5 Big Name Websites That Are Not Secure

Starting this July, Google Chrome is going to begin marking any website whose URL begins with the letters “http” instead of “https” as not secure. Many business owners may see this as an inconsequential change, but it will have a far greater impact than one might initially imagine. This won’t just affect small to mid-sized businesses. It’s a major change that will cause headaches for some huge organizations.

Here’s a shortlist of some big-name websites that haven’t made the switch to https yet, and are still considered “Not secure”:

Please note this was published in 2018. Many of these websites are now using https. Read our updated post for updated information on web security threats.

ESPN

The worldwide leader in sports is perhaps the most prominent example of a website with a surprising lack of visible web security.

As a premier property in the Disney media network family, ESPN stands to take a hit in bounce rates should its domain remain on http after Google Chrome’s switch. Especially considering the various logins supported by the site (whether for Fantasy sports, ESPN Insider subscribers, or simply customized user accounts), it’s remarkable to see the domain in such a condition.

The reason for ESPN’s lack of a visibly secure connection appears to stem from the website’s data relay infrastructure. In this Reddit thread, one user claims to have worked on the initial login system for Disney as it relates to ESPN. Supported by data they posted on GitHub, the user outlines how ESPN is structured so that login sub-domains send their data to a secure https backend system. So while the main site does not display https security, the login data is in fact being transferred securely.

While this may be good news for ESPN users, it’s still news. The main site does not display the security label, and Chrome goes so far as to re-label the URL as not secure when you click on the login button. So while the data is actually safe, ESPN users won’t know it without research.

At the same time, such a large network undoubtedly has the resources to make the necessary conversion in a timely manner, and it would be surprising if the ESPN team were not already in the final stages of preparation for such a switch.

Fox News

Many media agencies will be hit by this change in Google Chrome’s policy, but as we begin to see with the rest of this list, perhaps the most visible industry affected will be the news industry.

Despite being the most popular cable news network for the past decade, Fox News’ website is still behind the curve in this area. While the network’s focus is absolutely on the television medium (their top-right Call To Action says “Watch TV” of all things), it’s still shocking to see such a highly-engaged news outlet avoiding this change in 2018.

Another common trend we will begin to see with these websites is the login portal being hosted on a subdomain with https enabled. The user portal on Fox News’ website is https protected, as we can see with the screenshot below, although the formatting errors suggest that the website overall is not considered the largest priority by the administrators.

Fortune

Another news outlet set to get hit hard by the “HTTPS Apocalypse,” Fortune Magazine has a website that shows the same subdomain login and formatting issues that plague Fox News’ website.

Below, we can see that the login subdomain is HTTPS, but it is actually not fully secured. This will still result in significant bounce rates from this site.
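As an added example (not part of the original post), the Python sketch below audits a page's HTML for the two patterns described in these sections: an http page that hosts a login form posting to an https subdomain, and an https login page that still loads http subresources. The finding names and the example.test pages are constructed for illustration, and treating Fortune's "not fully secured" login page as a mixed-content case is an assumption, since the post does not state the cause.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SUBRESOURCE_TAGS = {"script", "img", "iframe"}

class PageScan(HTMLParser):
    """Collects login-form targets and subresource URLs from one HTML page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.login_targets, self.subresources = [], []
        self._action = None            # target of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":              # a missing action submits to the page itself
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action and self._action not in self.login_targets:
                self.login_targets.append(self._action)
        elif tag in SUBRESOURCE_TAGS and a.get("src"):
            self.subresources.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit(page_url, html):
    """Return the sorted list of transport-security findings for one page."""
    scan = PageScan(page_url)
    scan.feed(html)
    https_page = urlsplit(page_url).scheme == "https"
    findings = set()
    if not https_page:
        findings.add("page-over-http")               # Chrome 68 labels it "Not secure"
        if scan.login_targets:
            findings.add("login-form-on-http-page")  # form markup arrives without integrity protection
    if any(urlsplit(t).scheme != "https" for t in scan.login_targets):
        findings.add("credentials-sent-over-http")
    if https_page and any(urlsplit(u).scheme == "http" for u in scan.subresources):
        findings.add("mixed-content")                # https page that is "not fully secured"
    return sorted(findings)

# Constructed sample pages (example.test is a placeholder domain).
HTTP_HOME = '<form action="https://login.example.test/session"><input type="password" name="p"></form>'
HTTPS_LOGIN = '<img src="http://cdn.example.test/logo.png"><form action="/session"><input type="password"></form>'

if __name__ == "__main__":
    print(audit("http://www.example.test/", HTTP_HOME))
    print(audit("https://login.example.test/", HTTPS_LOGIN))
```

A page that returns an empty list is served over https, submits credentials over https, and loads no http subresources among the tags checked.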

 

BBC

A lack of a secure website reaches across all forms of media, and bbc.com is no exception.

Strangely enough, the European domain bbc.co.uk appears to be secured, but this site is inaccessible to United States search engine users, as it redirects to the non-secured version of bbc.com.

On the login side of things, BBC’s login subdomain is in fact secured, as we’ve seen with previous news organizations. In a slightly better showing than ESPN, the BBC portal opens in a new window featuring the https URL in the address bar (as well as a lovely image of David Attenborough).

California, Florida, and Ohio

Nope, it’s not just a private sector problem.

We’re cheating here a bit and combining these together, but since they’re such big states, we felt it worth including all of them. Three of the top 10 most populous states in the country — with California being #1 and Florida being #3 — don’t have https secured websites.

In fairness to these states, they all seem to more frequently update their subpage on the usa.gov website (which is https secured). However, the domains ca.gov, myflorida.gov, and ohio.gov are all without the proper security, and these are the first results which are shown to users on Google looking for the state’s own website.

As demonstrated by these websites, business owners and website administrators across markets have not all treated their domain security as the priority it should be.

While most of these websites will likely be changed quickly after Google Chrome initiates its new policy, many small businesses do not have the resources or the knowledge of how to combat this change. That’s where we want to help.

Switch to https today

Contact us to talk about how you can get ahead of big websites like ESPN and BBC by securing your domain. Our process is fast, efficient, and reliable.


All screenshots were taken on July 14, 2018 using Google Chrome Beta. The UI of the browser connection display is expected to go stable with the release of Chrome 68 on July 24, 2018.