I'd like to build a script of some kind that can tell if a website uses https or not.
What is a way of programmatically determining this? I tried visiting one of my own domains that I know does not have https, but the server still gave me a 200 code (at least, according to a Chrome extension that I use).
Is there some sort of error that I can catch, or some other piece of information that will be consistent from site to site?
Theoretically, it's rather up to you to know in advance whether you should use HTTPS or not. By this, I mean there is a part of judgement from the user to expect to use HTTPS for certain sites. In the real world, you would generally have different security expectations when walking into your bank and walking into a coffee shop. You wouldn't generally be willing to give the same sort of details to someone behind a bar as you would to your banker. The same applies on the web.
That said, you can indeed test whether you can establish an HTTPS connection to a certain website or not. The problem is that not being able to establish this connection can mean a few things:
Many sites will try to upgrade you from HTTP to HTTPS via a redirection to make the user aware that HTTPS is available and hopefully make them expect it next time they visit that site. Some sites will even use HTTP Strict Transport Security (HSTS) to force you to remember that upgrade next time you visit that site. This is a reasonable compromise if you can assume your first connection is not tempered with.
What is a way of programmatically determining this? I tried visiting one of my own domains that I know does not have https, but the server still gave me a 200 code.
If your domain doesn't have a valid certificate, the certificate validation should fail, and you shouldn't be able to get any HTTP status code in response at all.
I would guess that the script you've used doesn't do any certificate verification, and perhaps that those domains point to a shared hosting environment, where other services with the same IP address are HTTPS-enabled.
You should at the very least make sure that your script validates the certificate properly:
Not all SSL/TLS libraries have this enabled by default (especially the second point).
I'm not sure what you're using for your script or what the extension you mention does. For example, if you're using curl, make sure you're not using -k or --insecure, and you're using wget, make sure you're not using --no-check-certificate. If you're using libcurl, you should make sure you're using the VERIFYPEER and VERIFYHOST properly. Look for similar options in other implementations if this is not what you're using, and don't ignore the browser warnings.
On Windows you could use the free Basic Edition of HttpWatch and its automation interface to write a program that accessed sites you want to test.
The Error property on Entry class would allow you to detect cases where the HTTP connection failed.
