HTTPS worked perfectly in 1995. Banks used it. E-commerce sites used it. Everyone else ignored it for twenty years. By December 2015, 39% of page loads used encryption. Then something shifted. Within five years, 84% of page loads globally ran over HTTPS. This October, Chrome will default to HTTPS for three billion users, attempting secure connections automatically, warning before accessing HTTP sites.
The technology stayed the same. Economics and social pressure shifted.
Optional infrastructure for a generation. Mandatory in less than a decade.
The $50 Problem Disappears
Let's Encrypt launched, issuing free SSL certificates to anyone who wanted them. Before that, certificates cost money. Not much—maybe $50-200 annually—but enough friction that small sites, personal blogs, internal tools stayed HTTP. The security argument existed. The economic argument didn't.
Free certificates removed the excuse. Within a year, HTTPS adoption more than doubled, from 5.5% to 12.4% of websites in HTTP Archive data. By October 2016, over half of page loads used encryption for the first time. The technical capability had existed for two decades. The economic barrier had been there the whole time, invisible until it vanished.
Your Site Gets a Warning Label
Chrome started marking HTTP sites with password fields as "not secure" in January 2017. Eighteen months later, Chrome 68 marked all HTTP sites as "not secure." Static pages, blogs, documentation sites, everything.
Your site suddenly had a warning label visible to every visitor. Password fields or not, payment processing or not, the browser was telling users your site was unsafe. Product managers got emails from confused customers. Marketing teams fielded questions about whether the company had been hacked. Support tickets piled up.
Organizations that had resisted HTTPS for years upgraded within months. The browser made unencrypted sites look broken. By 2020, 94-99% of Chrome traffic in the United States used HTTPS. The holdouts stood out as conspicuously unencrypted in a way that made them look either negligent or incompetent.
The Default Flips
Chrome's October 2026 change completes the shift. The browser will attempt HTTPS connections first and display a warning before accessing HTTP sites. Users can still proceed, but they have to actively choose insecurity rather than passively accept it.
Each step made the next one possible. Free certificates made adoption economically rational. Browser warnings made it socially necessary. Widespread adoption made holdouts conspicuous. Twenty-five years from optional feature to mandatory infrastructure. The protocol was ready in 1995. The ecosystem needed until 2026 to catch up. Technical readiness was necessary but insufficient. The real work was restructuring incentives so that the new baseline became cheaper and easier than maintaining the old one, then creating enough social pressure that holdouts couldn't ignore it.
Infrastructure shifts take decades, even when the technology works from day one.