The general situation with HTTPS is far from ideal, a lot of HTTPS site have mixed content (secure and unsecure), a lot of sites still have log-in data going unencrypted over the wires. Safer Chrome Security extension will alert you for these unsecure log-ins.
Security Header Implementations are overall missing in a lot of instances (check here:
http://cyh.herokuapp.com/cyh )
or we see warnings where not best practices are followed, see the Recx Security Analyzer extension results. For Heartbleed (yes issues still around), Poodle and weak encryption via SHA-1 check here at:
https://shaaaaaaaaaaaaa.com/check/Sitereports can be had via Netcraft reports:
http://toolbar.netcraft.com/site_report?url=An online poodlescan:
https://www.poodlescan.com/Sometime the encryption keys are served from the weak side up, which makes the danger of websites being compromised even more outstanding
(so we will see still a lot of unsecure website server configurations and incompetence or cases of bulk hosting where money comes first and security is often a last resort issue).
Online test:
https://sni.velox.ch/I do these scans every day and all of the day, I can assure you that especially the enforced HTTPS Everywhere sites may come rather insecure. What about encrypted ad malware, it becomes so much harder to detect. Another example why one needs a decent adblocker.
Also extensions like NoScript and RequestPolicy in firefox and ScriptSafe and uMatrix in Google Chrome are no longer just a protective luxury. Whenever you have learned how to toggle them rightly you have a tremendous weapon against your browser being infested with malware all sorts.
polonus (volunteer website security analyst and website error-hunter)
P.S.
Test ocsp:
http://security.stackexchange.com/questions/12735/what-web-browsers-support-ocsp-stapling-are-the-privacy-and-performance-featureRead:
https://www.grc.com/revocation/ocsp-must-staple.htmD
