My web host recently added, without asking, an SSL certificate free of charge to the accounts of all their customers. For my site the result is that requests for both http:// and https:// versions of the same URL now resolve. Except for unsecure parts of the page, such as images, due to "mixed content". cPanel states that those having requested HTTPS adresses have found them via Direct address / Bookmark / Link in email. Probably they have just tested. Those having utilised HTTPS have all also requested a file named .well-known/dnt-policy.txt and gotten a 404. That file appears to contain an EFF do not track compliance policy.

The security warnings in browsers and the lack of images will of course confuse my visitors. But this will also cause canonical issues when Google finds out or if people start linking to HTTPS URLs. So I would like to somehow block https:// requests in .htaccess. In the cPanel File Manager I am obviously able to change the permissions (now 0751 or 0600) for the files within the SSL directory, but maybe I should not mess with that.

(Kindly refrain from suggesting I go HTTPS. This is an old and well established but small non-profit information/hobby site whose visitors do not need HTTPS. I dislike Google and Chrome trying to force me, because in this case there really are no benefits for the user, but a lot of disadvantages for the old html site as well as extra work for me.)

Under the Downloads heading in cPanel's Awstat for the "non-secure site" hundreds of requests for files like /F052E0C3E90C46DE4****C2CA38728A3.txt have started to appear. At least some of these files are SSL certificate numbers "used" by my "secure site". Previously the Downloads section consisted only of PDFs. I find those listings annoying. Why do they appear for the "non-secure site"?