SecurityBaseline.eu

Project launch & scope

  • New initiative “SecurityBaseline” monitors ~67k government entities and ~200k sites across Europe.
  • Headline findings: thousands of government sites set tracking cookies without consent, many public database interfaces, and widespread weak email encryption.
  • Some suggest reposting as a “Show HN” and adjusting messaging to be less sensationalist.

Data accuracy & classification issues

  • Misattribution example: municipal sites hosted on sites.google.com led to incorrectly attributing google.com to those governments; maintainers say this has been corrected.
  • Some country- or region-level lists (e.g., Hungary, the Dublin region) appear to mix in non-government sites or miss key regions, raising questions about how “government” domains are identified.
  • Dataset sources include zone files and owner info; FOI requests are mentioned as possible but slow.

Severity, metrics, and presentation

  • Several argue the site overstates risk (e.g., coloring regions red) for issues like missing DNSSEC, ROA, or basic tracking cookies on informational sites.
  • Others counter that even “small” sites often hold personal data (e.g., form submissions), so hardening is justified.
  • Criticism that focusing on cookie banners and DNSSEC can distract from more impactful risks, such as outsourcing email to large foreign providers.

DNSSEC debate

  • Some see lack of DNSSEC as serious and defend highlighting it.
  • Others assert DNSSEC is often harmful, prone to self-DoS, and should not be incentivized; recent outages are cited.

GDPR, cookies, and consent

  • Discussion that GDPR itself is not cookie-focused, but the public and some tools overemphasize cookie consent.
  • Mixed views on enforcement: some see Germany as strict on GDPR, others point to blatant violations (e.g., “pay with privacy” walls).
  • Annoyance with consent banners is common; browser extensions are suggested as mitigations.

Security culture & legal environment

  • Comments note that in places like Germany, pentesting without explicit authorization is legally risky, discouraging independent research.
  • Some describe institutional defensiveness and fear of blame; others mention official disclosure channels (e.g., national CERT/BSI forms) as a workable route.

Miscellaneous

  • Reports of the site being down due to traffic.
  • Minor complaints about HTML language tags, number formatting (comma vs period), and UI compared to underlying tools.