@feld @RandomDamage weak ciphers do not necessarily mean computationally cheap ciphers… but that’s less relevant.
Way back when I used to work at an ISP, we’d have people with colo servers running on single-core pentium chips. Most connections were high-latency, low bandwidth 56K dualup. If a normal page took 3-10 seconds to load due to slow bandwidth, the same page over SSL might take 15-20 due to the number of extra round trips required to negotiate the session over a 100-300ms connection. Add a 333 mhz clock on the server (and a 100-200mhz clock on the client) and you did get a noticeable performance hit.
It was enough that people who needed ssl would buy dedicated SSL-offload hardware just to handle the compute, and hope the rtt was low enough that they didn’t lose customers.
So yeah, certificate costs were also stupid high, but the compute and bandwidth impact of SSL back in the day was not trivial, and hindered adoption on its own.