They have it on HTTPS, and always redirect to HTTPS, so they’re half-trying.