Re: LilyPond website is not available in some countries

[Hans Aikema]

> On 2 Nov 2021, at 21:08, Kevin Cole <dc.loco@gmail.com> wrote:
> 
> On Tue, Nov 2, 2021 at 3:55 PM Hans Aikema <hans.aikema@aikebah.net> wrote:
> 
>> Refering to the search box that IS already using https when you opted to 
>> browse the website using https?
>> I consider it perfectly fine that the website offers an http search option 
>> when browsing the site with http, considering that it doesn't concern any 
>> privacy sensitive information.
>> You should teach manners to your webbrowser.
> 
> lilypond.org is the only site I've encountered that appears to have
> this problem. Once in a while for other sites I encounter an expired
> certificate, but that problem usually goes away in a day or two after
> they get around to renewing their certificate(s). With lilypond.org,
> it seems that it's always a crap shoot as to whether or not I'll get
> the complaint from the browser. Since the problem seemed unique to
> lilypond.org, I didn't consider it to be a browser problem.  (Maybe
> it's simply that the vast cache of Google, Duck-Duck-Go, et al, is
> constantly offering up the "http" version as a starting point or some
> such, as the first match…)

Many sites nowadays are configured with a ‘redirect to https’ at the http 
endpoint when they have an https version. That’s likely why you rarely 
encounter them. Some (most?) browsers nowadays can also be told to always try 
connect with https first and only fall back (after confirmation by the user) to 
http when that fails or switch to https when availabe (see e.g. 
https://beebom.com/how-enable-https-only-mode-chrome-firefox-edge-safari/ for 
how tofor the most popular browsers out there on internet).

Looking at my google results for a lilypond related search it appears that 
google mixes http and https URLs in the results, with slightly more (6 out of 
10) of the first page for "aligning lyrics lilypond 2.22” linking to the https 
urls of lilypond.org

An advantage I see for continuing to offer both is that you can continue to 
serve old clients, while at the same time ensuring that anyone who visits you 
on https is guaranteed to have trustworthy encryption.
Not all old clients can use the modern recommended TLS encryption settings, so 
by allowing them to fall back to ‘insecure http’ rather than allowing them to 
have a false sense of security by using ‘insecure TLS configuration’ or even 
worse ‘broken SSL’, you allow them continued use of your information while at 
the same time making it obvious that the connection to the information is not 
to be considered confidential/secure.