Hacker News new | ask | show | jobs
by aequitas 36 days ago
Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites.

Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.
4 comments
SyneRyder 36 days ago
Tiny request that you probably can't do anything about - but despite this page being in English, the HTML is incorrectly reporting it as lang="nl-NL" in the first line of the source. There's a few other hreflang="nl" floating around pointing to English pages as well.

(Only noticed because I have a tiny indie search engine that can only index English right now, and the "nl-NL" is causing the page to be misclassified.)

Weird niche bug report aside though - love to see this project, congratulations for working on this. I think it's a great idea.

I'd personally love to see a closer look on government sites that drop cookies before the consent banner has asked permission to do so. I'm not worried about cookies, but if we're going to ignore the consent banner anyway, why waste everyone's time with asking in the first place.

link
repelsteeltje 36 days ago
Maybe post this as Show HN? And adjust headline to fit max chars.
link
aequitas 36 days ago
Thanks, will do that.
link
gbkgbk8 36 days ago
yes
link
bombcar 36 days ago
> 3.000 governmental sites use tracking cookies illegally

In the USA the government often excludes itself from privacy and other similar laws, did the EU fail to make that distinction?

link
0123456789ABCDE 36 days ago
Q: would you mark google.com with any "high risk" findings?

there are quite a few like this, that on close inspection, are just fine

link
Stitch4223 36 days ago
I see some 25 French municipal sites are on "sites.google.com". By default we also import and attribute the main domain google.com to those organizations. That is usually correct, but obviously wrong in this case.

The data was removed, and tomorrow's reports will reflect that.

link
0123456789ABCDE 36 days ago
the question is: if `https://www.google.com` were to be included in this analysis, would you expect to see any "high risk" findings?

and the reason i ask is that some of the findings, i have seen, would apply to google.com, yet no one would consider them "high risk", so why do this to other services?

this effort would be better served by raising attention to truly important issues, or defects, than to try to identify as many problems as possible, and for lack of a better word, presenting the results in a away that's unnecessarily dramatic

link