1601 Exchanges
820 Websites
View Details
12 Using TLSv1.3
383 No TLS Support
View Details

I checked the public websites of financial exchanges, trading platforms, and markets to see how many of them used HTTPS to protect the contents of their website in transit.

Financial exchanges are organisations, such as NASDAQ, Deutsche Boerse, ASX, or Barclays, which are involved with handling a lot of transactions.

This year has seen an increase in the number of exchange websites that do use TLS. As an example, the JPX group in Tokyo, Japan - encompassing TSE, OSE, TOCOM - has added TLS recently, as did the ASX.

Why do you care?

In the July releases of most major browsers, any website that is delivered over HTTP is marked as insecure. That is not a good look for a financial exchange.

By "not a good look" I also mean that their regulators might be rapping some finger knuckles.

Actual trading isn't done through the website, typically. The website is responsible for non-trading materials such as exchange regulations, exchange orders, information on trading halts, publishing closing prices (which are used for benchmarks and settlements), resetting user passwords, and other terribly important things.

Also, exchange websites are terrific for watering hole attacks - something that HTTPS makes easier to spot.

I do not have enough space here to argue at length to convince every site must use HTTPS. Others have done so at more length and more eloquently. Instead, check with your regulator about the minimum security requirements you need, then add HTTPS.

Top numbers

There are 820 websites for 1601 exchanges in the 2018-06 ISO 10383 list. This is the master list for exchanges and markets. Note that multiple exchanges can share the same website.

383 have no version of TLS available.

TLSv1.0 = 310 sites. This is the minimum version that a website should have, and there should be plans in place to migrate away from its use.

TLSv1.2 = 369

TLSv1.3 = 12 ... well done on those that are able to get it into production so soon.

Note that these figures do not sum exactly which is because sites can have between 0 and 3 versions of TLS available. Also I was unable to check for SSLv3 because support is disappearing from the recent libraries I used.

For a complete table, check out the table, or a look at a chart.


  1. Download most recent list of exchanges from ISO
  2. Visit each website address
  3. Check if website redirects to HTTPS
  4. Check which TLS versions are supported

Sites that don't have TLS

438 sites didn't successfully complete a TLS connection. This involves certificate errors (untrusted issuers), incorrect hostnames (eg, where a company has been purchased by another, or they have only partially configured their Akamai setup), or simply not having TLS at all.

In this case, the best course of action for the exchange operator is to add TLS in front of your existing website. Or fix your configuration errors.

Sites that have TLS, but downgrade

There are a few fun exchanges which have TLS available on their sites, but in a fit of misconfiguration or foolishness will redirect you back to their plain text equivalents.

This is rather mind blowing. They have the technology, the certificate, but then force clients to not use it.

Software used

The main part of the search is done with Python 3 and a custom build of the latest PycURL/, libcurl/7.60.0, and OpenSSL/1.1.1. I wrote a bit of glue to parse the list of MICs, extract the unique websites, then check each in turn.

Additional checks

Symantec certificate authorities are deprecated and will soon be completely untrusted).

I only checked the supplied intermediates and not the entire chain. Also I didn't check whether they were from the new Symantec CA. Of the 33 that had a Symantec certificate in their chain, the ones that I spot checked had already been reissued and were accepted by the new Chrome browser.

Conclusions, Take aways, All the good stuff

For such important institutions the turn out a week before HTTP websites are marked as untrusted in major browsers is poor.

For sites that are under strict regulation about the quality of the security involved, to have sites that are still insecure HTTP is not great.

Want the full breakdown? Look at the Table.

There are different versions of TLS are available. Generally, any version is better than none. As sites can support any combination of plain HTTP (insecure), TLSv1.0 (weak), TLSv1.2 (best), TLSv1.3 (newest), there is quite a patchwork in the results.

Is the TLSv1.0 protocol enabled? It's going away.
Is the TLSv1.2 protocol enabled? It's the current state of the art. This must be true.
Is the TLSv1.3 protocol enabled? It's brand new so not widely available. Aim high!