The Electronic Frontier Foundation, Mozilla, Cisco, Akamai, and other organizations have teamed up to create the infrastructure and tools necessary to help websites offer more secure and private browsing to their visitors.

The group plans to establish a non-profit organization, Let’s Encrypt, that will freely offer digital certificates and open-source tools for configuring and offering the secure Web functionality known as Secure HTTP (HTTPS). While offering free digital certificates is certainly enticing, creating the tools to easily manage the certificate process and set up Web servers to properly handle HTTPS is the most important part of the effort, Peter Eckersley, technology projects director for the EFF, told Ars.

“The unfortunate truth is that there are a lot of obscure and head-spinning technical details that need to be gotten right for a top-notch HTTPS deployment,” he said. “With Let’s Encrypt, we are going to automate as much of that as we possibly can.”

Browser makers and technology firms have increasingly focused on improving the encryption and privacy of communications on the Web. Google, for example, has turned HTTPS on by default, uses whether a site offers HTTPS as a positive signal for search ranking, and has started displaying error messages for sites that use older encryption standards for their certificates.

While the revelations of widespread data collection by a variety of national governments, including the United States’ National Security Agency, have added impetus to such efforts, privacy advocates and Internet infrastructure experts have called for websites and users to encrypt their communications for many years. In 2012, for example, the release of a tool for sniffing HTTP sessions and replaying the cookies used for security led to calls for greater usage of HTTPS. In 2009, Mozilla and the EFF released a browser plugin that would automatically use secure HTTP on sites that offered it, even if the website did not default to HTTPS.

Let’s Encrypt aims to remove the technical and financial hurdles for website administrators who continue to balk at offering secure HTTP for every site visitor. Even technically savvy workers who frequently manage websites have trouble configuring their servers to properly serve secure HTTP, Eckersley said.

“In our testing, when we ask smart people who know Web sites to turn on HTTPS, they come back an hour later and say, ‘I think I did it,’” he said. “We should be able to reduce that hour to 20 or 30 seconds and make sure that the certificate is renewed every year.”

The Let’s Encrypt certificate authority will be managed by the Internet Security Research Group, a public-benefit corporation based in California, according to the EFF’s statement.

The effort could result in lowering the security of the certificate infrastructure, since attackers will continue the current trend of focusing more heavily on breaking and suborning digital certificates and code-signing signatures, Kevin Bocek, vice president of security strategy and threat intelligence at certificate-management firm Venafi, said in a statement sent to Ars.

“More certificates means more opportunity for misuse by cyber criminals to spoof sites, using man-in-the-middle (attacks) to read encrypted data and transfer data over encryption sessions,” he said. “All of this undermines critical security controls—from strong authentication to threat detection to privileged access systems.”