Neither do Verisign, Entrust, TrendMicro, IdenTrust, StartCom which are root certificate authorities your browser trusts right now. All of their sites are accessible over HTTP. It doesn't really say anything about whether you should trust their CA businesses.

The GP wasn't pointing out that Amazon is "accessible over HTTP". He was making the much stronger point that Amazon doesn't even offer HTTPS on most of its site.

I don't think any of the big (or small) corporations should be trusted, but in the case of Amazon, the question of trust in connection to data is much bigger than trusting them not to abuse powers from having SSL certs in the browser. They already run a huge part of the infrastructure of the Internet, and have the possibility of reading the private SSL keys of a number of services by virtue of hosting them.

The CA system is broken by design, but I don't think adding Amazon will make much of a difference either way.

The latency increase for HTTPS actually causes a measurable conversion difference in the e-commerce space. It sucks but it's true.

edit: Downvoters--have you ever done measurements? Why do you think Amazon redirects HTTPS to HTTP for product pages? It actually matters and at their scale it's real money.

Why would a redirect from https to http and then an http page load be faster than just returning the page over https? You're taking the SSL handshake latency hit either way.

I'm not sure I agree with you but still I found it a bit funny how many of the URLs in the ticket were http instead of https.

You arguably shouldn't. We have way too many providers of certs as it is (including the Hong Kong post office, because reasons).

The answer isn't to attack Amazon, but to move to a model where basic certs (including wild card certs) are free or you don't get your root certificate in, only 3 companies get their cert in and none of the may be based anywhere but Germany or other countries that respect privacy.

But that is just the opinion of this random, angry, nerd.