Russian state sites: unauthorized entry allowed



In 2015, we asked ourselves: how are the websites of government authorities doing when it comes to loading resources from third-party sources? And with that, XSS, leakage of visitor data, and all the rest... It turned out that the situation was very good: 92% of state sites had not even thought about it and loaded everything indiscriminately: counters, fonts, JavaScript libraries, widgets, informers, advertising... about the only thing missing was cryptominers (but that is not certain).



Our analysts found 9 different types of counters and analytics systems alone, and some sites were clearly collecting them. For example, the website of the Federal Customs Service had amassed 7 counters in its collection, including SpyLog, which by then had been dead for five years. Its "successor", the Openstat counter, was also installed by the customs officers (we need more counters!).



The Rosregistration website, meanwhile, was fond of advertising and loaded the code of the Google and Yandex ad networks, the "effective content recommendation system" Lentainform, which in turn loaded the code of the MarketGuide and Tovarro ad networks, and other similar rubbish.



In general, there was plenty of juicy material, but little to be cheerful about. Along the way, we got into an indirect dispute with Roskomnadzor, which a little earlier had found Google Analytics on 22% of state sites, whereas we found it on 40%.



Based on the results, we compiled the first "XSS Security Index of State Sites", published the report "Russian State Sites: A Secret Open to the Whole World", and sent it to the media and to the administrators of federal state sites. Journalists, as usual, made some noise, and then silence and peace reigned again in Moominvalley... or did they? We decided to check how things stand today, 5 years later.



In short, the results of the new monitoring are as follows: in 5 years, the number of state sites that load no extraneous resources has grown from 7 (8%) to 8 (10%). The number of sources from which external resources are loaded has also slightly decreased, from 55 to 52, and the number of persons controlling these sources from 40 to 37. But over the same period the number of government bodies, and accordingly their sites, fell from 85 to 82. Thus the lion's share of the reduction in "unauthorized" loads is due to the government's successes in administrative reform, not to the efforts of state site administrators.



From the new batch of juicy material: the sites of the Ministry of Industry and Trade and of Rosarkhiv, which have 7 and 6 different counters and analytics systems installed at once, respectively. Someone should tell them that the ratings come out highest when measured in parrots. While we are at it, we should inform the administrators of the websites of Rosarkhiv and the Main Directorate of Special Programs of the President that the OpenStat counter has not worked for two years. State sites have no luck with that counter...



A new problem is the "Accessible Internet" project, which looked smooth on paper until someone forgot about the ravines. For example, we open the "free" website of the Ministry of Defense, and our mobile operator counts the corresponding traffic as paid. We object: how so, Putin signed the law, you are obliged not to charge for it! And the reply: the Ministry of Defense website is free, but nothing was said about all the rubbish it pulls in from other sites, so pay up! In general, there is a problem, but it is not a problem for the administrators of state sites, not a problem for telecom operators, not a problem for the Ministry of Telecom and Mass Communications, which cooked up this wonderful project, but a problem for users.



At the same time, we decided to look at foreign experience, which it is customary to point to as the leading edge. But no such luck! We looked at a couple of dozen websites of foreign ministries of defense and found much the same picture: Google Analytics everywhere plus local counters. The Ministry of Defense of China, of course, did not disappoint: the Chinese cyber border is locked tight, Germany and France are not far behind, and the rest of those studied, from Belarus to Japan, pour their visitors' data into the Beaver Corporation (Google).



In general, nothing has really changed in five years. Content Security Policy? No, never heard of it. Subresource Integrity? Come on, how could you do that on a state site! So we load resources from a foreign CDN and send visitor data to the country of the traditional "potential adversary", as if that were something bad...
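The kind of check the monitoring described above amounts to, as an added example (not the authors' own tooling): a small Python audit that lists the cross-origin hosts a page pulls resources from, flags scripts and stylesheets that carry no Subresource Integrity attribute, and notes whether a Content-Security-Policy meta tag is present. The page URL and the embedded markup are constructed sample values, not any real state site.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Tag -> attribute that triggers a sub-resource fetch.
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

class ThirdPartyAudit(HTMLParser):
    """Collects cross-origin resource loads and whether each carries SRI."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []          # one dict per cross-origin load
        self.has_csp_meta = False   # <meta http-equiv="Content-Security-Policy">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lowercases tag/attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.has_csp_meta = True
            return
        attr = FETCH_ATTRS.get(tag)
        if not attr or not a.get(attr):
            return
        url = urljoin(self.page_url, a[attr])   # resolves //cdn and relative URLs
        host = urlsplit(url).hostname
        if host is None or host == self.page_host:
            return                  # same-origin load: not a third-party source
        # SRI (integrity=...) is only honoured on script and link elements
        self.findings.append({"tag": tag, "host": host, "url": url,
                              "sri": tag in ("script", "link") and "integrity" in a})

def audit(html, page_url):
    """Report third-party hosts, script/style loads lacking SRI, and CSP meta presence."""
    p = ThirdPartyAudit(page_url)
    p.feed(html)
    no_sri = [f["url"] for f in p.findings
              if f["tag"] in ("script", "link") and not f["sri"]]
    return {"third_party_hosts": sorted({f["host"] for f in p.findings}),
            "without_sri": no_sri, "csp_meta": p.has_csp_meta, "loads": len(p.findings)}

# Constructed sample markup in the spirit of the sites described above (not a real site).
SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//cdn.example.net/lib.min.js"></script>
<link rel="stylesheet" href="https://fonts.example.com/css?family=Roboto"
      integrity="sha384-PLACEHOLDER" crossorigin="anonymous">
<img src="https://counter.example.org/hit.gif" width="1" height="1">
</head><body></body></html>"""
```

Running `audit(SAMPLE, "https://ministry.example.gov.ru/")` reports four third-party hosts and two script loads without SRI; a CSP delivered as an HTTP response header is not visible in the markup, so check the response headers separately.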


