The Washington PostDemocracy Dies in Darkness

Only a third of federal sites protect your Web traffic from prying eyes. That’s about to change.

The White House (MANDEL NGAN/AFP/Getty Images)

The White House just took a big step toward making government Web sites more secure for visitors. On Monday, the Office of Management and Budget issued a directive that requires all publicly accessible federal Web sites and services to adopt encryption using HTTPS.

The "S" in HTTPS stands for secure. It basically creates a sort of protected tunnel between a visitor and Web site that keeps data safe from the prying eyes of Internet Service Providers, employers, or even nefarious hackers hanging out on the same coffee shop Wi-Fi as a Web visitor. It's often represented by a little lock in the Web address bar of your browser.

Without it, a visitor's privacy and security can be compromised. "Unencrypted HTTP connections create a vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services," said White House Chief Information Officer Tony Scott in a blog post about the new standard. "This data can include browser identity, website content, search terms, and other user-submitted information."

The new standard will require federal Web sites to complete the switch by Dec. 31, 2016. It was first proposed by OMB in March.

While the move to HTTPS everywhere on federal sites will provide a new baseline of privacy and security to people who visit them, it won't solve some of the government's other cybersecurity problems. Last week, the Office of Personnel Management disclosed it suffered a major breach that may have exposed data about 4 million former and current government workers. Adopting HTTPS would not have prevented that hack.

The transition is already in progress, with the government rolling out HTTPS to more and more Web sites -- the Federal Trade Commission, for example, started automatically using the protection for many of its sites in March.

But because each agency is largely in control of their own information technology decisions, many other agencies still haven't put HTTPS in place. Right now 31 percent of federal Web domains currently use HTTPS, according to a government Web site set up to monitor progress on the shift.

The technology has been widely used in the private sector for years, where it helps secure the services of major tech companies including Google as well as things like online banking. But at times, even the most sensitive of government Web sites have failed to use HTTPS. Federal sites designed to help find services for people with AIDS left a lot of personal information exposed for years because those sites, the Post's Craig Timberg reported in 2014.