> On 2 Nov 2021, at 21:08, Kevin Cole <[email protected]> wrote:
>
> On Tue, Nov 2, 2021 at 3:55 PM Hans Aikema <[email protected]> wrote:
>
>> Referring to the search box that IS already using https when you opted to browse the website using https?
>> I consider it perfectly fine that the website offers an http search option when browsing the site with http, considering that it doesn't concern any privacy sensitive information.
>> You should teach manners to your web browser.
>
> lilypond.org is the only site I've encountered that appears to have this problem. Once in a while for other sites I encounter an expired certificate, but that problem usually goes away in a day or two after they get around to renewing their certificate(s). With lilypond.org, it seems that it's always a crap shoot as to whether or not I'll get the complaint from the browser. Since the problem seemed unique to lilypond.org, I didn't consider it to be a browser problem. (Maybe it's simply that the vast cache of Google, Duck-Duck-Go, et al, is constantly offering up the "http" version as a starting point or some such, as the first match…)
Many sites nowadays are configured with a 'redirect to https' at the http endpoint when they have an https version. That's likely why you rarely encounter them. Some (most?) browsers nowadays can also be told to always try to connect with https first and only fall back (after confirmation by the user) to http when that fails, or switch to https when available (see e.g. https://beebom.com/how-enable-https-only-mode-chrome-firefox-edge-safari/ for how to do so for the most popular browsers out there on the internet).

Looking at my Google results for a lilypond related search, it appears that Google mixes http and https URLs in the results, with slightly more (6 out of 10) of the first page for "aligning lyrics lilypond 2.22" linking to the https URLs of lilypond.org.

An advantage I see for continuing to offer both is that you can continue to serve old clients, while at the same time ensuring that anyone who visits you on https is guaranteed to have trustworthy encryption. Not all old clients can use the modern recommended TLS encryption settings, so by allowing them to fall back to 'insecure http' rather than allowing them to have a false sense of security by using 'insecure TLS configuration' or even worse 'broken SSL', you allow them continued use of your information while at the same time making it obvious that the connection to the information is not to be considered confidential/secure.
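To make the 'redirect to https at the http endpoint' setup mentioned above checkable, here is an added example (not code from the thread or from lilypond.org) that classifies how a plain-http endpoint answers, using a constructed response rather than a live request; it assumes headers are passed as a dict with lower-case keys, as a client library would normalise them.

```python
# Added example: offline check of an http endpoint's redirect policy.
# Constructed inputs only; nothing here talks to the network.
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _bare(host):
    """Strip a leading 'www.' so example.org and www.example.org compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_http_endpoint(request_url, status, headers):
    """Classify the answer to a request for http://host/... as one of:
    'redirect-https'    redirect to https on the same (or www.) host: the
                        setup the mail describes;
    'redirect-insecure' redirect, but the target is still plain http (e.g.
                        a relative Location that keeps the http scheme);
    'redirect-offsite'  redirect to https on a different host;
    'serves-http'       content served directly over http (both offered);
    'other'             anything else (errors, redirect without Location).
    `headers` is a dict with lower-case header names (assumption)."""
    if status in REDIRECT_CODES:
        location = headers.get("location")
        if not location:
            return "other"
        target = urlsplit(urljoin(request_url, location))
        if target.scheme != "https":
            return "redirect-insecure"
        if _bare(target.hostname) != _bare(urlsplit(request_url).hostname):
            return "redirect-offsite"
        return "redirect-https"
    if 200 <= status < 300:
        return "serves-http"
    return "other"


def hsts_max_age(headers):
    """Return the Strict-Transport-Security max-age in seconds, or None.
    Browsers only honour HSTS received over https, so check the https
    response, not the http one."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None
```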
