I propose setting $wgEnableCanonicalServerLink = true everywhere, and setting $wgCanonicalServer to HTTPS on all servers except Chinese language wikis.
We did this with uz.wikipedia.org, and so we know with some confidence that it will cause Google to provide links directly to the https website. This will cause most of our traffic to go to HTTPS.
I'm filing this to create a place for discussion, rather than as an immediate action item. Before this can be done, the SSL cluster would have to be expanded significantly, assuming Ganglia capacity data is correct -- maybe by a factor of 10. It may be simplest to wait until HTTPS is sent directly to Varnish, but even then, some proper capacity calculations would be in order.
This would be an alternative to T50402: rel=canonical of https pages should point to http and a significant step towards T49832: Force all Wikimedia cluster traffic to be over SSL for all users (logged-in and anon).