britram
commented
5 years ago Working on this now; is there, off the top of your head, a good citation for ratcheting each browser ratcheting UX changes on security on the browser side? ironically my google-fu yields only the announcement from Google on Chrome and a bunch of complaining in the SEO-osphere.
martinthomson
You mention paying people to deploy DNSSEC. You might want to look closer at similar things that drove the "success" of HTTPS.
The success of HTTPS is in no small part to several concurrent forcing functions:
Tampering - Whether it be the NSA, ISPs, or enterprises that concerns you, using encryption to avoid "assistance" and interference from intermediaries has provided strong incentive to encrypt. I have LOTS of examples I could help with, but you probably don't need them.
Interventions - Google in particular has made some non-trivial changes that motivate the use of HTTPS. Foremost being their decision to penalize the PageRank of sites that don't offer HTTPS. The efforts of browsers to penalize cleartext use might have had some effect here as well - browsers are withholding features from sites that don't encrypt.
There are a bunch of other factors, not the least being the huge amount of effort invested in removing barriers. Let's Encrypt is probably the most notable here, not so much by smashing the cost-in-dollars, but by providing a common platform for enrollment and certificate acquisition, which addressed the operational costs.
I would also be cautious in declaring victory. HTTPS adoption looks good from the perspective of big sites and browser metrics, but until you can type "example.com" into a browser and have it interpret that as "https://example.com/" and expect that to work - with HSTS - then I don't consider HTTPS to have won.