Recently in websites Category

Common mistakes of authentication on the Web


Today many people use many online services. Each service wants to identify the user, so it needs to check that a human is using it, and which human. But these checks aren't always correct.

Many real-world security systems are designed to be seen by the humans who pay for them. This criterion favours solutions that are visibly difficult for humans over solutions that are actually difficult for bots, since a human can recognise the former far more easily. A nice example of this is a CAPTCHA. It is clearly a problem for humans; I usually need three tries to correctly read the text of a CAPTCHA.

For bots, CAPTCHAs are not always difficult. Some are designed to be hard for humans to read, since that is easily mistaken for ‘secure’, while remaining easy for bots to read. The reCAPTCHA site lists several examples of such snake-oil CAPTCHAs; I have seen one of them on the site of one of the best-known technical universities in Poland. It wasted human time, though not very much: sometimes the challenge was the same as the previous one. Clearly, this wasn’t useful.

A CAPTCHA may have been necessary on that site, since it generated easy-to-guess usernames and passwords. Everywhere else I use long passphrases or the output of head -c6 /dev/random | base64, which produces clearly better passwords than the five lowercase letters generated by the technical university (6 random bytes carry 48 bits of entropy; five lowercase letters carry about 23.5). Of course, even a five-lowercase-letter password is more secure than a five-lowercase-letter password sent in an unencrypted email. It is best when the user may choose any username and password, as many other universities allow.
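The generator the post recommends, head -c6 /dev/random | base64, reproduced in Python next to the weak five-lowercase-letter scheme, with the entropy of each in bits. This is an added example, not code from the original post; the guessing rate used for the time comparison is a constructed figure, not a measurement.

```python
# Added example, not from the original post: the post's password generator
# (`head -c6 /dev/random | base64`) in Python, beside the five-lowercase-letter
# scheme it criticises, with the entropy of each scheme in bits.
import base64
import math
import secrets
import string


def random_password(nbytes: int = 6) -> str:
    """Base64 of `nbytes` bytes from the OS CSPRNG (the shell equivalent is
    `head -cN /dev/urandom | base64`).  The '=' padding is dropped: it is a
    fixed function of the length and carries no entropy.  6 bytes -> 8 chars,
    12 bytes -> 16 chars, the sizes the post uses."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def random_lowercase(length: int = 5) -> str:
    """The weak scheme: `length` random lowercase letters.  Even when generated
    from a CSPRNG it has only length * log2(26) bits."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who tries every candidate."""
    return 2 ** bits / guesses_per_second


def compare_schemes(nbytes: int = 6, lowercase_len: int = 5,
                    guesses_per_second: float = 1e9) -> dict:
    """Entropy and brute-force time of the two schemes side by side.
    `guesses_per_second` is a constructed figure for illustration only."""
    b64_bits = entropy_bits(256, nbytes)          # 8 bits per random byte
    lower_bits = entropy_bits(26, lowercase_len)
    return {
        "base64_bits": b64_bits,
        "lowercase_bits": lower_bits,
        "base64_seconds": seconds_to_exhaust(b64_bits, guesses_per_second),
        "lowercase_seconds": seconds_to_exhaust(lower_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("password:", random_password())
    print("16-char answer:", random_password(12))
    print("weak:", random_lowercase())
    for name, value in compare_schemes().items():
        print(f"{name}: {value:,.1f}")
```

The base64 output is only an encoding of the random bytes, so its strength is the byte count (8 bits per byte), not the number of printable characters; compare_schemes makes the gap between 48 bits and 23.5 bits concrete as brute-force time at a fixed guessing rate.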

When the user has a password, they may forget it (or forget where they wrote it down). Then there are several solutions. Some services let them answer questions they wrote earlier. These questions may be trivial to answer, so I use separate outputs of head -c12 /dev/random | base64 as the question and the answer (a 16-character random question answered by another 16 random characters). Other services send an email with a URL that allows changing the password. This is not completely secure, since email is insecure, but it may be improbable that someone else reads the email before the URL is used by the legitimate user.
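The emailed-URL flow described above, as an added example that is not part of the original post: a reset token that is short-lived and single-use, so that the window in which someone else reading the mail could use the link is as narrow as possible. The token store, the 15-minute lifetime, the user names and the example.com URL are assumptions for illustration.

```python
# Added example, not from the original post: the "e-mail a URL that allows
# changing the password" flow, with the two controls that narrow the window
# the post worries about (someone else reading the mail first): a short
# lifetime and single use.  Store, TTL, user names and URL are assumptions.
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumption: links die after 15 minutes

# sha256(token) -> (username, expiry).  Only the hash is stored, so a copy of
# this table (a leaked database) does not contain usable links.
_reset_store: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_link(username: str, now: Optional[float] = None) -> str:
    """Mint a fresh token for `username` and return the URL to put in the mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
    _reset_store[_digest(token)] = (username, now + RESET_TTL_SECONDS)
    return f"https://example.com/reset?token={token}"  # example.com: placeholder host


def token_from_link(link: str) -> str:
    """Pull the token back out of a link (what the user's browser sends us)."""
    return link.split("token=", 1)[1]


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if `token` is known, unexpired and unused; else None.
    The entry is removed on the first lookup, valid or not, so a link cannot
    be replayed and an expired one cannot be retried later.  Lookup is by
    hash, so the stored secret is never compared byte-by-byte with input."""
    now = time.time() if now is None else now
    entry = _reset_store.pop(_digest(token), None)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None
    return username


if __name__ == "__main__":
    t0 = 1_000_000.0
    link = issue_reset_link("alice", now=t0)
    tok = token_from_link(link)
    print("first use:", consume_reset_token(tok, now=t0 + 60))   # alice
    print("replay:", consume_reset_token(tok, now=t0 + 61))      # None
    late = token_from_link(issue_reset_link("bob", now=t0))
    print("expired:", consume_reset_token(late, now=t0 + RESET_TTL_SECONDS + 1))  # None
```

The post's observation still holds: whoever uses the link first wins. What this code changes is how long "first" stays possible and that it can happen only once. A production version would also invalidate every outstanding token for the account when one is used or the password changes, and rate-limit the reset endpoint.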

Jakob’s Law of the Internet User Experience, which states that ‘users spend most of their time on other websites’, leads to a clear conclusion here. The popular ‘solutions’ will stay popular, because people know them. But avoiding the mistakes described in this post should not hurt usability: a better CAPTCHA, or none, is easier to use than a bad one; people are used to entering passwords and to resetting them by email (and they probably do not even read those emails closely, since the links usually just work). It is nice that an organisation valuing either security or usability can improve both with a single decision.

Making a URL easier


We use URLs every day. Although most are never seen by humans, some are remembered and typed into a browser’s address bar. So I believe webmasters should make them easy to remember (if they want people to visit their sites). But the situation is not so simple, partly because of badly configured software and partly because people have grown accustomed to unfriendly URLs.

Formally, a URL consists of many parts. But in most cases a URL is not more complicated than http://example.com/foo/bar?baz=qux which has a scheme (http), host name (example.com), path (/foo/bar) and query string (baz=qux). So what’s usually wrong with these?

Web browsers usually assume http if the user does not type a scheme, so many people never notice that secure connections use the scheme https. Because users type the HTTP URL, secure websites put a redirect to HTTPS there. But HTTP is insecure: anyone on the path can answer in place of the real server and send different data, including a different redirect. The redirect itself can therefore be tampered with, and it offers no protection for that first request. With newer browsers hiding the scheme altogether, this makes the Web less secure.
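A check for the standard mitigation of the redirect problem described above, HTTP Strict Transport Security (RFC 6797), which the post does not mention: once a browser has seen a valid Strict-Transport-Security header over HTTPS, it rewrites http:// to https:// itself for max-age seconds, so the tamperable plain-HTTP redirect is not requested again. This is an added example, not code from the post; the header values are constructed samples, not captured from any real site.

```python
# Added example, not from the original post: parsing and assessing a
# Strict-Transport-Security header (RFC 6797).  The sample responses below
# are constructed for illustration, not captured from any site.
from typing import Any, Dict, Optional

ONE_YEAR = 365 * 24 * 3600  # the minimum max-age the browser preload list accepts


def parse_hsts(value: str) -> Optional[Dict[str, Any]]:
    """Parse an STS field value.  Returns None when max-age is missing or
    malformed, which per RFC 6797 makes the whole header invalid and ignored.
    Directive names are case-insensitive; unknown directives are skipped."""
    result: Dict[str, Any] = {"include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if "max_age" not in result:
        return None
    return result


def hsts_protects(scheme: str, headers: Dict[str, str],
                  min_age: int = ONE_YEAR) -> bool:
    """True if a response with these headers makes the browser upgrade future
    http:// requests itself for at least `min_age` seconds.  A header received
    over plain HTTP must be ignored (RFC 6797 section 8.1): an attacker on
    that leg could otherwise plant or strip the policy."""
    if scheme.lower() != "https":
        return False
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    policy = parse_hsts(value)
    return policy is not None and policy["max_age"] >= min_age


# Constructed responses for the two legs of the redirect the post describes.
HTTP_REDIRECT = {"Location": "https://example.com/",
                 "Strict-Transport-Security": "max-age=31536000"}  # ignored: plain HTTP
HTTPS_GOOD = {"Strict-Transport-Security":
              "max-age=31536000; includeSubDomains; preload"}
HTTPS_WEAK = {"Strict-Transport-Security": "max-age=300"}  # five minutes: lapses quickly


if __name__ == "__main__":
    print("http leg:", hsts_protects("http", HTTP_REDIRECT))   # False
    print("https good:", hsts_protects("https", HTTPS_GOOD))   # True
    print("https weak:", hsts_protects("https", HTTPS_WEAK))   # False
```

Even with HSTS the very first visit still goes over HTTP unless the site is in the browsers' preload list, which is why the preload directive and a max-age of at least a year are checked here; the user-typed http:// URL is then upgraded before any request leaves the browser.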

The host name can also cause security problems when users mistype domain names, but those problems are less interesting here. On the Web many host names are prefixed with www. It clearly contributes no information: compare http://www.plone.org/ with http://plone.org/. The second is shorter and contains less technical noise, so it is easier to type and friendlier to people. This may be why the longer one is only a redirect to the website of the Plone content management system at the shorter one.

The path may be readable text in a hierarchy. But dynamic websites built with e.g. CGI or PHP by default put a lot of technical detail in the path and use the query string to select the page. Fortunately, search engines rank websites with readable URLs higher, so this may become a lesser problem in the future.

My advice here is simple: write out whole URLs, do not prefer a leading www, and use words instead of implementation-specific details or query strings for the rest.

Yesterday evening I was reading the Official Google Webmaster Central Blog and some other blogs recommending that websites be designed for users, with the consequence of improving their position in search engines. Then I had a dream that I should talk about it, so I decided to write about a particular example of this: the websites of schools.

Websites are for users. This statement is obviously true, but its consequences are usually ignored. So we should know who might use a school’s website. In my opinion these would be teachers, students, their parents, and people considering becoming part of one of these groups.

As a student of a Polish secondary school with the IB DP and its website administrator, I was obviously interested in the websites of such schools. Therefore the following arguments apply mostly to such cases. For younger students some decisions might differ from those for this type of school.

So what would each of these groups want from the website? Some ideas:

teachers: some space to share learning materials with the students
students: materials that would replace the use of books (some students would help the teachers to write them)
parents: photos of their children?
future students and parents: what will be taught, what it will give them, how much it will cost, what the social side of it will be, etc.

I have no idea what a future teacher might look for.

Many months ago, when I compared the websites of all Polish schools with the IB DP, none of them provided all of these features. Only the one I administered had learning materials. Information for future students is limited everywhere.

In Poland there is an additional problem: we use the Polish language, while the IB DP is taught in English (French and Spanish are not used for it in Poland). Some websites were in English, some in Polish, some had two language versions. Usually parents know only Polish; students and teachers know both languages, but using Polish for IB DP-related tasks may be difficult for them. Let’s assume that everything is in one language; this problem affects only real life and not this post.

What’s more interesting, we cannot measure how successful the websites are. It is impossible to determine how changes to the website would affect the number of new IB DP students in a given school. Judged by the above list of materials useful to particular groups of people, most of these websites may be considered worthless. So let’s assume that brochureware websites work if they can be found. Then the position in search engine results determines it.

Search engines index content. They prefer content to which useful sites link. So publicly available learning materials are good for this, since others might find them useful and link to them.

It has another advantage: people completely unrelated to the IB DP might use it. The most popular search queries for my school’s website were for short stories usually read in gimnazja, the schools immediately before secondary schools. We also had these short stories in IB DP Language A1. So I believe that a student might want to attend a school that published material they had already used? Maybe this is well known for MIT, but not for IB DP schools in Poland.