Regional authorities' websites: still sadder than federals

So we have released a consolidated report on the results of monitoring the websites of the highest authorities in the regions: "Reliability of the websites of state authorities of the constituent entities of the Russian Federation - 2020". The sites were evaluated from three angles: a) whether they can be considered official from the point of view of the law, b) whether they provide a reliable HTTPS connection, and c) what they load and from where, i.e. how potentially vulnerable they are to XSS and how generously they leak visitor data to third parties.



Judging by the results of the study of the federal authorities' websites, one could guess that things would be no better at the regional level, but even we did not know exactly how, and to what extent.



As for the official status of the sites: among the feds, 2 out of 82 investigated authority sites were unofficial. Initially we also counted the site of the Russian Guard, which is administered by its subordinate information technology center, as unofficial, but they defended their position: the center is a military unit, i.e. part of the Russian Guard itself, so there is no violation of the law here, only our inattention (the TLS certificate on their website, though, has beyond any doubt been expired for the second month now).



So we checked the regional sites using the refined methodology, which includes a lookup in the Unified State Register of Legal Entities, and found that out of 184 sites called official, 27 (15%) are not: the corresponding domain names are administered by subordinate government institutions, commercial and non-commercial organizations, and even individuals, although the law clearly states that only state bodies (read: authorities) may do this. The Northwestern and Siberian Federal Districts, where more than 30% of the highest authorities do not have official sites, especially distinguished themselves.



With bated breath, we queried the Unified State Register of Legal Entities by the TIN of the administrator of the website of the Parliament of the Chechen Republic, which is listed in the registrar's database as "Parliament of the Chechen Republic LLC". I apologize in advance, of course, Ramzan Akhmatovich, but parliaments in Russia have a different organizational and legal form, and the Federal Tax Service thinks the same way (let them apologize themselves). In the end there was no sensation: the administrator is the "Apparatus of the Parliament of the Chechen Republic", and whoever made such an entry in the domain register can apologize for the "LLC".



Here an attentive reader may interrupt me with a question: why were 184 sites studied when there are 85 subjects of the federation? I answer: we studied the websites of regional governments, parliaments and governors, where they exist (a website, that is, not a governor). But if you think the number of governors' sites is easily calculated by the formula 184 - 85 - 85 (= 14), you are mistaken; everything is much more complicated. For example, the Moscow Government does not have its own website, only the website of the Moscow Mayor, where the government has its own corner. Meanwhile, the authorities of some other subjects have two websites at once, both of which are called official.



For example, the Government of the Republic of Tuva has two websites at once, both named official (gov.tuva.ru and rtyva.ru), and neither is official from the point of view of the law, because the first domain name is administered by Tyvasvyazinform JSC and the second by an anonymous individual. The Government of the Kostroma Region also has two websites (adm44.ru and kostroma.gov.ru), both official, but with different content.



In the comments to one of the previous publications I was reproached for nitpicking over this formality. No, guys, we simply demand strict observance of the law, especially since in this case it is logical and easy to comply with: only an authority can be the administrator of the domain name of that authority's website. Not a subordinate state institution, not an LLC, not some citizen Pupkin, but only a government authority, period.



With HTTPS support at the regional level, everything is roughly the same as at the federal level: most declare support, but only a quarter actually provide something resembling proper connection protection; of the rest, some forgot to renew the certificate in time, and some have not updated the software on their web server for years, so it shines on the Internet with holes and vulnerabilities nearly ten years old.
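The two failure modes named above, an expired certificate and a server stuck on legacy protocol versions, are exactly what a monitoring pass has to detect. The script below is an added example (not the report's own tooling) that uses only the Python standard library; the thresholds are my assumptions (TLS 1.2 as the acceptable floor, a 30-day expiry warning, ciphers under 128 bits flagged), and the sample certificate data and host name `www.region.example` are constructed.

```python
"""Assess one HTTPS endpoint for the problems the monitoring describes.

Added example, not the report's tooling. Thresholds are assumptions.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Protocol names as returned by SSLSocket.version() that a site claiming
# a reliable HTTPS connection should not negotiate (assumption: TLS 1.2 floor).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed peer data, not taken from any real site: expired certificate.
SAMPLE_CERT = {"subject": ((("commonName", "www.region.example"),),),
               "notAfter": "Jun 10 12:00:00 2020 GMT"}
SAMPLE_NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)


def assess_tls(cert, protocol, cipher, now, warn_days=30):
    """Return a list of human-readable findings for one peer.

    cert     -- dict shaped like ssl.SSLSocket.getpeercert() (needs "notAfter")
    protocol -- string like SSLSocket.version(), e.g. "TLSv1.2"
    cipher   -- tuple like SSLSocket.cipher(): (name, protocol, secret_bits)
    now      -- timezone-aware datetime used as the current time
    """
    findings = []
    # notAfter uses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" layout.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after < now:
        findings.append("certificate expired on %s" % not_after.date())
    elif not_after - now < timedelta(days=warn_days):
        findings.append("certificate expires within %d days" % warn_days)
    if protocol in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % protocol)
    name, _, bits = cipher
    if bits is not None and bits < 128:
        findings.append("weak cipher: %s (%d bits)" % (name, bits))
    return findings


def check_host(host, port=443, timeout=5.0):
    """Connect to a live host and assess it (needs network access).

    With the default context, a broken certificate (expired, wrong name,
    untrusted CA) or a server that only speaks legacy protocols fails the
    handshake; that failure is itself the finding, so it is reported rather
    than worked around by disabling verification.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_tls(tls.getpeercert(), tls.version(),
                                  tls.cipher(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return ["certificate verification failed: %s" % exc.verify_message]
    except ssl.SSLError as exc:
        return ["TLS handshake failed: %s" % exc]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: expired cert, TLS 1.0.
    for line in assess_tls(SAMPLE_CERT, "TLSv1",
                           ("AES128-SHA", "TLSv1.0", 128), SAMPLE_NOW):
        print("-", line)
```

`check_host("www.region.example")` is the live form; `assess_tls` is kept separate so the classification can be tested against recorded handshake data without a network.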



Another interesting thing: probably everyone has at least heard of "Electronic Moscow", "Electronic Buryatia", "Electronic Tatarstan" and other electronic programs for absorbing the budgets allocated to the informatization of public administration. And do you know who ended up with the best HTTPS support on their official website? The governments of the Ulyanovsk and Moscow regions and the parliaments of the Vladimir region and the Yamalo-Nenets Autonomous Okrug.



I haven't even heard of "Electronic Yamalo-Nenets Autonomous Okrug"; maybe no such program exists, but at least one competent administrator was found in the Yamalo-Nenets Autonomous Okrug (fifth largest by area among the subjects of the Federation, with a population like that of one district of Moscow). In e-Buryatia, either the population is even smaller (Rosstat objects) or there was not enough money for a proper administrator, but the servers of both authorities, legislative and executive, greet inquisitive researchers with a bouquet of CVE-2014-0160, CVE-2014-0224, CVE-2016-2107, CVE-2019-1559 and so on with all the stops.



Interesting: when trying to check the website of the Administration of the Nenets Autonomous Okrug, we ran into IP blocking of a number of research tools. The administrator had enough zeal, knowledge and desire for that, but not enough to close CVE-2012-4929 (for those who don't know, the first number is the year the vulnerability was described: 8 years ago, Karl!) and the other holes; the desire ran out, and maybe the knowledge too.



The leader in maintaining secure connections is the Southern Federal District, where 53% of the sites studied provide a reasonably reliable HTTPS connection. It is followed by the Central and Ural districts (47% and 40%, respectively). The laggards are the Volga and North Caucasian districts, where only 13% of the sites of the highest authorities have no significant problems with maintaining a secure connection.



As for XSS, i.e. the junk that the sites themselves load from third-party sources, here, just as with the feds, there is a whole zoo: JS libraries, fonts, counters, banners and so on with all the stops, but there are also interesting nuances.



For example, among the feds Google Analytics is 4th in popularity, among the regions only 7th, and even in absolute terms it is found less often than with the feds. But while the GA counter itself is on only 9% of regional sites, Google code of one kind or another is on 63%, so they still successfully collect visitor data. And in third place among the counters on regional sites, Bitrix unexpectedly appeared: supposedly a CMS, yet with a bit of statistics collection on the side.
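The figures above (the share of sites carrying a given counter, "Google code in general" versus the GA counter itself) come from inventorying every external resource a page pulls in. The script below is an added example, not the report's own tooling, of how such an inventory is built offline with the standard library: it resolves `script`, `img`, `iframe` and `link` targets against the page URL, drops first-party hosts, and tags hosts that match an assumed table of well-known counters. The counter hostname fragments, the page URL `https://adm.region.example/` and the sample HTML are my assumptions, constructed for the example; they are not from the report.

```python
"""Inventory the third-party hosts a page loads resources from.

Added example, not the report's tooling. Hostname table is an assumption.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hostname fragments of well-known counters (not from the report).
KNOWN_COUNTERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "mc.yandex.ru": "Yandex.Metrica",
    "bitrix.info": "Bitrix",
    "openstat": "OpenStat",
}

# Tag/attribute pairs that make the browser fetch a remote resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Constructed sample page; the URLs are placeholders, not real counters' paths.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
<script src="//mc.yandex.ru/metrika/tag.js"></script>
<script src="https://bitrix.info/ba.js"></script>
</head><body>
<img src="/images/logo.png" alt="">
<img src="https://cnt.openstat.net/counter.gif" alt="">
<iframe src="https://www.youtube.com/embed/placeholder"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource-loading start tag."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if not url:
            return
        # <link rel="canonical"/"alternate"> is metadata, not a fetch.
        if tag == "link" and (attrs.get("rel") or "").lower() in {"canonical", "alternate"}:
            return
        # Relative and protocol-relative ("//host/...") URLs resolve against the page.
        self.resources.append((tag, urljoin(self.base_url, url)))


def inventory(html, page_url):
    """Return {host: {"tags": set of tag names, "counter": name or None}}
    for every host other than the page's own."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    report = defaultdict(lambda: {"tags": set(), "counter": None})
    for tag, url in parser.resources:
        host = urlsplit(url).hostname
        if not host or host == own_host:
            continue  # first-party resource, not a third-party leak
        entry = report[host]
        entry["tags"].add(tag)
        for fragment, name in KNOWN_COUNTERS.items():
            if fragment in host:
                entry["counter"] = name
    return dict(report)


def counters_found(report):
    """Sorted names of recognised counters present in an inventory."""
    return sorted({e["counter"] for e in report.values() if e["counter"]})


if __name__ == "__main__":
    result = inventory(SAMPLE_HTML, "https://adm.region.example/")
    for host, entry in sorted(result.items()):
        label = entry["counter"] or "-"
        print("%-28s %-22s %s" % (host, label, ",".join(sorted(entry["tags"]))))
    print("counters:", ", ".join(counters_found(result)))
```

Every host in the output is a party that receives the visitor's IP address and referrer on each page view, and every `script` entry is a party whose compromise would inject code into the authority's page, which is why the report treats the inventory as both a privacy and an XSS measure. Across many sites, counting how often each host appears gives the per-counter shares quoted above.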



The record holder for love of analytics was the Government of the Altai Territory, whose site is "decorated" with 6 counters at once, but its success pales somewhat next to the sites of the Administration of the Kostroma Region and the parliaments of the Kaliningrad Region, the Udmurt Republic and Moscow, which are "decorated" with the code of the OpenStat counter, a service that has shown no signs of life for two years. This, of course, is not conjuring up electronic passes, it is just HTML, but DIT has paws... grabbing ones.



To sum up: as with the monitoring of federal sites, we sent separate reports to the subjects and to their protagonists. The feds were not specifically re-monitored after that, but the progress is visible to the naked eye: some patched the holes on the server, some turned on HTTPS, some renewed the TLS certificate, and some did not lift a finger, but the reaction is noticeable.



The regionals were re-checked a little, and so far the only noticeable reaction was that the Government of the Tula Region transferred the domain of its website from a subordinate state institution to the regional Ministry of Communications. Well, that is why we monitored: to point out errors and suggest how to fix them. The sad part is that the rest, it seems, do not care: so what if we are breaking the law on access to state information, so what if the site is full of holes, so what if anything at all is loaded onto it, including from the "potential adversary", big deal...



In general, until an obscene picture or blasphemy against the sovereign emperor appears on the main page of his site, the governor will not cross himself with his party card. In a year we will check whether this is so: we plan to conduct the monitoring annually.


