The HTTPS and HTTP conundrum (posted 2021-11-22)
The past few days I have added HTTPS support to bgpexpert.com and iljitsch.com. About ten years ago, I experimented a bit with SSL/TLS (HTTPS) support in Apache, and that was rather difficult.
But no more. Thanks to the efforts of Let's Encrypt and the ACME protocol as implemented in certbot, adding HTTPS support to your websites is now almost ridiculously easy: just install certbot, run it with --apache and a list of your domains... and that's it! (Remember those certs expire in 90 days, so set up automatic renewal.) I was initially worried about the number of subdomains I use, but 30 of them is not a problem.
However, there are complications, which all go back to the rather bad decision to use HTTPS rather than HTTP in URLs and use a separate port number for HTTPS. This means that you can't just negotiate the best security supported by both sides. Instead, HTTP is never encrypted, and HTTPS is always encrypted.
So that means if you just enable HTTPS and do nothing else, all the visitors to your website will still use HTTP. I'm actually fine with that, as I feel that providing the option to encrypt an HTTP session is sufficient. In my opinion, for the sites I'm running, being able to access them over HTTP should HTTPS not work is a pro, not a con. Should you wish to go further, the recommended approach is to have your web server redirect requests from HTTP to HTTPS.
What I'm doing here on iljitsch.com is just enable HTTPS and see what happens. I'm especially interested in seeing if/when/how Google will discover the new HTTPS capability. Once you're on on iljitsch.com using HTTPS, I want to keep you there, so I've changed all the links to use protocol-relative URLs. As I'm using subdomains for some stuff, I do need to specify www.iljitsch.com, but I do that by using //www.iljitsch.com/ rather than http://www.iljitsch.com/ or https://www.iljitsch.com/, so if you're on HTTP, the links will be HTTP links, but if you're on HTTPS, the links will be HTTPS links.
On bgpexpert.com, on the other hand, I want Google to find the HTTPS version of the site as soon as possible, so I've changed some of the scripts to redirect from HTTP to HTTPS, along with using relative or protocol-relative URLs everywhere. However, in the future I may remove these redirects and use other mechanisms to make Google prefer the HTTPS version rather than the HTTP version of the site. Not entirely sure yet what's the best way to do that.
One benefit of using HTTPS is that links to my images on other sites, including RSS readers, now work. So let me take advantage of that.
