The reals:
1. Hosting detection: I'm matching links TO GitHub as hosting ON GitHub. That's wrong. Fix incoming.
2. US-hosted sites getting 100%: My ASN lookup isn't catching everything. I opted against GeoIP services (privacy reasons), but clearly the ASN-only approach has to much gaps.
3. Social links vs embeds: You're right. A link to Twitter isn't a dependency. An embed is. Will differentiate.
4. gov.uk/gov.cn perfect scores: The tool checks infrastructure, not jurisdiction. gov.uk probably serves from EU edge nodes. That said, the name. Also tried to mention this in the Methodology-Modal. But iterating on all legalese and features same time as a single dev did not land well with my sleeping patterns for v0.1. Will fix that too.
"EU sovereignty" is misleading for non-EU countries - point taken. Will think about better framings.
This is more of an attempt at a political stunt. The CCP's website gets a perfect score, admin.ch also gets a perfect score while Switzerland is most-definitely not in the EU.. non-US is more accurate than EU but you only see that when stars start flying.
IMHO: Just scrap the politics and show what regional deps a site has - that'd actually increase value quite a bit.
I have some feedback for OP: my personal website got 92% because there is a link to my X profile in the contact session. It's not like it relies on the service. Its just a contact and there are also links to other services such as self hosted matrix.
On the other hand my registrar is Namecheap which is in the US and your tool didn't checked for that. I think thats a lot more important in terms of dependance than a link to a social network so you could run a whois lookup to check what registrar is hosting that domain.
Good point regarding registrar. Thinking a bit further, there's also the top-level domain: if that's under US control (eg .com), it could still be yanked away from you.
.onion might be exempt but while the TLD "." is anycast worldwide for the actual DNS service, Verisign still signs the cert. Isn't that a show-stopper for dependencies on dns-over-https or https altogether or do .cn, .ru, .ir etc all add/replace with their own independent signatures ?
1. Link to X profile ≠ dependency on X. Will differentiate links from embeds in v0.2.
2. Registrar check is a good thinking. Already have some stubs in the codebase. Namecheap is US and could theoretically be compelled. Adding to roadmap.
While I'd say you're mostly correct, I do disagree some.
There is quite a large issue with sites posting things like current events on social sites like Facebook, or other rapid news events on X. Doing this has the potential to diminish your sovereignty. For example if you tell your users to follow X on the site and you're posting some event that Musk doesn't like, maybe you're posts will disappear.
It's absolutely not something to think about, unless you are in some kind of cult.
This website is also foreign to Europeans, so what are you then doing here contributing with your comments?
It is probably time for Europeans to start dealing with their problems in different ways than having internal "purity purges". It has never worked, and will never work. It makes people weak and easily defeated in every endeavor.
"Hey France, I know all of a sudden Germany is suddenly running around with black white and red flag, but it's completely cool if we have them manage all of our critical infrastructure". --carlosjobim 1937
I'm in the US. I'm watching what's going on here. If you want to talk about any group doing purity purges, they have ICE printed in big letters on their jackets.
Of course feel free to pull an IBM in the 40's and stick with the regime, it evidently has no long term business repercussions.
Yes, yes obviously everybody who doesn't participate eagerly in purity purges are themselves a nazi collaborator, foreign spy, reactionary saboteur on the MI6 payroll, maybe a crypto-jew, a jesuit, a lutheran, etc etc
Sometimes, just sometimes there are evil people out there that you don't want to associate with. Other times, if evil isn't an issue for you, that said evil entity represents a business continuity risk by using their services.
It's up to you to decide those risks, but it seems rather 'anti-free speech' to say that I can't recommend that you think about those risks in the first place. By use of this service you are not purging anyone. You are enlightening your current position and using that information to make next steps.
Linking to the Facebook page of a small business is considered stepping over the line by this so called "sovereignty audit" tool. Sure, we can call that "associating with evil people". I say it's a cultish purity purge - a recipe for failure for those who participate. Because very quickly they start looking for impurities with each other and fragmentize into different sects.
Nice, but for me it is reporting false information.
I use Vercel, Cloudflare for DNS yet it shows 92%.
The only thing it correctly reported was the LinkedIn link.
(There is also a GitHub and Bluesky link, which are US companies / services as well).
I put in my site and it gave me a red cross for "Hosting", on hover it said "GitHub Pages". But my site isn't hosted on GitHub Pages.
Expanding "Details", the URL that is hosted on GitHub Pages is... a different website? There's merely a hyperlink to it on my website.
It also says I'm using "self-hosted" fonts - but I don't think I'm doing that at all? I'm just using the browser's fonts. Using non-standard fonts is a bad idea because it causes the content to either be invisible until the font is loaded, or else it initially shows in a fallback font and then the text all jumps when the font is loaded.
It also says my website is hosted on GitHub pages, although it’s served from a hetzner server.
EDIT: on further inspection: I get both a red cross AND a green check mark for hosting. So it’s somehow indicating both GitHub and hetzner. Maybe it’s because I merely link to GitHub?
Thanks for the Bugs Bunny.
I'm detecting a LINK to GitHub Pages and marking it as hosting. That's wrong - hosting should only flag when the actual page is served from there.
Re fonts: "self-hosted" means fonts served from your domain (vs Google Fonts CDN). If you're using system fonts, that's a detection error on my end.
I find it ironic that in Europe the defacto language for intercommunication is from a country that chose to disassociate itself from the EU. In all, I think it's great that every EU country uses the English language with all their idiosyncrasies and hell be damned about "proper" english.
"Fortunately", that country forced its language onto a number of others who remain in the EU, and one of them conveniently has English as its EU language because another country also speaks its actual primary language.
I actually think that having English as the default language of the EU without England in the EU is kind of elegant, it side-steps the 'natural advantage' problem.
English is the lingua franca (hah!) of the business world, on HN any website posted is supposed to be in English, so effectively you are saying that EU digital sovereignty can not be discussed on HN.
Bunny CDN (https://bunny.net) is great, HQ located in Ljubljana, Slovenia and also have great support which seems most faster and gives better responses than most others out there, but might just been my luck, YMMV.
>but was you or anyone you know affected by a DDoS?
Yes, all the damned time.
Some people must have experienced a completely different internet from the one I've had to run servers on over the years. I've had tiny, local sites for customers randomly get gigabytes of traffic per second for days. No rhyme or reason why. Try to run anything with a forum on it where people have strongly held beliefs, yea eventually you'll get a DDOS. Have a site where some global competitor can influence your sales by slowing traffic on important holidays... you can see where this is going. Heck, I've even worked at ISPs where we had to take particular IPs out of the DHCP pool and null route them because for some reason they were getting traffic blasted for weeks at a time.
While they do sale fear, it's not really an irrational one for those that have worked in the industry.
A lot of people here don't just run trivial hobby sites. They work for companies that actually have a real need for DDOS and WAF protection. Maybe you have no experience with that, but it is extremely common and even required for sites that require compliance certifications like SOC2.
Sorry I pressed downvote and cannot revert my press...
I had to set up CF for a small local business in a very small country that has ecommerce presence targeted mainly at local population. It just gets non-stop ongoing traffic a hosting provider cannot handle.
I get 16% deduction for having text links (no js, no embeds) to twitter and facebook, one each.
Thanks for reminding me to remove these, but "how dependent your website is on Non-EU services." is just 100% wrong here.
edit: ok, I saw someone else also posted that.
edit2: OK, another page where I have a ton of youtube embeds (but all behind some JS to show a static image before you click) gets 94% - that page is actually, 100% useless without youtube.
*GeoIP* - The ASN-only approach was too restrictive (I tested mostly with orf.at and such). Now using oschwald/geoip2-golang with DB-IP Lite. Hybrid detection: ASN for known providers, GeoIP fallback for everything else.
kapsi.fi now correctly shows as EU/Finland (was the false positive many caught). google.com: 54% (US detected), reddit.com: 94% (Canada - has EU adequacy decision). Added all EU adequacy countries (UK, Switzerland, Japan, Canada, etc.) - no penalty, but labeled "Adequate" not "EU". Im not sure on this one. Im sure we'd like to get UK back in the Union so we get to see the Rolling Stones more often.
*Embeds* - A link TO twitter.com is no longer flagged as a dependency. Only actual embeds (script src, iframes) count now. This might also fix the "links to GitHub flagged as GitHub Pages hosting" issue - same root.
*Costs* - Reduced. Google Fonts swap is now €50-150, not €400-800. Costs were too enterprisy, now for small sites like ours :)
Need to feed some cows now.
Will iterate further when back.
PS: Please dont roast the latin. Its been a while.
First: You are legends. Thanks for the massive roasting. Had a Haupt-Mieterversammlung directly after clicking "Submit" and was too tired (and scared) to directly address the issues afterwards. Reading your comments really delivers some intense cringe-moments over here seeing my bugs exposed. I try to frame it as some of the best feedback from some of the best engineers in the world. This helps (it does).
The core stuff: I chose to implement ASN-list lookups instead of a GeoIP service (to have less deps). Worked for my european test cases. Clearly not battle-tested enough for the wild.
What I'm hearing:
- Hosting detection has false positives (detecting links as hosting) and false negatives (US-hosted sites scoring 100%)
- Social media LINKS shouldn't count same as EMBEDS (fair point)
- Missing: registrar, TLD jurisdiction, DNS location
- AWS/Cloudflare detection is spotty
- Migration cost estimates are too high for small sites
- Some UI bugs on Firefox
What we shipped overnight (yes, while this was trending):
- "Hotfix" for our scanning friends over nsa.gov
What we ship from now on:
- Fix the real bugs
reddit.com gets a perfect "no US dependencies" score. I guess they have servers around the world and can serve requests from a local-ish server.
Obviously this simple check only concerns the technical aspects of the website and doesn't analyse the business itself but I wonder if all .com domains should be marked down?
Is there any evidence that the US executive branches and three letter agencies care about the physical location of the data center? Never mind the dependency on AWS, which is a US company
I doubt datacenter location matters for anything beyond latency
The US CLOUD Act explicitly asserts jurisdiction over data controlled by US companies regardless of the physical server location. So relying on AWS Frankfurt doesn't actually protect the data from US warrants if the provider is a US entity.
Apparently the Mastodon server sitting in my Texas laundry room is 100% independent from the US! I guess my laundry room must've seceded from the US...
If I may, and not trying to be annoying, on my screen the navigation bar (.navigation-wrapper) covers 90% of the top left buttons (aria-label=breadcrumbs).
Happens with both Chrome and Firefox, macOS, 15" macbook pro.
take my website for example mrtno.com - it's hosted in europe, ok. but under what legislation the domain register is based? and where is the dns server?
those a crucial information. and they are missing.
I really wish this existed so that HN could go back to being a tech community of nerds and builders. Somehow HN has become overrun with more and more urban monoculture euro-fetishists and actual Europeans in the last few years. I haven't seen a headline mentioning Rust or Lisp in days! That's how you know things have really gone downhill.
European HN could focus on its favorite topics of privacy paranoia, "what regulation can we make next?" and tech safetyism, while maybe real HN could go back to Bay Area tech esotericism and fun historical anecdotes.
It has nsa.gov on the leaderboard as having no US dependencies.
It wrongly says one of my sites is using Cloudflare.
It says that one of my sites that is hosted in the US (no CDN, US IP address) has no US dependencies.
it treats social media links the same way was embeds.
it gives gov.uk a perfect score. Maybe by design because it is hosted in Europe, but if so it should not say its EU sovereignty.
I do not think that is the case because it also gives a perfect score to https://english.www.gov.cn/
I do not know how it got to the HN front page - people presumably vote it up without checking it actually works.
Its just not anywhere near accurate.
The nsa.gov thing: :)
The reals: 1. Hosting detection: I'm matching links TO GitHub as hosting ON GitHub. That's wrong. Fix incoming.
2. US-hosted sites getting 100%: My ASN lookup isn't catching everything. I opted against GeoIP services (privacy reasons), but clearly the ASN-only approach has to much gaps.
3. Social links vs embeds: You're right. A link to Twitter isn't a dependency. An embed is. Will differentiate.
4. gov.uk/gov.cn perfect scores: The tool checks infrastructure, not jurisdiction. gov.uk probably serves from EU edge nodes. That said, the name. Also tried to mention this in the Methodology-Modal. But iterating on all legalese and features same time as a single dev did not land well with my sleeping patterns for v0.1. Will fix that too.
"EU sovereignty" is misleading for non-EU countries - point taken. Will think about better framings.
I have two under my full control, one scored a 92, the other one scored a zero. They're both hosted the exact same way.
IMHO: Just scrap the politics and show what regional deps a site has - that'd actually increase value quite a bit.
On the other hand my registrar is Namecheap which is in the US and your tool didn't checked for that. I think thats a lot more important in terms of dependance than a link to a social network so you could run a whois lookup to check what registrar is hosting that domain.
2. Registrar check is a good thinking. Already have some stubs in the codebase. Namecheap is US and could theoretically be compelled. Adding to roadmap.
Thanks!
There is quite a large issue with sites posting things like current events on social sites like Facebook, or other rapid news events on X. Doing this has the potential to diminish your sovereignty. For example if you tell your users to follow X on the site and you're posting some event that Musk doesn't like, maybe you're posts will disappear.
Is something to think about.
This website is also foreign to Europeans, so what are you then doing here contributing with your comments?
It is probably time for Europeans to start dealing with their problems in different ways than having internal "purity purges". It has never worked, and will never work. It makes people weak and easily defeated in every endeavor.
"Hey France, I know all of a sudden Germany is suddenly running around with black white and red flag, but it's completely cool if we have them manage all of our critical infrastructure". --carlosjobim 1937
I'm in the US. I'm watching what's going on here. If you want to talk about any group doing purity purges, they have ICE printed in big letters on their jackets.
Of course feel free to pull an IBM in the 40's and stick with the regime, it evidently has no long term business repercussions.
It's up to you to decide those risks, but it seems rather 'anti-free speech' to say that I can't recommend that you think about those risks in the first place. By use of this service you are not purging anyone. You are enlightening your current position and using that information to make next steps.
Is this a parody?
Expanding "Details", the URL that is hosted on GitHub Pages is... a different website? There's merely a hyperlink to it on my website.
It also says I'm using "self-hosted" fonts - but I don't think I'm doing that at all? I'm just using the browser's fonts. Using non-standard fonts is a bad idea because it causes the content to either be invisible until the font is loaded, or else it initially shows in a fallback font and then the text all jumps when the font is loaded.
EDIT: on further inspection: I get both a red cross AND a green check mark for hosting. So it’s somehow indicating both GitHub and hetzner. Maybe it’s because I merely link to GitHub?
Re fonts: "self-hosted" means fonts served from your domain (vs Google Fonts CDN). If you're using system fonts, that's a detection error on my end.
Both going in on the fix list. Thanks.
So the tool's a good idea, but currently very inaccurate.
Yes, all the damned time.
Some people must have experienced a completely different internet from the one I've had to run servers on over the years. I've had tiny, local sites for customers randomly get gigabytes of traffic per second for days. No rhyme or reason why. Try to run anything with a forum on it where people have strongly held beliefs, yea eventually you'll get a DDOS. Have a site where some global competitor can influence your sales by slowing traffic on important holidays... you can see where this is going. Heck, I've even worked at ISPs where we had to take particular IPs out of the DHCP pool and null route them because for some reason they were getting traffic blasted for weeks at a time.
While they do sale fear, it's not really an irrational one for those that have worked in the industry.
A lot of people here don't just run trivial hobby sites. They work for companies that actually have a real need for DDOS and WAF protection. Maybe you have no experience with that, but it is extremely common and even required for sites that require compliance certifications like SOC2.
The main advantage Cloudflare has is that it is free and a big brand.
I had to set up CF for a small local business in a very small country that has ecommerce presence targeted mainly at local population. It just gets non-stop ongoing traffic a hosting provider cannot handle.
Next to the timestamp of the comment there is an "undown" link that reverts the vote. Or an "unvote" link if you upvoted
Thanks for reminding me to remove these, but "how dependent your website is on Non-EU services." is just 100% wrong here.
edit: ok, I saw someone else also posted that.
edit2: OK, another page where I have a ton of youtube embeds (but all behind some JS to show a static image before you click) gets 94% - that page is actually, 100% useless without youtube.
Fixed: 1. GeoIP fallback 2. Links vs embeds 3. Migration costs
*GeoIP* - The ASN-only approach was too restrictive (I tested mostly with orf.at and such). Now using oschwald/geoip2-golang with DB-IP Lite. Hybrid detection: ASN for known providers, GeoIP fallback for everything else.
kapsi.fi now correctly shows as EU/Finland (was the false positive many caught). google.com: 54% (US detected), reddit.com: 94% (Canada - has EU adequacy decision). Added all EU adequacy countries (UK, Switzerland, Japan, Canada, etc.) - no penalty, but labeled "Adequate" not "EU". Im not sure on this one. Im sure we'd like to get UK back in the Union so we get to see the Rolling Stones more often.
*Embeds* - A link TO twitter.com is no longer flagged as a dependency. Only actual embeds (script src, iframes) count now. This might also fix the "links to GitHub flagged as GitHub Pages hosting" issue - same root.
*Costs* - Reduced. Google Fonts swap is now €50-150, not €400-800. Costs were too enterprisy, now for small sites like ours :)
Need to feed some cows now. Will iterate further when back. PS: Please dont roast the latin. Its been a while.
EDIT: Remove Api for now.
First: You are legends. Thanks for the massive roasting. Had a Haupt-Mieterversammlung directly after clicking "Submit" and was too tired (and scared) to directly address the issues afterwards. Reading your comments really delivers some intense cringe-moments over here seeing my bugs exposed. I try to frame it as some of the best feedback from some of the best engineers in the world. This helps (it does).
The core stuff: I chose to implement ASN-list lookups instead of a GeoIP service (to have less deps). Worked for my european test cases. Clearly not battle-tested enough for the wild.
What I'm hearing: - Hosting detection has false positives (detecting links as hosting) and false negatives (US-hosted sites scoring 100%) - Social media LINKS shouldn't count same as EMBEDS (fair point) - Missing: registrar, TLD jurisdiction, DNS location - AWS/Cloudflare detection is spotty - Migration cost estimates are too high for small sites - Some UI bugs on Firefox
What we shipped overnight (yes, while this was trending): - "Hotfix" for our scanning friends over nsa.gov What we ship from now on: - Fix the real bugs
v0.2 roadmap based on your feedback:
1. Hybrid GeoIP + ASN detection 2. Differentiate links vs embeds 3. Add registrar/TLD/DNS checks 4. Fix AWS/CloudFront/Cloudflare detection 5. Smarter migration cost estimates 6. UI fixes
Building in public. This is day 1.
To everyone who tested edge cases: you part of this tool soon :) To whover tested nsa.gov at 2am CET: I noticed.
I am not sure how much i will get done by today – maybe i will need to touch grass later a bit (or feeding the cows as we do it over here in austria)
interesting: it may not be a mistake
can somebody explain?
Obviously this simple check only concerns the technical aspects of the website and doesn't analyse the business itself but I wonder if all .com domains should be marked down?
I'm sure you can define "EU sovereignty" in a way that's consistent with that, but that's not very useful.
I doubt datacenter location matters for anything beyond latency
The UI has a few errors on desktop, I cannot see all the issues. The leaderboard... doesn't work ? and the topbar hides some elements
browser: firefox
Mastodon is pretty cool and proof that we can make federation work.
If I may, and not trying to be annoying, on my screen the navigation bar (.navigation-wrapper) covers 90% of the top left buttons (aria-label=breadcrumbs).
Happens with both Chrome and Firefox, macOS, 15" macbook pro.
take my website for example mrtno.com - it's hosted in europe, ok. but under what legislation the domain register is based? and where is the dns server?
those a crucial information. and they are missing.
European HN could focus on its favorite topics of privacy paranoia, "what regulation can we make next?" and tech safetyism, while maybe real HN could go back to Bay Area tech esotericism and fun historical anecdotes.
It remaining alive on the frontpage here only serves to underline how politically irrational the userbase of HN has gotten.
my blog which is hosted on namecheap.com, server whois is Los Angeles, got 100%
I guess this is another vibe coding AI slop service which doesn't even render its own top buttons properly (they're covered by some white div).
Have mercy, web devs!