UtahWatch:  tracking HTTPS in Utah

Total websites:  327
Total websites rated Good:  12

Total subdomains of Utah.gov:  134
Total subdomains rated Good:  1

Last updated:  

About

UtahWatch evaluates and rates the HTTPS support of the websites of a curated selection of Utah-based businesses, organizations, groups, individuals, and government entities. Entities that have a presence in Utah but are headquartered elsewhere are not tracked.

No other security assessment of these websites has been performed - these ratings do not indicate if a website is insecure, untrustworthy, or unsafe. Please contact the website owners directly with any questions or concerns about their security practices.

It is not practical to rate every website in Utah. Although the ultimate goal is to have all websites move to HTTPS, some editorial decisions must be made. My hope is that if the prominent sites listed here choose to implement high quality HTTPS then the others will follow.

Ratings will be produced at least once a month. Websites could be added or removed at any time. A best-effort log of updates will be kept at the SecureUtah.org blog.

UtahWatch is part of SecureUtah.org. Please visit SecureUtah.org to learn why HTTPS is crucial to a safe Internet, why it should be supported by every website, and why Utah should take the lead in promoting and supporting it.

Please send feedback to: choose+utahwatch@secureutah.org
Twitter: @SecureUtah

Ratings

UtahWatch uses a simple rating scale to make it easy to see if basic HTTPS has been achieved and to inspire change if it has not. Strong HTTPS has many moving parts that can be best evaluated using the Qualys SSL Labs and SecurityHeaders.io services.

A Bad rating is given if:

A Mediocre rating means a TLS connection can be established, but there are quality issues with the site’s implementation, such as the HTTP site not redirecting to HTTPS and/or the Strict-Transport-Security header not being set.

A Good rating is given if all of the above conditions are met. However, Good does not necessarily mean that a website's configuration work is complete (e.g. UtahWatch does not evaluate any subdomains besides WWW), nor does it mean that a website is free from other security risks or vulnerabilities.

Missing HSTS = Mediocre

Many of the sites that receive a Mediocre rating are missing the HTTP Strict-Transport-Security (HSTS) header or have the max-age value set to less than a year.

The HSTS header has become a vital part of helping visitors reach a website securely. Implementing HTTPS is not something that should be done piecemeal - without HSTS it is possible for an attacker to intercept a user's web traffic and prevent them from connecting over HTTPS. Thus, websites will not be rated Good unless they include HSTS.

Please read more about the importance of using HTTP Strict Transport Security:


Limitations

Some sites which UtahWatch rates as Mediocre might actually be unusable in a browser. This is mostly due to mixed content, which UtahWatch doesn’t always detect.

Although self-signed certificates are not inherently untrustworthy, UtahWatch gives a Bad rating to websites that use them because modern browsers will display a prominent warning to users when they try to visit those sites.

Aside from the basic hostname verification checks, UtahWatch doesn’t attempt to evaluate the quality of the TLS connection. Please use the provided SSL Labs server TLS testing tool link for each website to view an in-depth assessment. Please use SecurityHeaders.io to evaluate a site's HTTP response headers.
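As an added illustration (not UtahWatch's or HTTPSWatch's own code) of the Bad/Mediocre/Good scale described under Ratings and Missing HSTS, and of the hostname verification and self-signed certificate handling described under Limitations, the following Python puts the rating rules in one pure function and the live probe in another. Names such as `Probe`, `rate` and `probe_site` are assumptions for this example; the probe uses Python's default `ssl` context, so a self-signed or hostname-mismatched certificate fails verification and is rated Bad, the redirect check looks only at a single hop from the HTTP site, and the sample inputs at the bottom are constructed rather than real scan results.

```python
"""Rating logic modelled on the UtahWatch Bad/Mediocre/Good scale (added example)."""
import http.client
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds; HSTS max-age below this is Mediocre


@dataclass
class Probe:
    """What a scan observed for one hostname (field names are this example's own)."""
    tls_ok: bool                   # TLS handshake succeeded and the cert verifies for the host
    http_redirects_to_https: bool  # plain-HTTP request answered with a redirect to https://
    hsts_header: Optional[str]     # raw Strict-Transport-Security value, or None if absent


def parse_hsts_max_age(header: Optional[str]) -> Optional[int]:
    """Return the max-age directive in seconds, or None if the header or directive is missing."""
    if not header:
        return None
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    return int(match.group(1)) if match else None


def rate(probe: Probe) -> str:
    """Apply the three-level scale: no verified TLS -> Bad; TLS but missing redirect
    or missing/short HSTS -> Mediocre; all conditions met -> Good."""
    if not probe.tls_ok:
        return "Bad"
    max_age = parse_hsts_max_age(probe.hsts_header)
    if not probe.http_redirects_to_https or max_age is None or max_age < ONE_YEAR:
        return "Mediocre"
    return "Good"


def probe_site(host: str, timeout: float = 10.0) -> Probe:
    """Live check of one hostname (network access required; not exercised offline).
    The default context verifies the chain and hostname, so self-signed certificates
    raise an SSLError and are recorded as tls_ok=False."""
    tls_ok, hsts = False, None
    ctx = ssl.create_default_context()
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        hsts = resp.getheader("Strict-Transport-Security")
        tls_ok = True
        conn.close()
    except (ssl.SSLError, socket.error, http.client.HTTPException):
        pass
    redirects = False
    try:
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        redirects = resp.status in (301, 302, 307, 308) and urlsplit(location).scheme == "https"
        conn.close()
    except (socket.error, http.client.HTTPException):
        pass
    return Probe(tls_ok, redirects, hsts)


# Constructed sample observations (not real scan data) covering each rating outcome.
SAMPLES = {
    "self-signed.example": Probe(False, False, None),
    "no-redirect.example": Probe(True, False, "max-age=31536000"),
    "short-hsts.example": Probe(True, True, "max-age=86400"),
    "no-hsts.example": Probe(True, True, None),
    "good.example": Probe(True, True, "max-age=31536000; includeSubDomains; preload"),
}

if __name__ == "__main__":
    for host, observed in SAMPLES.items():
        print(f"{host:24s} {rate(observed)}")
```

Running the module prints one rating per constructed sample; to rate a real site, call `rate(probe_site("www.example.org"))`. The rating function is kept free of network code so the rules can be unit-tested and reviewed on their own.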

How to Properly Set Up HTTPS

SecureUtah.org provides a list of resources for deploying, configuring, and testing HTTPS.

Code

The code for UtahWatch is available on GitHub.

Credits

UtahWatch was created and is maintained by Jon Jarvis.

UtahWatch is a fork of HTTPSWatch.com. The HTTPSWatch project code is available on GitHub and was originally created by Benjamin Peterson. Many thanks to Benjamin for giving approval to fork his code and for providing early assistance to get UtahWatch going!

HTTPSWatch was inspired by Alex Gaynor’s blog posts about news sites’ HTTPS support.

Much respect to Qualys and Ivan Ristić for creating the excellent SSL Server Test that has become the de facto standard for testing and grading HTTPS.

Much respect to Scott Helme for making SecurityHeaders.io, a very useful and necessary tool that I wish I knew how to build.
