Non-HTTPS Sites Are Still a Problem – What You Can Do

Around 6% of the 1800+ most-visited websites in the world don’t use HTTPS

Whenever you visit them, you won’t find a small padlock icon near the URL. This lets you know that your data can be intercepted and spied on. Cybercriminals can see your passwords, private messages, financial details, and anything else you share or do on an unsecured connection. 

Back in 2014, Google recommended that sites switch to HTTPS to protect their visitors. Almost a decade later, too many websites are still lacking in that department.

Why? What does this mean for you, and what can you do to protect yourself online?

What Are HTTPS (& Non-HTTPS) Sites?

Let’s break it down. Before HTTPS there was HTTP.

HTTP stands for:


It refers to a set of rules pertaining to transferring data over the internet. HTTP is the foundation of the world wide web as we know it, and it predates HTTPS. HTTPS is a later addition, with the S standing in for “secure.” 

HTTPS uses Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption to secure a HTTP connection between a website and your browser. This encryption ensures that no third party can see what you’re doing on a particular website. Only you and the website can see and access that information. 

Cybersecurity experts recommend HTTPS for all websites. Cybercriminals can easily snoop on HTTP traffic and intercept your data. You can check if you’re on a HTTPS website by looking at the URL in your browser. A lock symbol means your connection is secure.

Screenshot of a browser with the lock symbol highlighted proving a HTTPS connection
Locked and loaded

For HTTP however, you’ll get a warning sign or a Not Secure message. Depending on your network settings you can also receive a warning page, so you won’t miss it.

Screenshot of a browser with a Not secure message highlighted showing a HTTP connection
Don’t ignore that warning sign!

It’s easy to spot.

Why HTTPS Is Important

HTTPS doesn’t mean a website is 100% secure but it offers some level of security. The internet was built for sharing information faster, but no one could have predicted the degree at which the digital space would evolve.

Businesses are thriving online, data mining is a common practice, and we’re uploading more and more of our information to the cloud. This is why you need at least basic security when surfing online.

For your safety, HTTPS is paramount for websites that require you to type in:

          • Personal Identifiable Information (PII), like usernames, email addresses, and social security numbers
          • E-commerce transaction data, like credit card numbers, bank accounts, and crypto wallet information
          • Other sensitive data, like political opinions, religious beliefs, and medical records

That said, not every page is on board with HTTPS. Even big and popular sites like or are still stuck on HTTP territory. 

Why is that? Well, up until 5-10 years ago, many believed a static website doesn’t need HTTPS. This means that news websites, for example, wouldn’t need HTTPS. It was generally assumed you wouldn’t need to enter any details to read an article. While that’s true on principle, the introduction of paywalls, newsletters, social media plugins, and data analytics changed that.

With HTTPS being easier than ever to implement, there’s really no excuse for websites to serve content over unencrypted connections. If you own a domain or website, don’t delay implementing HTTPS. It’s free and quick.

Check the Website Certificates

HTTPS is great, and it makes you feel safe seeing the little padlock icon there. It’s not the ultimate security test though. Sites that previously had HTTPS can still show the padlock even if the certificates have expired. This means the website isn’t actually secure anymore.

Do your due diligence and check a website’s certificates before typing in any private information. Here’s how:

  1. Click on the padlock icon
  2. Click on Connection is secure
The 61 cookies might cause issues among some users though.
  1. See if Certificate is valid is displayed
Screenshot highlighting Certificate is valid setting on
This is what you should look for.

You can also click on Certificate is valid to check the validity period and the issuer. This is especially important for banks, payment processors, governmental websites, or healthcare provider websites, since these typically handle a lot of private data. If the certificate is expired, don’t type any personal information, including passwords, into the website.

Force Websites to Use HTTPS

Since HTTP is the basis of our current online communication, all sites have an HTTP version but most simply redirect you to their HTTPS version automatically. In some cases, the website’s host didn’t or couldn’t implement the redirect command, or the encrypted page’s feature links go back to the unencrypted version.

In this situation, you can try forcing the site to use HTTPS. Keep in mind this won’t work if the website doesn’t have a valid certificate. To do this, you simply have to manually add the s in the URL bar. 

Yes, it’s tedious to constantly check if your connection is secure. This is why plugins like HTTPS Everywhere are a lifesaver. The Tor Project and the Electronic Frontier Foundation collaborated to create this free plugin to make security a little more accessible. 

Keep in mind HTTPS Everywhere can protect you only when you’re using sites that support HTTPS. The plugin can also block unencrypted requests by default, in case you ever forget to check for the padlock. It’s compatible with major browsers like Chrome, Firefox, and Opera. It even comes included with some privacy browsers, including Brave and Tor

Make Your Site HTTPS in 5 Easy Steps

If you use a web hosting provider, they may offer HTTPS setup. If you want to install it yourself, for free, you’ll need a SSL/TLS certificate. Let’s Encrypt is a global Certificate Authority (CA). As a nonprofit, they offer Domain Validation (DV) certificates free of charge. These certificates are valid for 90 days. It’s recommended to renew the certificate every 60 days, though, to ensure your website stays secure.

For the purpose of this guide, I’ll assume you have Shell (SSH) Access to your server. This means you have command line access which makes things a lot easier for you.

  1. Go to Let’s encrypt.
  2. Click on Get Started.
  3. Let’s encrypt recommends a Certbot ACME Client, so choose that option.
  4. Select your software and system.
  5. Follow the on-screen instructions.

The exact steps depend on your setup, but Certbot thoroughly explains the entire process.

Keep in mind that to use Certbot, you’ll need:

          • Shell access
          • An online HTTP site hosted on a server
          • Port 80 open

If you’re not a domain owner and just want to stay safe online, you’ll need to take a proactive approach. You can’t force websites to always use HTTPS, but you can secure your connection with a VPN. As a universal security tool, a VPN is great for boosting your privacy by preventing further snooping on HTTP and HTTPS alike.

Important: A VPN can’t prevent cybercriminals from intercepting and reading the data you type into a website that only uses HTTP. A VPN can prevent them from tracing that information back to you using your IP address. If you enter sensitive information into a website and its security is lacking, your data may still be stolen.

Secure Your Connections with CyberGhost VPN

A VPN stands for virtual private network and it works by encrypting your internet connection, and swapping your IP address. CyberGhost VPN uses military-grade 256-bit AES encryption. It’s an encryption standard renowned for its security, which is why military bases and governments worldwide use it to secure classified information. 

CyberGhost VPN also has VPN apps for all major operating systems, like Windows, macOS, Android, iOS, Linux, and many others. No matter what you use to surf the internet, you can secure your internet traffic. 

As a general rule, you’d best avoid HTTP sites. If you absolutely must, then you need to encrypt your connection with CyberGhost VPN. Even if cybercriminals are snooping on the HTTP communication, they won’t be able to trace that information back to you or hijack your data in transit. CyberGhost VPN helps to anonymize you and keep you safe from prying eyes.

HTTPS is great to have but it’s only a basic online security setting. It doesn’t protect you from cyber attacks, data mining, or malware. CyberGhost VPN is still a huge boost to your online security on HTTPS sites. When it comes to security, HTTPS on its own falls short of what you need and compares poorly to what a VPN can do for your digital safety.

HTTPS (SSL/TLS encryption)CyberGhost VPN (AES 256-bit encryption)
Encrypts data sent via browsersEncrypts your internet traffic from the web server to your device
Is vulnerable to attacks like Root Certificate attacks, man-in-the-middle attacks, and DDoS attacksHolds up against various cyber attacks, including Root Certificate, DDoS, and man-in-the-middle attacks
The security depends on the type of algorithm usedVery secure encryption that’s impossible to crack
Doesn’t impact your IP addressProtects your IP address
Doesn’t secure your browsing historyEncrypts your DNS requests to protect your online history

Besides security, you get many other benefits with CyberGhost VPN.

Best yet? You get a risk-free 45-day money-back guarantee to safeguard your purchase.

Stay Safe Online

The internet can be a scary place. Just like you wouldn’t go out flaunting your wallet or your home address, you wouldn’t want your data out there. Unsecure HTTP sites do nothing to protect your information.

HTTPS is the bare minimum when it comes to online security which is why you’ll want to avoid HTTP. But you can do better. Use CyberGhost VPN to encrypt your entire internet traffic with uncrackable 256-bit AES encryption. This gives you a leg up over HTTPS and protects your data even outside the browser.

When companies out there don’t even do the bare minimum to secure your online identity, take matters into your own hands with CyberGhost VPN


Are non-HTTPS sites safe to visit?

Non-HTTPS sites aren’t inherently dangerous, but they lack even the most basic security. This means you should tread lightly and never enter any personal data on these sites, since it can easily be intercepted by third parties. 
That said, most of the dangerous websites out there are non-HTTPS websites.

Phishing scams and malware thrive on unsecured sites, so it’s still best to avoid HTTP entirely. If you absolutely must, consider using CyberGhost VPN to secure your traffic. It comes with a risk-free 45-day money-back guarantee, so you can test our security features for as long as you need!

Why do some websites not have HTTPS?

There are multiple reasons. Some low-traffic sites might not find it worthwhile to invest in an HTTPS certificate. Some website owners might consider they don’t collect enough user data to warrant the need for encryption. Some website owners still use outdated hosting services, and don’t know they’re missing out on a secure connection. 

Virtual hosts can host multiple websites from the same server, which makes them a very cost-efficient option, but almost all virtual hosts don’t support HTTPS. And lastly, HTTPS makes it more difficult to cache data across sessions, so data miners might choose not to implement it.

Do any websites still use HTTP?

Yes, there are still websites that use HTTP. Most of them are sites with a low traffic volume that might not find it a cost-effective idea to invest in HTTPS. Some big websites still use HTTP despite security concerns. Popular Chinese news sites like Xinhua and China Daily are popular examples of domains that don’t redirect to HTTPS. Neither does Baidu, the Chinese equivalent of Google. 

The lack of encryption means that any third parties can easily intercept your traffic on these websites. Stay safe by using CyberGhost VPN to protect your data with our 256-bit AES encryption and secure encryption protocols.

Can a VPN protect me from HTTP sites?

CyberGhost VPN adds a layer of encryption to your connection and swaps your IP address with an anonymous VPN address. This helps anonymize your online browsing and protects your data from snooping eyes. That said, a VPN can’t compensate for the lack of security on HTTP. It just anonymizes you. Cybercriminals can still intercept your information on an HTTP site, but if you use CyberGhost VPN they won’t be able to trace your data back to you.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*