Open alexzorin opened 9 years ago
You are correct. However, one of the goals of HTTPSWatch is to advocate for HTTPS everywhere, not just "secure" areas. That is why we mostly link to homepages.
To avoid many vulnerabilities, it's critical that all pages use HTTPS.
For example, a visitor easily gets p0wned by MITM + phishing if the brochureware website is HTTP-only (or without HSTS). I think this issue can be closed.
In almost all cases, banks have brochureware websites with distinct separated internet banking domains/hosts.
IMO it doesn't make much sense to be testing the brochureware endpoint, which is currently all that is tested. Any potential issues in the actual internet banking section are not going to be uncovered.
i.e. onlinebanking.tdbank.com vs tdbank.com
The list of banks should either be better curated or have a disclaimer that HTTPSWatch does not actually evaluate the internet banking part of the website, just the brochure part.
Thanks for your work
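
An added example (not part of this thread and not HTTPSWatch's own code) showing why the thread ends up wanting both endpoints checked: it classifies the brochure host and the banking host separately, including the case where HSTS on the parent domain covers the banking subdomain. The hostnames, the observations and the function names `parse_hsts`, `audit` and `report` are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse Strict-Transport-Security (RFC 6797); None if absent or invalid."""
    if not value:
        return None
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a repeated directive invalidates the whole header
            return None
        seen[name] = arg.strip().strip('"')
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):  # max-age is mandatory
        return None
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}

def audit(final_url, hsts_header, parent_policy=None):
    """Classify a host from where http://host/ ends up and the header seen there."""
    if urlsplit(final_url).scheme != "https":
        return "http-only"  # an HSTS header sent over plain HTTP is ignored
    policy = parse_hsts(hsts_header)
    if policy and policy["max_age"] > 0:
        return "https+hsts"
    if parent_policy and parent_policy["max_age"] > 0 and parent_policy["include_subdomains"]:
        # Only protects users whose browser already stored the parent's policy.
        return "https, hsts via parent"
    return "https, no hsts"

# Constructed observations (hypothetical hosts, not real scan results):
# host -> (final URL after redirects from http://host/, HSTS header, parent host)
OBSERVED = {
    "bank-a.example": ("http://bank-a.example/", "max-age=31536000", None),
    "onlinebanking.bank-a.example": ("https://onlinebanking.bank-a.example/", "max-age=31536000", "bank-a.example"),
    "bank-b.example": ("https://bank-b.example/", 'max-age="63072000"; includeSubDomains', None),
    "onlinebanking.bank-b.example": ("https://onlinebanking.bank-b.example/login", None, "bank-b.example"),
}

def report(observed=OBSERVED):
    result = {}
    for host, (url, header, parent) in observed.items():
        parent_policy = None
        if parent and urlsplit(observed[parent][0]).scheme == "https":
            parent_policy = parse_hsts(observed[parent][1])
        result[host] = audit(url, header, parent_policy)
    return result

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:32} {verdict}")
```

In the constructed data, `bank-a.example` fails on its homepage while its banking host passes, and `onlinebanking.bank-b.example` sends no header of its own, so a check of only one endpoint misreports both banks.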