• huppakee@piefed.social
    4 days ago

    Thanks for sharing, great article. Copied and pasted some bits below:

    (…) Metrics are gathered day and night over all 200.000 internet domains, across the massive total of 67.000 local governments. Nearly 200.000 seems like a high number, but in fact it is very low.

    In reality, the true number of government domains is tenfold but finding those requires a lot of effort. We mostly are missing ‘project’ domains, targeted at tourism, housing, infrastructure, festivals, and anything else the government produces. Some governments, like the Netherlands, have multiple official registries for governmental websites. Yet our Dutch initiative has found thousands of additional domains missing from those registries.

    Later in the article they share the 3 most worrying metrics:

    3.081 European government sites place tracking cookies without consent. (…)

    YouTube is the biggest source of tracking cookies, with 2077 cookies placed in total. Google Ads(!) follows with 842 tracking cookies. This might be a side effect of misconfiguration of Google Analytics, which should also not be used; however, that is measured in another metric not mentioned in this article. Then we see 293 Facebook cookies, probably for website analytics as well. Last but not least, we see 20 TikTok cookies.

    We found a total of 1.070 phpMyAdmin portals on 3.529 different domains. Many domains share the same panel; they share the same service provider for example. phpMyAdmin is an open-source tool, yet we found no financial contributions from European governments to this software project. This means they are depending on software, yet are not willing or mandated to pay for it; we see this as an unwillingness to invest in their own online security. We urge governments to pay for open source for their own sake.

    Two of these panels are present at addresses of Computer Security Incident Response Teams, which is a double offense. It might require some trickery to see these addresses in the browser.

    Last but not least, the most shocking discovery of our research: the encryption quality of e-mail to European governments is poor. And not just any form of poor: 99% do not follow up-to-date security practices. Only the Netherlands and Denmark show somewhat promising numbers.
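    An added example, not from the quoted article or its measurement project, of how the "tracking cookies without consent" metric above can be reproduced on a single site: a consent-less page load records every Set-Cookie header together with the host that sent it, and any cookie attributed to one of the advertising/social vendors the article names (YouTube, Google Ads, Facebook, TikTok) is counted as placed without consent. The page host, cookie values and the vendor-to-domain mapping (doubleclick.net standing in for Google Ads) are this example's assumptions, not data from the article.

```python
"""Classify cookies observed during a consent-less page load.

Added example, not code from the quoted article or its project. A crawler
records each Set-Cookie header with the host that sent it and the top-level
page host, before any consent banner is interacted with. Cookies from a
known advertising/social vendor in that state are tracking cookies placed
without consent, grouped per vendor the way the article reports them.
"""
from collections import Counter
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Vendor attribution by registrable cookie domain. The vendors are the ones
# the article names; the domain suffixes are this example's assumption.
TRACKER_SUFFIXES = {
    "youtube.com": "YouTube",
    "doubleclick.net": "Google Ads",
    "facebook.com": "Facebook",
    "tiktok.com": "TikTok",
}


@dataclass
class CookieObservation:
    page_host: str    # top-level page being audited
    setter_host: str  # host whose HTTP response carried the Set-Cookie
    set_cookie: str   # raw Set-Cookie header value


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the sample data; a real
    tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(obs: CookieObservation) -> dict:
    """Parse one Set-Cookie header and decide party and vendor.

    A cookie without an explicit Domain attribute belongs to the host that
    set it, which is how browsers scope it."""
    jar = SimpleCookie()
    jar.load(obs.set_cookie)
    morsel = next(iter(jar.values()))
    domain = registrable_domain(morsel["domain"].lstrip(".") or obs.setter_host)
    return {
        "name": morsel.key,
        "domain": domain,
        "first_party": domain == registrable_domain(obs.page_host),
        "vendor": TRACKER_SUFFIXES.get(domain),
    }


def audit(observations):
    """Return (per-vendor counts, flagged cookies) for cookies that are both
    third-party and attributed to a known tracking vendor."""
    flagged = [
        info for info in map(classify, observations)
        if info["vendor"] and not info["first_party"]
    ]
    return Counter(f["vendor"] for f in flagged), flagged


# Constructed sample capture for a fictional municipal site; cookie values
# are placeholders, not real captured data.
PAGE = "www.example-gemeente.nl"
SAMPLE_OBSERVATIONS = [
    CookieObservation(PAGE, PAGE, "PHPSESSID=abc123; Path=/; HttpOnly"),
    CookieObservation(PAGE, "www.youtube.com",
                      "VISITOR_INFO1_LIVE=sample1; Domain=.youtube.com; Path=/; Secure"),
    CookieObservation(PAGE, "www.youtube.com",
                      "YSC=sample2; Domain=.youtube.com; Path=/; Secure; SameSite=None"),
    CookieObservation(PAGE, "stats.g.doubleclick.net",
                      "IDE=sample3; Domain=.doubleclick.net; Path=/; Secure; SameSite=None"),
    CookieObservation(PAGE, "www.facebook.com",
                      "fr=sample4; Domain=.facebook.com; Path=/; Secure"),
    # Third-party but not a listed vendor: reported as third-party, not counted.
    CookieObservation(PAGE, "assets.cdn-example.net",
                      "cdn_token=sample5; Domain=.cdn-example.net; Path=/"),
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_OBSERVATIONS)
    for vendor, n in counts.most_common():
        print(f"{vendor}: {n} tracking cookie(s) set before consent")
    for f in flagged:
        print(f"  {f['name']} ({f['domain']})")
```

    On the sample capture this reports YouTube twice, Google Ads once and Facebook once, which mirrors the vendor ranking in the article; the unlisted CDN cookie shows that the vendor table is attribution, not a complete tracker blocklist, so a production audit would pair it with a maintained tracker list and the site's own consent state.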

    • lath@piefed.social
      4 days ago

      Security practices won’t improve any time soon because governments work on a budget and generally have a mandate of reducing costs. Any issue which costs to solve is an issue for the next government.