In 2014, fewer than four in ten web pages loaded over an encrypted connection. By 2019, roughly 80 percent did. The entire web upgraded its security posture in about five years. For foundational internet infrastructure, that kind of change almost never happens. The conditions that made it possible turn out to be so specific they raise an uncomfortable question about everything else.
The sequence started with a carrot. Google announced in August 2014 that HTTPS would become a search ranking signal, a lightweight one affecting fewer than one percent of queries. Then Let's Encrypt entered public beta in December 2015, issuing free certificates to anyone who asked. The cost barrier that had kept small site operators on plain HTTP vanished. By February 2020, Let's Encrypt had issued a billion certificates. Free certificates removed a real barrier. And yet plenty of internet security improvements are technically available and sit unadopted for decades. Routing security has had workable patches since the mid-2010s. The HTTPS transition had an additional ingredient: a bottleneck.
Chrome 56 started labeling HTTP pages with password fields as "Not Secure" in January 2017. By July 2018, every HTTP page got the label. Firefox ran a parallel track. Chrome held roughly 54 percent of global browser market share during the enforcement window. One product served as the chokepoint through which most web traffic flowed. Google didn't need to coordinate with thousands of independent actors. It updated its own browser. Site operators who ignored the change lost rankings and gained a warning label that eroded visitor trust in ways they could feel immediately.
The full set of conditions: a free certificate authority, a dominant browser willing to punish non-adoption, and a search engine willing to reward compliance, all controlled or heavily influenced by overlapping actors and all arriving within a four-year span.
Routing lives in a different world. The Border Gateway Protocol, which determines how traffic navigates between networks, has well-documented security gaps understood for decades. RPKI lets network operators cryptographically verify route announcements. Route Origin Validation lets others reject invalid ones. The patches exist. But adoption requires coordination among tens of thousands of independent operators, each running their own cost-benefit calculation. Signing your routes only matters if others validate. Validating only matters if others sign. No browser-like chokepoint exists through which all routing traffic passes. APNIC's chief scientist described it in January as a tragedy of the commons: each operator's self-interest becomes a cost borne by everyone else.
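The dependency between signing and validating can be made concrete with the origin-validation rules of RFC 6811. The sketch below is an added example, not taken from the article or from any router implementation; the prefixes and AS numbers are documentation-range values constructed for illustration, and the helper names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: the content of one signed route origin authorization."""
    prefix: str
    max_length: int
    asn: int

def rov_state(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route only if the route lies inside the VRP prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS (AS 0 never matches) and a prefix
        # no more specific than the ROA's max length.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accepts(route_prefix, origin_asn, vrps, validating):
    """A validating router drops only 'invalid' routes; others drop nothing."""
    return not (validating and rov_state(route_prefix, origin_asn, vrps) == "invalid")

# Constructed sample data: the legitimate holder is AS64500; AS64511
# announces the same prefix without authorization.
SIGNED = [VRP("192.0.2.0/24", 24, 64500)]
WRONG_ORIGIN = ("192.0.2.0/24", 64511)

def adoption_matrix():
    """Is the wrong-origin route accepted, per (holder signed?, receiver validates?)."""
    return {
        (signed, validating): accepts(*WRONG_ORIGIN, SIGNED if signed else [], validating)
        for signed in (False, True)
        for validating in (False, True)
    }

if __name__ == "__main__":
    for (signed, validating), ok in adoption_matrix().items():
        print(f"signed={signed!s:5} validating={validating!s:5} accepted={ok}")
```

Only the signed-and-validating cell rejects the announcement: an unsigned prefix evaluates to not-found, which a validating router still accepts, and a signed prefix protects nothing at a router that does not validate.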
The White House has tried to manufacture a chokepoint through regulation, proposing that federal contractors and broadband grant recipients adopt routing security measures. The FCC followed with a proposed rulemaking requiring large providers to develop security risk management plans. These are attempts to create through policy what Chrome provided through market gravity. Regulatory mandates produce compliance timelines. They lack the immediate personal consequences that moved website operators. Nobody's traffic drops overnight because they missed a federal comment period.
Whether regulation can substitute for a market chokepoint remains genuinely open. The HTTPS transition, looked at closely, reveals how narrow its own conditions were. The web got its upgrade through a coincidence of concentrated power: the right actors, controlling the right bottleneck, at the right moment. For the parts of the internet where no single actor holds that kind of leverage, it's worth asking whether any other path to adoption exists at all.

