They get bonus points for their Let's Encrypt cert and a solid 'A' on SSL Labs (some amusing alt names on the cert though - not their fault and no big deal).
Maybe someone at the bank will realize soon that HTTPS is for more than protecting log-ins, it guarantees the integrity of the page and makes sure the browser displays only and exactly what was sent, with no tampering in transit.
They just chose to have a hosted blog from Wordpress with a custom domain, Wordpress chose to use a Let's Encrypt certificate and to lump a bunch of different customers' custom domains into one certificate request hence the alt names.
Not really, the host is already trusted (as explained in the parent comment). The domain owner is free to obtain a different certificate with a new private key that only they know if they wish. When you choose to use shared hosting you are already delegating plenty of trust so it's reasonable to use the host's private key.
Bank of England primary website: HTTP only
They get bonus points for their Let's Encrypt cert and a solid 'A' on SSL Labs (some amusing alt names on the cert though - not their fault and no big deal).
Maybe someone at the bank will realize soon that HTTPS is for more than protecting log-ins, it guarantees the integrity of the page and makes sure the browser displays only and exactly what was sent, with no tampering in transit.