
Posted by aequitas 3 hours ago

SecurityBaseline.eu(internetcleanup.foundation)
163 points | 76 comments
lionkor 2 hours ago|
Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)?

For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.

zelphirkalt 2 hours ago||
In Germany we have the completely wrong mindset for such things. Instead of being grateful, all we care about is "whose fault is it" and CYA tactics. And no one wants to be "guilty" or have their incompetence revealed, so suits will do anything they can to avoid that. Something serious needs to go wrong first, so that loss of face already happens, before anyone will move. Maybe we need to get hacked by Russia a few more times.
CalRobert 2 hours ago|||
How is the home of the Chaos Computer Club so bad at this....
rf15 2 hours ago||
It is only this degree of malice and incompetence that can give rise to something like the CCC.
Kirth 38 minutes ago||
Yeah it does feel like much tech competence that sprouts in Germany is either sequestered off and penned in, and/or leaves the country.
WesolyKubeczek 44 minutes ago|||
You still have quite enough people in high places who are direct or indirect beneficiaries of companies that are either Russian or tied to Russia, so nothing will ever happen even then.
fossislife 1 hour ago|||
As a German I fear the only way I can see one of our government agencies reacting to an external pentesting report is if you threatened to release data from it anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.
breisa 31 minutes ago||
That's far from reality. Just use the online form of the BSI for disclosure. They contact the affected party for you. This way you can optionally stay anonymous and the vulnerabilities get fixed because the BSI appears as the messenger.
tetha 1 hour ago|||
Yeah.

And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.

But we're at a point where a court had to decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.

That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.

jiehong 19 minutes ago|||
It's a good way to ensure that people outside of Germany pentest German sites instead :D
sigmoid10 2 hours ago||
To be fair, most of this stuff could be found with any normal browser. You don't even need browser dev tools. But if you write a simple script to automate any of this... yeah. They can totally get you for doing that. Probably one of the best examples why politicians should not be allowed to pass technical laws they fundamentally can't grasp.
lionkor 2 hours ago||
Visiting an admin page is fine, yeah, but even just trying a default password, or having specific cookies set in the browser that look like an attempt to gain access, already clearly violates § 202a and you could be prosecuted, from how I read that law's text.

And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.

aequitas 3 hours ago||
Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites.

Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.

SyneRyder 20 minutes ago||
Tiny request that you probably can't do anything about - but despite this page being in English, the HTML is incorrectly reporting it as lang="nl-NL" in the first line of the source. There's a few other hreflang="nl" floating around pointing to English pages as well.

(Only noticed because I have a tiny indie search engine that can only index English right now, and the "nl-NL" is causing the page to be misclassified.)

Weird niche bug report aside though - love to see this project, congratulations for working on this. I think it's a great idea.

I'd personally love to see a closer look on government sites that drop cookies before the consent banner has asked permission to do so. I'm not worried about cookies, but if we're going to ignore the consent banner anyway, why waste everyone's time with asking in the first place.
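As an added example (not code from SecurityBaseline or from the commenter), the following Python audits the Set-Cookie headers a server sends on its very first response, i.e. before a consent banner could have been answered, and reports which cookies would need consent. The sample headers are constructed, and the "necessary" and "tracking" name patterns are assumptions for illustration, not an authoritative classification.

```python
"""Audit cookies set on the first (pre-consent) HTTP response.

The idea: fetch a page once with a clean cookie jar and look only at the
Set-Cookie headers of that first response. Anything that is not strictly
necessary for the site to function was dropped before the visitor could
have consented. Sample input below is constructed for this example.
"""
import re
from http.cookies import SimpleCookie

# Assumed patterns for strictly necessary cookies: session identifiers,
# CSRF tokens and the consent-state cookie itself. Not an authoritative list.
NECESSARY = re.compile(
    r"^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|.*session.*|.*consent.*)$", re.I
)
# Well-known analytics/marketing cookie prefixes (Google Analytics _ga/_gid/_gat,
# Meta pixel _fbp/_fbc, Hotjar _hj). Assumed list for illustration.
TRACKING = re.compile(r"^(_ga|_gid|_gat|_fbp|_fbc|_hj)", re.I)

# Constructed Set-Cookie headers, as a first response might carry them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000",
    "_gid=GA1.2.987654321.1700000000; Path=/; Max-Age=86400",
    "cookie_consent=pending; Path=/; Max-Age=31536000",
    "theme=dark; Path=/; Max-Age=2592000",
]


def classify_cookie(name):
    """Return 'tracking', 'necessary' or 'unknown' for a cookie name."""
    if TRACKING.match(name):
        return "tracking"
    if NECESSARY.match(name):
        return "necessary"
    return "unknown"


def audit_first_response(set_cookie_headers):
    """Parse each Set-Cookie header and record name, category and flags."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus Path/Max-Age/Secure/HttpOnly
        for name, morsel in jar.items():
            findings.append({
                "name": name,
                "category": classify_cookie(name),
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return findings


def needs_consent(findings):
    """Names of cookies that were set before consent but are not necessary.

    'unknown' cookies are included deliberately: an auditor should have to
    justify them rather than silently treat them as essential.
    """
    return [f["name"] for f in findings if f["category"] != "necessary"]


if __name__ == "__main__":
    results = audit_first_response(SAMPLE_SET_COOKIE)
    for f in results:
        print(f"{f['name']:<16} {f['category']:<10} "
              f"secure={f['secure']} httponly={f['httponly']}")
    print("set before consent, needs justification:", needs_consent(results))
```

Run against a real site, you would replace SAMPLE_SET_COOKIE with the `Set-Cookie` headers of a single fresh GET (no prior cookies, no interaction with the banner); anything in the "needs justification" list was placed before the visitor was asked.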

repelsteeltje 3 hours ago|||
Maybe post this as Show HN? And adjust headline to fit max chars.
aequitas 3 hours ago|||
Thanks, will do that.
gbkgbk8 2 hours ago|||
yes
0123456789ABCDE 1 hour ago||
Q: would you mark google.com with any "high risk" findings?

there are quite a few like this, that on close inspection, are just fine

elric 1 hour ago||
Colouring an area red because they don't have DNSSEC enabled on a domain seems excessive.

A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.

duckmysick 44 minutes ago||
> A nice addition would be to add who is hosting their email.

Something like this? https://livenson.github.io/mxmap/

A few countries have those, here's a Github repo of the Swiss one (has a list of forks in there too): https://github.com/davidhuser/mxmap

Stitch4223 1 hour ago|||
Not making it red would downplay the "SEC" part in DNSSEC.

We already have some privacy metrics in addition to tracking cookies, and there will be more. All are important at the same time.

mirashii 1 minute ago|||
I'd have hoped in 2026 that anyone publishing this type of report would understand that DNSSEC isn't helping anything, and is generally considered to be actively harmful to enable. I'd suggest doing a bit more research and dropping the DNSSEC stuff, or reversing it entirely.
elric 47 minutes ago|||
"Important" according to whom? A tracking cookie is trivial to fix (or to automagically disable for the more tech savvy citizens). Email being hosted by an untrusted foreign corporation is way harder to fix and impossible to bypass as a citizen trying to contact their government.
embedding-shape 58 minutes ago||
[dead]
nodar86 17 minutes ago||
At least for Hungary most of these are totally random websites with no connection to the government at all. 4/4 of the "region" websites are very random and all "district" sites seem to be pointing to a single decommissioned/archived site. The other lists I only spot-checked but they contain a mix of government sites and local news sites.

I don't see how such a thing could go out in public calling out government security when they didn't do the bare minimum of checking if the sites they "monitor" are truly governmental sites.

cryo32 2 hours ago||
Perhaps surprisingly, we already do this in the UK. Public-facing side of the security services are all over it.
blitzar 39 minutes ago|
I get emails from the German Federal Office for Information Security (BSI) via hetzner letting me know if I have db ports open etc.
rickdeckard 2 hours ago||
Great work. It's fun how these graphs indirectly hint at a cross-section of "e-Gov"/"tech-literacy in politics" per country with those incident-tables.

1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)

2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!)

3. Countries FAR BEHIND in e-government practices rank LOW (...good?)

Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...

vin10 2 hours ago||
There should be a metric for sites hosting malicious content!

https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf

SyneRyder 2 hours ago|
Might be worth enclosing that URL in quotes or using [dot] in the URL instead, so people don't accidentally click on that "mortal-kombat-2-cs.pdf" file that Europa.EU is hosting.

VirusTotal claims the PDF file is clean, but I don't think I'd fully trust it anyway. If you do find malicious content, could be worth submitting the URLs to VirusTotal so that the domain is flagged by browsers (eg Google SafeBrowsing) and people can't accidentally visit ec.europa.eu domains until it has been cleaned.

embedding-shape 56 minutes ago|||
> people can't accidentally visit ec.europa.eu domains until it has been cleaned

Just to be safe, couldn't we globally disable BGP and internet transit in general in the meantime? In case someone tries to visit it by other means?

SyneRyder 36 minutes ago||
Oh man, I didn't think of that! You're right, disabling BGP is a better approach.

Although a narrower approach might just be to MITM SSL connections of the general European public. Then you can check if any of those visits are to ec.europa.eu, and either block it outright, or keep a record of people who visited the website. You've already got their IP from the tracking cookies europa.eu drops before asking cookie permission, and you want to make sure you inform them of compromise. It shouldn't be too hard to look up the citizen's postal address, it's probably in one of those ec.europa.eu databases that was left in a public AWS bucket. [1]

[1] https://www.bleepingcomputer.com/news/security/european-comm...

Foivos 1 hour ago|||
The domain is legitimate though.
debesyla 2 hours ago||
Is there a list of these "government" sites anywhere?

I have been working on a similar project, focusing on Lithuanian-only "government" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privately, used publicly. (Mostly because that was cheaper and/or because of a lack of requirements and/or other weird situations.)

But yeah, I can confirm that stats are same-ish in the Lithuanian web too. I just haven't finished gathering data yet, it will take a while.

Stitch4223 2 hours ago|
What we have is published on https://securitybaseline.eu/datasets openly. Some governments publish lists, and they will be incomplete. In the article we point to our most successful approach: sifting through the (partial) zone file with domain owner information. That delivered thousands of sites the Dutch government didn't even know about.

Perhaps a freedom of information request might also work, but that will take a lot of time to write correctly and does not scale across all governments.

xlii 1 hour ago||
I checked Warsaw, Poland.

It has 3 HIGH RISK issues because:

    - DNSSEC is not configured
    - A few cookies are sent and (ALERT!) a Google marketing cookie
    - Missing ROA

The thing though is that this is a purely informational website (that's defunct under Safari :D) and all actual interaction goes through a specialized portal (e.g. gov.pl, for which the only complaint is cipher order).

I get it, it's an aggregator, but showing red maps is at least sensationalist.

Seems that results are taken from internet.nl, which has a WAY better UI than the page posted.

https://batch.internet.nl/site/um.warszawa.pl/17768032/#

zihotki 2 hours ago|
That's a wonderful initiative! I wanted first to complain about Dutch municipalities but looking at the foundation, I see fellow Dutch- and Belgian-men are already focusing on them!