SecurityBaseline.eu
aequitas
226 points
104 comments
May 13, 2026
Related Discussions
- Post-mortem of the EU Europa breach: A masterclass in IAM misconfiguration D__S · 11 pts · April 02, 2026 · 53% similar
- I audited the privacy of popular free dev tools, the results are terrifying WaitWaitWha · 52 pts · March 03, 2026 · 52% similar
- The EU still wants to scan your private messages and photos MrBruh · 887 pts · March 25, 2026 · 52% similar
- Chat Control Vote in the EU to End Untargeted Mass Scanning of Private Chats dinowars · 22 pts · March 11, 2026 · 52% similar
- Brussels launched an age checking app. Hackers took 2 minutes to break it axbyte · 189 pts · April 20, 2026 · 51% similar
Discussion Highlights (19 comments)
aequitas
Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites. Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.
zihotki
That's a wonderful initiative! I wanted first to complain about Dutch municipalities, but looking at the foundation, I see fellow Dutch and Belgian men are already focusing on them!
oliviergg
Seems a good idea, but currently down.
lccerina
Honestly surprised that Italian municipalities are doing relatively well compared to other countries. Maybe a push from the government to have a shared design for municipal websites helped ( https://github.com/orgs/italia/repositories?q=comuni )
Neil44
To be fair, it's pretty much the norm with shared and even VPS hosting that your cPanel etc. will be publicly accessible. Only people who hand-roll their setups will have things firewalled down etc. And if it's a website promoting a local tree planting initiative or whatever, is it really a good use of budget to get everything hardened so much?
jillesvangurp
Interesting data set. Would be interesting to repeat the same for SMEs. In my experience, Germany is pretty hopelessly behind on everything except GDPR enforcement. They are kings of that. Must have a cookie screen, apparently. That's why they score so well on that and not much else. When the GDPR became active eight or so years ago, we got a few GDPR-related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious how quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to." Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing. Any mobile app you install might track you without setting cookies, and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one (unless it's a web app packaged up as an app). But sharing personal data with a third-party provider is still problematic under GDPR. If you read the actual law, it barely mentions cookies at all. The "must have consent screen for cookies" is just the common (mis)interpretation for laymen, because it's the most visible impact that this has had on them. When it comes to data removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests, but it would be fine legally.
debesyla
Is there a list of these "government" sites anywhere? I have been working on a similar project, focusing on Lithuanian-only "government" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privately, used publicly. (Mostly because that was cheaper and/or because of a lack of requirements and/or other weird situations.) But yeah, I can confirm that stats are same-ish in the Lithuanian web too. I just haven't finished gathering data yet, it will take a while.
vin10
There should be a metric for sites hosting malicious content! https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf
lionkor
Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)? For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.
cryo32
Perhaps surprisingly, we already do this in the UK. Public-facing side of the security services are all over it.
rickdeckard
Great work. It's fun how these graphs indirectly hint at a cross-section of "e-Gov"/"tech-literacy in politics" per country with those incident-tables. 1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!) 2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!) 3. Countries FAR BEHIND in e-government practices rank LOW (...good?) Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...
CalRobert
Cool stuff but odd that Ireland has results for all but 3 counties and one of the ones missing data is Co Dublin...
nubinetwork
Can we start using a comma as a thousands separator instead of a period?
cs02rm0
I hate consent banners more than tracking cookies.
xlii
I checked Warsaw, Poland. It has 3 HIGH RISK issues because: DNSSEC is not configured; a few cookies are sent, including (ALERT!) a Google marketing cookie; ROA is missing. The thing though is that this is a purely informational website (that's defunct under Safari :D) and all actual interaction goes through a specialized portal (e.g. gov.pl, for which the only complaint is cipher order). I get it, it's an aggregator, but showing red maps is at least sensationalist. Seems that results are taken from internet.nl, which has a WAY better UI than the page posted. https://batch.internet.nl/site/um.warszawa.pl/17768032/#
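The three findings listed above (tracking cookie before consent, no DNSSEC, no ROA) are simple enough that a defender can reproduce the classification logic locally before deciding whether a "red" rating is warranted. The following is an added example, not code from SecurityBaseline.eu or internet.nl: it runs the three checks over constructed observations (a pre-consent cookie jar, the DS records seen at the parent zone, and a boolean for RPKI ROA coverage). The tracking-cookie prefix list, the severities, and the sample domains are assumptions for illustration, not the scanner's real signature set.

```python
from dataclasses import dataclass

# Cookie name prefixes typical of Google Analytics/Ads and Meta Pixel clients.
# Assumption for illustration only; the real scanner's signature list is not published here.
TRACKING_COOKIE_PREFIXES = ("_ga", "_gid", "_gat", "_gcl_", "_fbp")


@dataclass
class SiteObservation:
    domain: str
    cookies_before_consent: list[str]  # "name=value" pairs in the jar before any consent click
    ds_records: list[str]              # DS records at the parent zone; empty means no DNSSEC chain
    roa_covers_origin: bool            # True if an RPKI ROA covers the prefix announcing the site


def cookie_names(pairs):
    """Extract cookie names from 'name=value' strings, skipping malformed entries."""
    names = []
    for p in pairs:
        if "=" in p:
            names.append(p.split("=", 1)[0].strip())
    return names


def tracking_cookies_before_consent(pairs):
    """Return the names of known tracking cookies present before consent was given."""
    return [n for n in cookie_names(pairs) if n.startswith(TRACKING_COOKIE_PREFIXES)]


def assess(site):
    """Apply the three baseline checks and roll them up into a single risk level."""
    findings = []
    tc = tracking_cookies_before_consent(site.cookies_before_consent)
    if tc:
        findings.append(("HIGH", f"tracking cookies set before consent: {', '.join(tc)}"))
    if not site.ds_records:
        findings.append(("HIGH", "DNSSEC not configured (no DS record at parent zone)"))
    if not site.roa_covers_origin:
        findings.append(("HIGH", "no RPKI ROA covers the announcing prefix"))
    risk = "HIGH" if any(sev == "HIGH" for sev, _ in findings) else "LOW"
    return {"domain": site.domain, "findings": findings, "risk": risk}


# Constructed samples: the first mirrors the three issues reported for the Warsaw site,
# the second is a site that passes all three checks. All values are invented.
WARSAW_LIKE = SiteObservation(
    "example-city.invalid",
    ["PHPSESSID=abc123", "_ga=GA1.2.1111.2222", "_gid=GA1.2.3333.4444"],
    [],
    False,
)
CLEAN = SiteObservation(
    "example-clean.invalid",
    ["session=xyz"],
    ["12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],
    True,
)

if __name__ == "__main__":
    for s in (WARSAW_LIKE, CLEAN):
        r = assess(s)
        print(r["domain"], r["risk"])
        for sev, msg in r["findings"]:
            print("  ", sev, msg)
```

Note that every finding here is weighted HIGH, which is exactly the design choice the comment objects to; a site-level rating that distinguishes an informational brochure site from a transactional portal would need a separate weight per check and per site role, which this example deliberately does not invent.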
elric
Colouring an area red because they don't have DNSSEC enabled on a domain seems excessive. A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.
Aerroon
> 3.081 European government sites place tracking cookies without consent. GDPR was adopted more than a decade ago and our governments still can't do it right, yet they expect everyone else to get it right. Amazing regulation.
nodar86
At least for Hungary, most of these are totally random websites with no connection to the government at all. 4/4 of the "region" websites are very random and all "district" sites seem to be pointing to a single decommissioned/archived site. The other lists I only spot-checked, but they contain a mix of government sites and local news sites. I don't see how such a thing could go out in public calling out government security when they didn't do the bare minimum of checking if the sites they "monitor" are truly governmental sites.
abbe98
Are state agencies included for any country? This seems to only include government agencies with their own administrative divisions?