European governments: 3.000 tracking sites, 1.000 phpMyAdmins, and 99% poorly

117

aaequitas about 2 hours ago 43 commentsRead Article on internetcleanup.foundation

DE version is available. Content is displayed in original English for accuracy.

⚡ Community Insights

Discussion Sentiment

75% Positive

Analyzed from 1714 words in the discussion.

Discussion (43 Comments)Read Original on HackerNews

lionkor•about 1 hour ago

Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)?

For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.

zelphirkalt•about 1 hour ago

In Germany we have the completely wrong mindset for such things. Instead of being grateful, all we care about is "whose fault is it" and CYA tactics. And no one wants to be "guilty" or have their incompetence revealed, so suits will do anything they can to avoid that. Somethings serious needs to go wrong first, so that loss of face already happens, before anyone will move. Maybe we need to get hacked by Russia a few more times.

CalRobert•about 1 hour ago

How is the home of chaos computer club so bad at this....

rf15•about 1 hour ago

It is only this degree of malice and incompetence that can give rise to something like the CCC.

fossislife•22 minutes ago

As a German I fear the only way I can see one of our government agencies to react upon an external pentesting report is if you threatened to release data from it anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.

tetha•30 minutes ago

Yeah.

And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.

But we're at a point where a court had do decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.

That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.

sigmoid10•about 1 hour ago

To be fair, most of this stuff could be found with any normal browser. You don't even need browser dev tools. But if you write a simple script to automate any of this... yeah. They can totally get you for doing that. Probably one or the best examples why politicians should not be allowed to pass technical laws they fundamentally can't grasp.

lionkor•about 1 hour ago

Visiting an admin page is fine, yeah, but even just trying a default password, or having specific cookies set in the browser that look like an attempt to gain access, already clearly violate § 202a and you could be prosecuted, from how I read that law's text.

And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.

aequitas•about 2 hours ago

Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites.

Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.

repelsteeltje•about 2 hours ago

Maybe post this as Show HN? And adjust headline to fit max chars.

aequitas•about 2 hours ago

Thanks, will do that.

gbkgbk8•about 1 hour ago

yes

0123456789ABCDE•42 minutes ago

Q: would you mark google.com with any "high risk" findings?

there are quite a few like this, that on close inspection, are just fine

rickdeckard•about 1 hour ago

Great work. It's fun how these graphs indirectly hint at a cross-section of "e-Gov"/"tech-literacy in politics" per country with those incident-tables.

1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)

2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!)

3. Countries FAR BEHIND in e-government practices rank LOW (...good?)

Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...

xlii•36 minutes ago

I checked Warsaw, Poland.

It has 3 HIGH RISK issues because

    - DNSSEC is not configured
    - Few cookies are send and (ALERT!) Google marketing cookie
    - Missing ROA

The thing though is that this is purely informational website (that's defunct under Safari :D) and all actual interaction goes through specialized portal (e.g. gov.pl, for which only complain is cipher order).

I get it, it's aggregator but showing red maps is at leals sensationalists

Seems that results are taken from internet.nl, which has WAY better UI than page posted.

https://batch.internet.nl/site/um.warszawa.pl/17768032/#

vin10•about 1 hour ago

There should be a metric for sites hosting malicious content!

https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf

SyneRyder•about 1 hour ago

Might be worth enclosing that URL in quotes or using [dot] in the URL instead, so people don't accidentally click on that "mortal-kombat-2-cs.pdf" file that Europa.EU is hosting.

VirusTotal claims the PDF file is clean, but I don't think I'd fully trust it anyway. If you do find malicious content, could be worth submitting the URLs to VirusTotal so that the domain is flagged by browsers (eg Google SafeBrowsing) and people can't accidentally visit ec.europa.eu domains until it has been cleaned.

Foivos•37 minutes ago

The domain is legitimate though.

debesyla•about 1 hour ago

Is there a list of these "goverment" sites anywhere?

I have been working on similar project, focusing on lithuanian-only "goverment" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privatelly, used publically. (Mostly due that was cheaper and/or because lack of requirements and/or other weird situations.)

But yeah, I can confirm that stats are same-ish in Lithuanian web too. I just havent finished gathering data yet, it will take a while.

Stitch4223•about 1 hour ago

What we have is published on https://securitybaseline.eu/datasets openly. Some governments publish lists, and they will be incomplete. In the article we point to our most successful approach: sifting through the (partial) zone file with domain owner information. That delivered thousands of sites the Dutch government didn't even know about.

Perhaps a freedom of information request might also work, but that will take a lot of time to write correctly and does not scale across all governments.

CalRobert•about 1 hour ago

Cool stuff but odd that Ireland has results for all but 3 counties and one of the ones missing data is Co Dublin...

jamesdelaneyie•26 minutes ago

Could be that you have four councils: Dublin City Council, Dun Laoghaire/Rathdown, South Dublin, and Fingal

Stitch4223•43 minutes ago

I've added it to the backlog. We're also missing several other regions, but Ireland is the most obvious.

zihotki•about 2 hours ago

That's a wonderful initiative! I wanted first to complain about Dutch municipalities but looking at the foundation, I see fellow dutch- and belgian-men are already focusing on them!

Neil44•about 1 hour ago

To be fair it's pretty much the norm with shared and even vps hosting that your cpanel etc will be publicly accessible. Only people who hand-roll their setups will have things firewalled down etc. And if it's a website promoting a local tree planting initiative or whatever is it really a good use of budget to get everything hardened so much.

onion2k•about 1 hour ago

And if it's a website promoting a local tree planting initiative or whatever is it really a good use of budget to get everything hardened so much.

Given the fact lots of sites like that have Wordpress 'databases' of form submissions full of people's personal data, absolutely definitely emphatically yes.

cryo32•about 1 hour ago

Perhaps surprisingly, we already do this in the UK. Public-facing side of the security services are all over it.

nubinetwork•43 minutes ago

Can we start using a comma as a thousands separator instead of a period?

reddalo•25 minutes ago

Period is the thousands separator and comma is the decimal separator in almost all European countries.

Stitch4223•14 minutes ago

We checked this before going live and came to the same conclusion. We also discovered that the official languages of the EU are all 24 languages, but we chose to write the post in English and not AI-translate it.

usrnm•41 minutes ago

In most (all?) European countries comma is the decimal separator

usui•24 minutes ago

I skimmed https://wikipedia.org/wiki/Decimal_separator but still don't understand. Why does this difference exist? Also, why did the conflict eventually settle into something between full stops and commas? What stopped other symbols from continued usage like bars or underscores?

It seems weird that a system would eventually settle on restricting itself to just full stops and commas, yet not settle the debate on where to put full stops and commas. Like if your system is going to converge strongly on two symbols, finish the job!

veltas•21 minutes ago

Not in e.g. UK.

reddalo•1 minute ago

The UK is sadly not in the European Union and it wasn't included in this study.

lofaszvanitt•25 minutes ago

Oh no way. First, replace fahrenheit to celsius, then miles to kms and we are all set to a nice, unified future.

tactlesscamel•4 minutes ago

I much prefer a 60mi commute to a 96km commute. It is less depressing.

nubinetwork•20 minutes ago

No complaints there, I don't get why the UK uses miles and Celsius...

jillesvangurp•about 1 hour ago

Interesting data set. Would be interesting to repeat the same for SMEs. In my experience, Germany is pretty hopelessly behind on everything except GDPR enforcement. They are kings of that. Must have a cookie screen, apparently. That's why they score so good on that and not much else.

When the GDPR became active eight or so years ago, we got a few GDPR related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to."

Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing.

Any mobile app you install might track you without setting cookies and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app). But sharing personal data with a third party provider is still problematic under GDPR. If you read the actual law, it barely mention cookies at all. The "must have consent screen for cookies" is just the common (mis)-interpretation for laymen; because it's the most visible impact that this has had on them. When it comes to date removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests but it would be fine legally.

ketzu•about 1 hour ago

> Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much.

In what way is GDPR focused on cookies?

In my experience, developers in online discussions make it seem all about cookies, pretending other ways of tracking don't exist, while the law does not. But it has been a while since I looked into it and I might remember that wrong.

> There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app).

A lot of games provide opt-in screens, as they heavily rely on ad networks.

> If you read the actual law, it barely mention cookies at all

Now I am confused, didn't you just say it was focused on cookies?

egorfine•about 1 hour ago

> What was interesting is that we had zero such requests before that law came into power

Because these requests would be 100% ignored. And the law gave people the power they wanted.

I'm mentally and legally far from Germany and I'm not a big supporter of GDPR, but this law is indeed a step in the right direction.

cs02rm0•38 minutes ago

I hate consent banners more than tracking cookies.

lccerina•about 1 hour ago

Honestly surprised that Italian municipalities are doing relatively well compared to other countries. Maybe it helped a push from the government to have a shared design for municipal websites (https://github.com/orgs/italia/repositories?q=comuni)

kome•22 minutes ago

Italians stay winning as usual... :-)

But for real, Italian public administration digitalization isn’t as bad as people think when compared to other big countries. SPID (an electronic identity system, now deprecated) was years ahead of many other European countries (and easily, the US), and PEC (a certified email standard for official communications established in 2005, that can be used with standard email clients) is still more advanced than the often more complicated and closed systems used in many other places. The Italian standard also deeply influenced the EU standard: https://dl.acm.org/doi/fullHtml/10.1145/3560107.3560256

oliviergg•about 2 hours ago

seems a good idea, but currently down.

aequitas•about 1 hour ago

slashdotted, dispite preparations :), working on it