Of almost 500 websites of public bodies in Spain that have been analyzed, only 5 have been found to be truly secure according to the Mozilla Observatory criteria, as reported by Rubén Martín (Nukeador on Twitter), one of the initiators of the project called Observatory of Web Security by Pucelabits.
This project has revealed that among the websites that do not respect security protocols are some that handle information as sensitive as that of the INEM, the Senate, the Treasury, the National Mint and Stamp Factory, the Ministry of Defense or the CESID.
😍 Very proud of the work that has been carried out with the help of all
😱 I'm terrified of the bad grades panorama
📢 Let's keep adding public websites and make noise to the institutions to demand more security! https://t.co/wumZIzsauH
- Nukeador (@nukeador) February 5, 2021
Those that do meet the privacy requirements according to the ranking are: the Moncloa website, the University of Murcia, Madrid City Council and the Libraries of Madrid, the University of Alicante, and the National Institute of Cybersecurity (INCIBE).
A collaborative project from Valladolid to the rest of Spain
This idea emerged at the end of 2020 from Adrián de la Rosa, Guido Garcia and Rubén Martín, who were part of a free culture and privacy group in Valladolid. After checking that various public websites in their province did not have the security features needed to protect citizens' private information, and after contacting those responsible for these organizations without receiving a response, they decided to launch a call for anyone willing to check whether this happened often throughout Spain to join.
Now there are more than 20 people throughout the country who have written in and become part of the idea. In fact, while last Tuesday, February 9, Martín said that since the beginning of the year 362 websites of public bodies had been analyzed (of which only 3 had been found to be secure according to the criteria), a day later almost 100 more had been analyzed, thanks to the fact that many more people learned about the initiative precisely that day.
Although the three creators of this project have a web development background, they claim that you do not need to be an expert in anything to be able to do basic security checks using an existing service, the aforementioned Mozilla Observatory. This tool analyzes various aspects of a website to see whether the HTTPS that accompanies the URL of most websites really corresponds to a secure implementation.
It is not private information; people simply do not know that most websites are not secure
“The information we provide is not a first. It is public. Mozilla Observatory has been around for years. The data it reveals is not something obscure or hidden. But the objective we pursue is to give visibility to this problem so that all citizens can understand it,” explains Rubén Martín. He also reminds us that citizens are obliged on many occasions, and for various procedures, to use the pages of public institutions and that, if these do not protect the data well, it will be easy for an attacker to access this private and often sensitive information.
At the same time, he goes on to explain, "the times we have privately contacted these institutions, they have never listened to us". For this reason, the initiative includes the option of sharing the information on Twitter as a complaint. The promoters of PucelaBits consider that "we believe, and it has been demonstrated, that it is when there is enough noise that a problem gets remedied".
The Mozilla Observatory criteria for saying whether a website is secure or not
The main doubt about these analyses is: if the websites already have HTTPS in the URL, what do they lack to be secure? Pucelabits explain that when we connect to a web page, our data travels back and forth between our device and the web page's server via cables and intermediate servers. If the web address includes HTTPS, this means that this data travels encrypted, but not all HTTPS websites have a secure implementation.
With all this, it must be said that using HTTPS is not enough to guarantee the total security of our connections; according to the Valladolid initiative, the page must also implement certain measures to ensure that connections to its website are always carried out using this protocol.
According to the details Mozilla Observatory gives when a user enters a URL for analysis, there are several parameters to take into account. For example, it checks that cookies carry the "Secure" flag; that the site includes a Content Security Policy (CSP); and that the site does not redirect the user to third-party pages without HTTPS, among other matters.
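How such checks look in practice, as an added example that is not the Observatory's own code: a simplified checker that inspects one HTTP response (status code and headers) against the criteria just listed, assuming HSTS as the "always HTTPS" measure mentioned above and using constructed, not real, header sets.

```python
"""Simplified checker for the Observatory-style criteria named in the article:
Secure cookies, a Content Security Policy, redirects that stay on HTTPS, and
HSTS (assumed here to be the mechanism that keeps connections on HTTPS).
Added example, not Mozilla Observatory code; runs offline on constructed data."""
from __future__ import annotations
from urllib.parse import urlparse


def _cookie_is_secure(set_cookie: str) -> bool:
    # Attributes follow the name=value pair, separated by ';' (RFC 6265).
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attrs


def _hsts_max_age(value: str) -> int:
    # e.g. "max-age=31536000; includeSubDomains" -> 31536000; missing -> 0
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def check_response(status: int, headers: list[tuple[str, str]]) -> dict[str, bool]:
    """Return a pass/fail verdict per criterion for one response received over HTTPS."""
    lower = [(name.lower(), value) for name, value in headers]

    def values(name: str) -> list[str]:
        return [v for k, v in lower if k == name]  # headers may repeat (Set-Cookie)

    # Every cookie the site sets must carry Secure so browsers never send it over
    # plain HTTP; a response that sets no cookies passes this check.
    cookies_ok = all(_cookie_is_secure(c) for c in values("set-cookie"))
    # A Content Security Policy must be present and non-empty.
    csp_ok = any(v.strip() for v in values("content-security-policy"))
    # A redirect must not send the visitor to a page without HTTPS; a relative
    # Location (no scheme) stays on the current HTTPS origin and is accepted.
    redirect_ok = not (300 <= status < 400) or all(
        urlparse(loc).scheme in ("https", "") for loc in values("location"))
    # HSTS with a positive max-age keeps future connections on HTTPS.
    hsts_ok = any(_hsts_max_age(v) > 0 for v in values("strict-transport-security"))
    return {"secure_cookies": cookies_ok, "csp": csp_ok,
            "https_redirect": redirect_ok, "hsts": hsts_ok}


def is_secure(status: int, headers: list[tuple[str, str]]) -> bool:
    return all(check_response(status, headers).values())


# Constructed sample responses (not from any real site): one weak, one hardened.
WEAK = (302, [("Location", "http://example.invalid/login"),
              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARDENED = (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                  ("Content-Security-Policy", "default-src 'self'"),
                  ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, (status, hdrs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_response(status, hdrs))
```

The weak response fails all four checks, the hardened one passes them all; a real scan would obtain the status and headers from a live HTTPS request instead of the constructed tuples.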