惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
人人都是产品经理
人人都是产品经理
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
N
News and Events Feed by Topic
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
V
V2EX
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
小众软件
小众软件
A
Arctic Wolf
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
G
GRAHAM CLULEY
罗磊的独立博客
T
Tor Project blog
C
Cisco Blogs
美团技术团队
博客园 - Franky
月光博客
月光博客
博客园 - 三生石上(FineUI控件)
T
Threat Research - Cisco Blogs
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
有赞技术团队
有赞技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Security Latest
Security Latest
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
Spread Privacy
Spread Privacy
J
Java Code Geeks
C
CERT Recently Published Vulnerability Notes
大猫的无限游戏
大猫的无限游戏
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
阮一峰的网络日志
阮一峰的网络日志
雷峰网
雷峰网
Project Zero
Project Zero

Hacker News: Best

madhadron - The seven programming ur-languages GitHub - smol-machines/smolvm: Tool to build & run portable, lightweight, self-contained virtual machines. I Measured Claude 4.7's New Tokenizer. Here's What It Costs You. Introducing Claude Design by Anthropic Labs It Is Time to Ban the Sale of Precise Geolocation The creative software industry has declared war on Adobe Isaac Asimov: The Last Question Newly unsealed records reveal Amazon’s price-fixing tactics, California attorney general claims Clojure - Documentary Android CLI and skills: Build Android apps 3x faster using any agent Qwen3.6-35B-A3B on my laptop drew me a better pelican than Claude Opus 4.7 Codex for almost everything Introducing Claude Opus 4.7 Qwen Studio The Future of Everything is Lies, I Guess: Where Do We Go From Here? Virginia Bans Sale of Geolocation Data YouTube now lets you turn off Shorts Burgers | マクドナルド公式 ChatGPT for Excel Ask HN: Who is using OpenClaw? Live Nation illegally monopolized ticketing market, jury finds Google Broke Its Promise to Me. Now ICE Has My Data. Open Source Isn't Dead. The Future of Everything is Lies, I Guess: New Jobs Unexpected €54k billing spike in 13 hours: Firebase browser key without API restrictions used for Gemini requests IPv6 – Google Your Backpack Got Worse On Purpose Good sleep, good learning, good life Fixing a 20-year-old bug in Enlightenment E16. Does Gas Town 'steal' usage from users' LLM credits & paid services to improve itself? Tell HN: Fiverr left customer files public and searchable Cybersecurity Looks Like Proof of Work Now Getting the Flock out Release OpenSSL 4.0.0 · openssl/openssl Internet será irrespirable los días de fútbol y otros deportes. Telefónica extiende los bloqueos a Champions, tenis y golf. Automate work with routines - Claude Code Docs The Future of Everything is Lies, I Guess: Work Thousands of rare concert recordings are landing on the Internet Archive — listen now What is jj and why should I care? Backblaze has quietly stopped backing up your data Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings Codex Hacked a Samsung TV The Future of Everything is Lies, I Guess: Safety GitHub - sterlingcrispin/nothing-ever-happens: Polymarket bot that buys "No" on all non-sports markets. For entertainment only, mostly a meme. Make tmux Pretty and Usable - Ham Vocke Microsoft isn't removing Copilot from Windows 11, it's just renaming it Servo is now available on crates.io - Servo aims to empower developers with a lightweight, high-performance alternative for embedding web technologies in applications. We May Be Living Through the Most Consequential Hundred Days in Cyber History, and Almost Nobody Has Noticed All elementary functions from a single binary operator 奈拜提耶市 Seven countries now generate 100% of their electricity from renewable energy Pro Max 5x Quota Exhausted in 1.5 Hours Despite Moderate Usage Tell HN: docker pull fails in spain due to football cloudflare block Bring Back Idiomatic Design @adlrocha - How the "AI Loser" may end up winning Apple update turns Czech mate for locked-out iPhone user Cache TTL silently regressed from 1h to 5m around early March 2026, causing quota and cost inflation The peril of laziness lost AI Will Be Met With Violence, and Nothing Good Will Come of It Center for Responsible, Decentralized Intelligence at Berkeley The disturbing white paper Red Hat is trying to erase from the internet – OSnews The Future of Everything is Lies, I Guess: Annoyances 447 Terabytes per Square Centimetre at Zero Retention Energy: Non-Volatile Memory at the Atomic Scale on Fluorographane Show HN: Pardonned.com – A searchable database of US Pardons 20 Years on AWS and Never Not My Job Artemis II crew splashes down near San Diego after historic moon mission Molotov Cocktail Is Hurled at Home of Sam Altman, OpenAI’s CEO France to ditch Windows for Linux to reduce reliance on US tech On filing the corners off my MacBooks Installing every* Firefox extension Chimpanzees in Uganda locked in vicious 'civil war', say researchers linux/Documentation/process/coding-assistants.rst at master · torvalds/linux GitHub - callumlocke/json-formatter: Makes JSON easy to read. A compelling title that is cryptic enough to get you to take action on it GitHub - Keychron/Keychron-Keyboards-Hardware-Design: Industrial design files for Keychron keyboards and mice. 100+ models with CAD assets in STEP, DXF, DWG, and PDF. Source-available, with commercial use allowed for original compatible accessories within the license terms. [ANNOUNCE] WireGuardNT v0.11 and WireGuard for Windows v0.6 Released 1D-Chess Helium Is Hard to Replace FBI used iPhone notification data to retrieve deleted Signal messages Microsoft suspends dev accounts for high-profile open source projects Why you can’t trust Privacy & Security Serenity Forge (@serenityforge.com) A new trick brings stability to quantum operations OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters Netflix Prices Went Up Again – I Bought a DVD Player Instead DOJ Wants to Scrap Watergate-Era Rule That Makes Presidential Records Public EFF is Leaving X How NASA built Artemis II’s fault-tolerant computer Meta removes ads for social media addiction litigation How Pizza Tycoon simulated traffic on a 25 MHz CPU Claude mixes up who said what, and that's not OK Reallocating $100/Month Claude Code spend to Zed and OpenRouter Help Keep Thunderbird Alive! Why Are Flock Employees Watching Our Children? The Pentagon Threatened Pope Leo XIV’s Ambassador With the Avignon Papacy Fragments: April 2 Native Instant Space Switching on MacOS Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8% God sleeps in the minerals Apple Silicon and Virtual Machines: Beating the 2 VM Limit
European governments: 3.000 tracking sites, 1.000 phpMyAdmins, and 99% poorly encrypted email. Introducing SecurityBaseline.eu
aequitas · 2026-05-13 · via Hacker News: Best

On May 13, 2026, the website SecurityBaseline.eu was launched. It is a spin-off from the Dutch “Basisbeveiliging”, which has monitored baseline security for over a decade and is part of governmental policy. Three months ago we sent tens of thousands of e-mails to European governments indicating the new site would launch, giving them time to review the results and act on them in advance of publication.

This article details what SecurityBaseline monitors, how we visualize risks with maps, and dives into three worrisome metrics:

  1. 3.000 governmental sites use tracking cookies illegally
  2. Over 1.000 database management interfaces are publicly reachable
  3. 99% of governmental email is poorly encrypted

This data makes the web transparent and complies with tried-and-tested publication, measurement, and code-of-conduct policy. We target our findings at governments so they can protect their citizens. They can impose requirements on themselves and on the rest of the country.

Do you value transparency, security, sovereignty, accessibility, and privacy? Then ask us to do research or become a member of the Internet Cleanup Foundation and support our mission to improve the internet. We already monitor over 80,000 organisations and 500,000 addresses and make this information available to everyone. Find out more about membership or contact us.

Background: Over a thousand maps updated daily

Web Security Map, our software which powers Security Baseline, has been in development for over a decade. We believe that transparency is fundamental to a secure internet. Transparency includes being able to understand easily whether there is a problem. That’s why we show results on maps: maps for every country and every metric.

We measure all EU member states but also include countries inside the European Economic Area. For administrative purposes, we treat the European Union as a country as well; this helps with plotting pan-European initiatives, Computer Security Incident Response Teams (CSIRT), for example. This totals 32 countries, including the EU, Switzerland, Norway, Iceland, and Liechtenstein. The United Kingdom is not included.

Countries divide themselves into all kinds of regions. Every country takes a different approach. Germany, for example, has a lot of structure. In fact, it has so much structure that it becomes confusing and hard to make maps that can be validated easily as correct. Other countries such as Sweden, are much simpler in that respect. In the end, the 32 countries result in 87 different maps with various types of regions: municipalities, cities, provinces, and so on.

Each of these maps is layered into 21 metrics, which we will dive into shortly. Every night we rebuild all 1827 maps based on the latest metrics we have. Metrics are gathered day and night over all 200.000 internet domains, accross the massive total of 67.000 local governments. Nearly 200.000 seems like a high number, but in fact it is very low.

In reality, the true number of government domains is tenfold but finding those requires a lot of effort. We mostly are missing ‘project’ domains, targeted at tourism, housing, infrastructure, festivals, and anything else the government produces. Some governments, like the Netherlands, have multiple official registries for governmental websites. Yet our Dutch initiative has found thousands of additional domains missing from those registries.

The domains we do measure are the most important ones for each government: their homepage and all subdomains below it. For the Dutch municipality of Amsterdam this includes 700 additional addresses like bikecity.amsterdam.nl and stemmen.amsterdam.nl – those are typical project sites but placed on a subsection of amsterdam.nl.

To alter data on our site; sign up and use change requests. For large change requests, please get in touch.

Traffic Light Maps

Maps are colored with the colors of a traffic light. Red means there is a security issue, orange means a warning toward a pending security issue that still needs attention, and green means no issues. Only one issue is needed to make something orange or red. This means it can be challenging to be shown as green. We do not use relative grading, as there is no such thing as relative security. Gray means that we have not found online addresses for that region.

In the galleries below you might recognize your country, and you’ll see a lot of red. It shows the default map for a country, which combines all 21 metrics into one. As you’ll see in the worrisome metrics, there are very large differences between countries.

There are big differences between countries that warrant further analysis. For now, we pick a few highlights:

  • Denmark’s municipalities are mostly orange, signifying a policy being in effect.
  • Italy has many green municipalities; their trick is to have their municipal site be a subdomain, shifting security issues to higher-ups in the chain. As a result, we measure less.
  • EU Computer Security Incident Response Teams are all red; we’ve made it a bit harder for them by connecting the most important governmental website of the country to each of them. This creates a leveled playing field, as some countries do that by design and others have a dedicated website.
  • The Netherlands has a flurry of green, orange, and red; greens are attributed to government policies and measurements of both Basisbeveiliging and Internet.nl.

Map data by OpenStreetMap, metrics and coloring by us.

Three worrisome metrics

Security Baseline measures 21 metrics; these were developed in the past decade for our Dutch site. This number is slowly increasing. We’re using well-established, carefully considered quality tools such as internet.nl and Zonemaster.

From these metrics, we’ve chosen three that cause us the most worry. One of them shows an illegal practice, and the other two show very dangerous practices. These issues need to change not by a single burst of activity but by establishing change processes and continuously upgrading and improving our online footprint. Using a process means you can adapt to future changes we know will come: stronger encryption, quantum cryptography, additional metrics, and new research. Fixing it once does not lead to resilience.

3.000 governmental sites use tracking cookies illegally

3.081 European government sites place tracking cookies without consent. This is illegal, as the GDPR mandates informed consent. The law states: “Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.” Additionally, there is no reason for a government to use surveillance tech on its citizens in the first place.

Yet, as we’ve seen in the Netherlands, the reason for this tracking is benign and can be replaced by using different technologies and approaches. Mostly it’s a side effect of integrating modern technologies that are simple to use but have a hidden advertising cost. This booklet, written by the EDRi foundation, can help web developers create more privacy-friendly websites.

There are substantial differences in tracking between countries. There is no correlation between the number of inhabitants, nor the number of sites. For example; Germany and France differ greatly, with 0,59% versus 3,88% respectively.

What’s missing in these numbers are the tracking cookies of the earlier-mentioned “project” websites for tourism, construction, etc. These are particularly prone to tracking technologies, as they are often made by hip web agencies. Our cookie research in the Netherlands, which did include project websites, showed that in 2023, 4% of governmental sites placed tracking cookies. To protect citizens, it is valuable to have overviews and monitoring of project websites. If we could find them, we’d add them in a heartbeat.

This metric ignores any cookie prompt or banner. Some sites that place these tracking cookies may have a banner like that, but we know from prior research that at least 30% of those banners are ineffective and still leak tracking cookies.

During measurement, we found a total of 357.000 cookies. Just a fraction of these are tracking cookies, and we can say for certain they are in just 10 distinct cases. We found that during prior cookie research in the Netherlands: only large vendors clearly state the intent and purpose of each cookie. Smaller advertising firms do not, so it’s not always clear what every cookie is used for.

For cookies we have a special tracking cookie dashboard on SecurityBaseline. Maps and metrics can also be filtered for tracking cookies with ease.

Below is a number graph of which countries place tracking cookies in order of frequency; source data is at the end of the article. We’ve excluded duplicates from ‘www’ domains.

Percentage graph showing how many European governmental sites place tracking cookies without consent. Slovakia leads with nearly 10%, Greece with 8%, and Portugal with 7,6%. Only Cyprus and Liechtenstein do not place any.

YouTube is the biggest source of tracking cookies, with 2077 cookies placed in total. Google Ads(!) follows with 842 tracking cookies. This might be a side effect of misconfiguration of Google Analytics, which should also not be used; however, that is measured in another metric not mentioned in this article. Then we see 293 Facebook cookies, probably for website analytics as well. Last but not least, we see 20 TikTok cookies.

Number graph showing how tracking cookies are divided. YouTube: 2.077; Google Ads: 842; Facebook: 293; TikTok: 20. A site can have multiple different tracking cookies: the total number of unique sites is 3.081 but the total number of tracking cookie placements is 3.232.

Here are some maps that show that placement of tracking cookies happens infrequently. Map data by OpenStreetMap.

Map showing 72 municipalities in Greece placing tracking cookies without consent.
Map showing 13 municipalities in the Netherlands placing tracking cookies without consent.
Map showing 913 communes in France placing tracking cookies without consent. The communes are sprinkled evenly throughout the country.

Over 1.000 database management interfaces are publicly reachable

The second worrisome metric is the exposure of admin panels that should not be reachable over the public internet. These types of panels are also prone to security incidents. On April 30th this year, a similar popular product, cPanel, was discovered to have a very severe vulnerability. If those panels are not reachable over the internet, they will cause less harm when vulnerabilities like these are discovered.

SecurityBaseline currently measures only one panel. In the future there will be more, including the aforementioned cPanel. For now, we only measure phpMyAdmin. This particular panel is used for database management purposes. It is a very capable tool for this type of administrative work, which is precisely the reason it should not be exposed on the internet for anything serious.

We found a total of 1.070 phpMyAdmin portals on 3.529 different domains. Many domains share the same panel; they share the same service provider for example. phpMyAdmin is an open-source tool, yet we found no financial contributions from European governments to this software project. This means they are depending on software, yet are not willing or mandated to pay for it; we see this as an unwillingness to invest in their own online security. We urge governments to pay for open source for their own sake.

Two of these panels are present at addresses of Computer Security Incident Response Teams, which is a double offense. It might require some trickery to see these addresses in the browser.

  1. https://codsustenabilitate.gov.ro:443/phpmyadmin/
  2. https://nkc.nukib.gov.cz:8443/phpMyAdmin/

The chart below shows the division of phpMyAdmin panels per country. Again, all www duplicates have been removed.

Number graph of publicly reachable phpMyAdmin installations at EU governmental sites. France leads with 513 instances, Poland with 499, Hungary with 368, Germany with 300, Czechia with 258, Italy with 232, and then there is a sharp drop-off. The source table contains all data.

99% of governmental email is poorly encrypted

Last but not least, the most shocking discovery of our research: the encryption quality of e-mail to European governments is poor. And not just any form of poor: as 99% does not follow up-to-date security practices. Only the Netherlands and Denmark show somewhat promising numbers.

Encryption quality is measured with the latest release of internet.nl. Their 1.11 update, released in April 2026, implements the Dutch governmental guidelines for Transport Layer Security. These guidelines were published in May 2025. In short, they state how encryption should work to prevent eavesdropping or tampering with the e-mail message.

This metric consists of 18 submetrics, but not all count toward the category score. Each of these metrics also comes with technical results, for example which version of encryption is supported. These warrant further investigation, as it is interesting why this security baseline is only partially met by the Netherlands and Denmark.

Internet.nl provides ad-hoc tests to see the current status of a particular domain. This is faster than our cycle to update these metrics.

There are no TLS-standards at the European level yet. Other countries, such as Germany and France, wrote other guidelines which are clearly not compatible. Neither do they have simple testing tools available. Instead they point to less convenient open-source command-line tools intended for professionals.

Percentage graph of sufficient encryption of e-mail at European governments. The Netherlands has 58%, Denmark 44%, Portugal 8%, EU/CSIRT 5%, Sweden 4%, then a bunch of 2%, 1%, and mainly 0%.
Poorly encrypted e-mail at Computer Emergency Response Team organizations throughout Europe. While seven are doing all right, 35 do not. Note that we included the main website of the country as part of the CSIRTs to level the playing field between different CSIRTS in Europe. This means that the Dutch NCSC will also measure “Rijksoverheid.nl” and all subdomains. Map data by OpenStreetMap.

Source Tables

Unique governmental sites with marketing cookies

CountrySites with marketing cookiesPercentage of all domains
SK (Slovakia)89,88%
GR (Greece)838,16%
PT (Portugal)407,63%
MT (Malta)45,19%
FR (France)12203,88%
PL (Poland)6213,61%
IE (Ireland)33,00%
HU (Hungary)2472,78%
BG (Bulgaria)322,47%
HR (Croatia)362,41%
IS (Iceland)92,30%
FI (Finland)402,25%
EE (Estonia)82,23%
CZ (Czechia)2262,21%
LV (Latvia)71,80%
SI (Slovenia)81,63%
ES (Spain)101,52%
CH (Switzerland)761,38%
BE (Belgium)621,10%
RO (Romania)70,99%
LU (Luxembourg)30,96%
AT (Austria)380,74%
EU (European CSIRTS)220,62%
DE (Germany)1360,59%
SE (Sweden)170,59%
NO (Norway)90,58%
LT (Lithuania)20,56%
IT (Italy)750,45%
NL (Netherlands)360,39%
DK (Denmark)10,08%
CY (Cyprus)00,00%
LI (Liechtenstein)00,00%
Grand Total30812,25%

How marketing cookies are divided between vendors

CountryYouTubeGoogle AdsFacebookTikTok
FR684534336
PL50081806
HU2114012 
CZ1354254 
DE9135143
GR69151 
CH531017 
IT57177 
BE341912 
FI218131
PT35161
AT3162 
HR2793 
NL224142
BG2831 
EU211
 
SE1052 
ES732 
IS217 
NO514 
EE4221
SI711 
SK622 
LV611 
RO7   
MT4   
IE3   
LU1 2 
LT 11 
DK1   
Grand Total207784229320

phpMyAdmin panels

CountryDomain
FR513
PL499
HU368
DE300
CZ258
IT232
AT64
BE48
NL27
CH20
BG17
GR14
FI13
HR8
SI7
LT6
LV6
EU5
PT4
RO4
EE2
IS2
SE2
DK1
LU1
SK1
Grand Total2419

Properly encrypted e-mail

CountryPassed testDomains with mailPercentage
NL22038258%
DK449944%
PT212758%
EU183845%
SE122944%
CZ10452522%
CH3820462%
BE105762%
NO63632%
IS1642%
GR33281%
DE102123381%
FR113153391%
HR14270%
AT217760%
PL225960%
HU126580%
BG 3510%
CY 90%
EE 470%
ES 850%
FI 3300%
IE 380%
IT 9330%
LI 110%
LT 600%
LU 960%
LV 490%
MT 610%
RO 1250%
SI 2000%
SK 90%
Grand Total698476011%