Apple's move to encrypt your iPhone and WhatsApp's rollout of end-to-end encrypted messaging have generated plenty of privacy applause and law enforcement controversy. But more quietly, a small non-profit project has enacted a plan to encrypt the entire global web. And it's working.

Earlier this week, the San Francisco-based Internet Security Research Group (ISRG) announced that the initiative it calls Let's Encrypt is coming out of beta—and that it's making serious headway toward helping tens of millions of unencrypted sites around the world switch from the insecure web standard HTTP to HTTPS, which encrypts your web browsing to protect it from surveillance. Without that layer of encryption, a regular HTTP connection can be intercepted and read by anyone between a web visitor's browser and the site he or she is visiting—whether a hacker on the same Wi-Fi network, an internet service provider, or a government agency. Since launching less than six months ago, Let's Encrypt has helped 3.8 million websites switch to HTTPS encryption, taking a significant chunk out of the unprotected web data that's available to those eavesdroppers.

"Frankly it's irresponsible how much of our information goes flying around the web in the clear. Anyone can just pull it down and read it. That's not what people should expect from such an important network today," says Josh Aas, the founder of the Internet Security Research Group, who officially works for Mozilla but runs Let's Encrypt for ISRG. "We want to feel that when we're using [the web] we have privacy…Our goal is to get to one hundred percent encryption."

Let's Encrypt has tried to make it easier for websites to switch from HTTP to HTTPS by flattening one of the biggest hurdles in the process: certificates. Let's Encrypt functions as a certificate authority, one of the dozen or so organizations like Comodo, Symantec, Godaddy and Globalsign that verify that servers running HTTPS web sites are who they claim to be. (A carefully-secured web connection isn't much good if you're sending private data to a spoofed site.) Once verified, these authorities issue those computers a "certificate" they need to make their HTTPS encryption work with your browser. The certificate is designed to be an unforgeable signature that's cryptographically checked by your browser so that you can be sure your communications are decrypted only by the intended site and not an impostor.

Unlike commercial certificate authorities, however, Let's Encrypt is free, thanks to corporation sponsorship from companies including Cisco, Google and Akamai. It's available to websites anywhere in the world—even far-flung countries like Cuba and Iran that sometimes aren't served by other major certificate authorities. And it's automatically configured with a piece of code that runs on any server that wants to switch on HTTPS. "This is the silver bullet that…lowers the barrier to encrypted web communications," says Ross Schulman, the co-director of the cybersecurity initiative at the New America Foundation. "It brings the cost of executing a secure website down to zero."