(SecureDrop developer here) That's why we created https://securedrop.org/directory (HTTPS, HSTS, preloaded, .onion available, etc.). Use that instead! Also, we have strong recommendations for the news organization's "landing pages" (e.g. https://theintercept.com/securedrop/), including requiring HTTPS, to prevent this and other obvious security issues.