Scott Helme & Troy Hunt Highlight Ongoing HTTPS Adoption Gaps Across the Web Ecosystem
What Happened — In the latest “Weekly Update 510,” Troy Hunt and Scott Helme released fresh scan data showing that a significant share of publicly‑facing sites still serve content over plain HTTP. Their analysis of the top‑1 million domains found ≈ 12 % without TLS, and many of those sites also lack HTTP Strict‑Transport‑Security (HSTS) headers.
Why It Matters for Compliance & Audit Readiness
- Missing TLS violates SOC 2 CC6.1 (Encryption in transit) and can be cited as a control‑failure during an audit.
- Continuous evidence of HTTPS enforcement is a core component of a defensible audit trail for security‑focused engagements.
- Verisq’s Control Mapping capability lets you automatically map TLS/HSTS compliance to SOC 2 controls and capture ongoing proof for auditors.
Who Is Affected — All industries with web‑facing applications (e‑commerce, SaaS, fintech, health‑tech, etc.).
Recommended Actions
- Inventory every public endpoint and verify TLS termination.
- Deploy HSTS with a long max‑age and include the
preloadflag where appropriate. - Integrate a continuous‑monitoring service that flags HTTP‑only sites and logs remediation steps as audit evidence. Source: Troy Hunt Weekly Update 510
Technical Notes – The scan leveraged TLS‑Scanner (v2.3) and identified sites lacking TLS, using outdated cipher suites, or missing HSTS. No CVEs were involved; the issue is a configuration gap that leaves data in‑transit exposed to passive eavesdropping. Source: same