The fix to HTTPS isn't simple. For the site visitor faced with a malfunctioning browser, the fix is to stop using Chrome or Firefox, I guess. Which might happen. For the website owner it involves either paying for a certificate and jumping through all kinds of technical hoops installing it, or else using Let's Encrypt, in which case you will be renewing the damn thing over and over like crazy. Forget, and your site goes down. Neither is a good solution.
If MITM attacks by ISPs are taking place in the wild, show me documented proof of them. And, not just a single example. As with magnet motors, the number of CLAIMS to this effect proves nothing. Show me the STATS that prove this is COMMONPLACE and I'll believe you.
(I've issued this challenge before on a number of IT-related sites and no-one has so far been able to do so.)
The elephant in the room here, which I've mentioned time and time again, is that you don't have to have mixed content on a page any more for it to be insecure. Before this nonsense started, a hacker would have had to convince a certificate issuer to issue a cert for 'ebsy.com' or 'amaxon.com' to make it look secure, and likely the issuer would have refused. So, if you'd made a typo on visiting a site where you were going to buy something, then you'd likely notice the lack of a padlock, and stop. Now, the hacker can use LE to create a spoof site in minutes that looks for all the world like a genuine secure site.
Is that a good situation? HELL, NO! That's even before we start to consider that advertisers can use LE, and if the site is a third party this situation won't show in the security info AT ALL. So, you can't even tell that JavaScript on the page (which could be a keylogger) is coming from an UNCERTIFIED source. The demo on my site shows this in action. A keylogger on a third-party domain using LE is able to read passwords typed into the main page without the browser showing any warning.
The point I'm making here is that we are implementing security against a low-level and largely unproven threat at the expense of blowing away the security where security matters. Those who can't see this need to get their heads out of their *******.
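
An added example, not part of the original post: a defender-side check that lists the hosts a page loads scripts from and flags third-party ones that carry no Subresource Integrity pin, since any such script runs with full access to the page's form fields. The page URL, hostnames, markup and the `audit`/`unpinned_third_party` helpers are constructed for illustration, and treating "third party" as "different hostname" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAudit(HTMLParser):
    """Record every external <script src=...> relative to the page's host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if not a.get("src"):
            return  # inline script: served by the page itself
        # urljoin resolves relative and protocol-relative (//host/x.js) URLs
        url = urlsplit(urljoin(self.page_url, a["src"]))
        self.findings.append({
            "host": url.hostname,
            "third_party": url.hostname != self.page_host,  # assumption: exact host match
            "https": url.scheme == "https",
            "sri": bool(a.get("integrity")),  # pinned to a known hash?
        })


def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def unpinned_third_party(findings):
    """Hosts whose code the page executes without pinning its content."""
    return sorted({f["host"] for f in findings if f["third_party"] and not f["sri"]})


# Constructed sample page: a login form plus three external scripts.
SAMPLE = """
<form><input type="password" name="pw"></form>
<script src="/static/app.js"></script>
<script src="https://ads.example.net/tag.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
"""

if __name__ == "__main__":
    for host in unpinned_third_party(audit("https://shop.example/login", SAMPLE)):
        print("unpinned third-party script host:", host)
```

A valid certificate on the third-party host only shows up here as `https: True`; it says nothing about what the script does, which is why the report keys on host and integrity pin instead.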