Honestly I'd like to see one of the webmail providers do a decent attempt at gpg. The web migrated from a primarily unencrypted state to an encrypted one - it's not impossible with the right UX.
This is never going to happen because it doesn’t work very well for consumers, and works even less well for businesses.
For consumers, owning the encryption keys means account recovery is impossible when they inevitably lose their keys. IM services can get away with it, because losing your IM history is not nearly as serious as losing your inbox.
For businesses, you’re not going to be able to sell a service that makes filtering impossible. This is bad for consumers too, but an absolute deal breaker for most businesses.
... including spam filtering, which matters somewhat for consumers, too.
Then there's the issue of search - with webmail you have no realistic choice but to rely on server-side search, and the same issue likely applies on phones even when using a dedicated mail app. (And indeed ProtonMail currently only offers meta-data search, but no full text body search)
I didn’t specifically say spam filtering, because there’s technically lots of spam filtering you can do with only metadata. But yeah you’re right, any form of server side content filtering (including search) would be impossible.
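An added illustration of the constraint the comment above describes (this is my own example, not code from any commenter or from ProtonMail): when the body key lives only in the client, the server can index sender and subject but not body text, so full-text search has to pull every message down and decrypt it client-side. The toy keystream cipher and the class names are assumptions made for the demo.

```python
import hashlib
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream (demo only; a real
    client would use an authenticated cipher such as AES-GCM)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class StoredMessage:
    sender: str        # metadata stays in the clear so the server can index it
    subject: str
    nonce: bytes
    ciphertext: bytes  # body encrypted under a key the server never holds


class MailServer:
    """Stores messages and can only match on the fields it can read."""
    def __init__(self):
        self.messages = []

    def store(self, msg: StoredMessage) -> None:
        self.messages.append(msg)

    def search(self, term: str) -> list:
        t = term.lower()
        return [m for m in self.messages
                if t in m.sender.lower() or t in m.subject.lower()]


class MailClient:
    """Holds the body key; encrypts before upload, decrypts locally to search."""
    def __init__(self, server: MailServer, key: bytes):
        self.server, self.key = server, key

    def send(self, sender: str, subject: str, body: str) -> None:
        nonce = os.urandom(12)
        self.server.store(StoredMessage(
            sender, subject, nonce, keystream_xor(self.key, nonce, body.encode())))

    def search_bodies(self, term: str) -> list:
        # Full-text search means downloading and decrypting every message.
        t = term.lower()
        return [m for m in self.server.messages
                if t in keystream_xor(self.key, m.nonce, m.ciphertext).decode().lower()]
```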
The web is _partly_ encrypted in transit. To the point where it hits the closest cloudflare (or other edge) server. From then on it's often unencrypted the rest of the way to the real webserver.
Yes, it would be possible to encrypt email too but it would involve changing every email client and server there is, and there are quite a few of them. And a public key repository for everyone to be able to find the correct key for each receiving address. Mailing list servers and other group mail would be particularly fun to solve.
Given that you mentioned CloudFlare, they actually encourage using Full SSL (Strict), which requires a valid certificate from the origin server to the edge server. You can also get them to issue an SSL cert for you if you don't want to deal with that yourself. It expires in 10 years by default, but can be revoked easily in case of key compromise.