Try sending a link at your obscure dot com domain to a large group chat. Now try hosting the same material on a well-known corporation's website. I'm certain that a lot more people are going to be visiting the corporate-hosted URL. Why? Perceived security. People are terrified of personal websites because of the reasoning I gave above. Automatic powerful JavaScript execution has killed casual web surfing. Now opening a website URL is like running an application rather than reading a document.
As for the friction on the hosting side, the problem mostly has to do with keeping websites up, not setting them up. The short lifespan and fragility of the required CA TLS means any HTTPS-only (because JS auto-exec) site will only survive for a few years without active human maintenance. Whether the acme(2) tool breaks, an LE root cert expires (like what happened this summer), an acme version is deprecated, the host OS openssl version doesn't have cross support for required modern ciphers, or something in the 90-day cert lease cycle just breaks because it's so complex with so many things moving, CA TLS sites die. HTTP sites can last forever without being touched. HTTP+HTTPS should be the way, but with the security required for an auto-executing JS browser no one wants to risk HTTP. I've literally had people balk at loading an http://example.com/image.jpg because it was HTTP. The fear is not rationally evaluated on a case-by-case basis; it's just an "all security, all the time, no matter what" habit now.