by jtakkala 3209 days ago
I completely agree about having a dedicated team, and I'd expect a company of their nature to be at the forefront of security best practices.

I just checked some Equifax domains against SSL Labs, and while their Canadian site (https://www.econsumer.equifax.ca) scores an A-, it has no forward secrecy. I'm surprised to see a modern web server not supporting FS today. Worse, the main entry point to their Canadian site (http://www.consumer.equifax.ca) as indexed by Google does not redirect to a TLS enabled page, although they do seem to have a TLS endpoint for that domain -- but not sure how people are expected to get to it.

Edited to add: The first link is only accessible through a redirect by clicking on the "Get Started" button on their main Canadian site. Furthermore, even selecting Canada from the drop-down on https://www.equifax.com/personal/ redirects to the insecure non-TLS site.


The results of a scan of equifaxsecurity2017.com by Mozilla's "Observatory" do not inspire confidence either:

https://observatory.mozilla.org/analyze.html?host=equifaxsec...

Wouldn't an extension like HTTPS Everywhere do it for you? (Provided you're savvy enough to have it installed; in other words, they should still put in that redirection...)

https://www.eff.org/https-everywhere

I've got HTTPS Everywhere running and it doesn't appear to have a rule, since I'm still hitting the non-TLS site.

My rule of thumb for assessing security mindset is the STS header, which they don't have. That tiny Norton Secured icon does not make me extra confident.
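A defender-side check for the two properties this thread keeps coming back to (the plain-HTTP entry point redirecting to TLS, and a Strict-Transport-Security header on the TLS endpoint). This is an added example, not code from any commenter; it runs over constructed HTTP response heads rather than live hosts, and the 180-day minimum `max-age` and the `www.example.test` host name are assumptions.

```python
import re
from typing import Dict, Tuple

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lowercased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_http_redirect(status: int, headers: Dict[str, str], host: str) -> bool:
    """The port-80 response should be a redirect to the https:// form of the same host."""
    loc = headers.get("location", "")
    return status in (301, 302, 307, 308) and loc.lower().startswith("https://" + host.lower())

def check_hsts(headers: Dict[str, str], min_age: int = 15552000) -> Tuple[bool, str]:
    """Return (ok, reason) for the HSTS header on the HTTPS response.
    min_age defaults to 180 days (assumed threshold, in line with common scanners)."""
    sts = headers.get("strict-transport-security")
    if sts is None:
        return False, "no Strict-Transport-Security header"
    m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.I)
    if not m:
        return False, "max-age directive missing"
    if int(m.group(1)) < min_age:
        return False, f"max-age {m.group(1)} below {min_age}"
    return True, "ok"

def assess(http_raw: str, https_raw: str, host: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a host."""
    status, h = parse_response(http_raw)
    _, hh = parse_response(https_raw)
    hsts_ok, reason = check_hsts(hh)
    return {"redirects_to_https": check_http_redirect(status, h, host),
            "hsts": hsts_ok, "hsts_reason": reason}

# Constructed sample responses (not captured from any real server).
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
BAD_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.test/\r\n\r\n"
GOOD_HTTPS = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    print(assess(BAD_HTTP, BAD_HTTPS, "www.example.test"))
    print(assess(GOOD_HTTP, GOOD_HTTPS, "www.example.test"))
```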