Posts Tagged ‘web’

How *not* to run a business public web site – twoo.com

2015-12-03 07:26:18 PST

Egad, yuck, what a negative experience.

Here, folks, a set of examples of how not to run a business public web site – at least not if one wants to be successful and set a good impression.
All these examples from twoo.com within the last 12 hours (and very little interaction with the site to encounter all these issues and problems):

  • Do a major site transition with radical jarring changes, blast out an email to all your users of the old site that they should login to the new site and activate their account on the new site, and do this just before or right at the beginning of a scheduled maintenance outage … yes, they actually did that – jeez, what idiots (NARS – I think “Not A Rocket Scientist”). So, the user experience? – haven’t used the site in months or more, get this email, go to old site (hey, who knows if the email is legit – it was sent from new domain, not old), old site redirects to new, new … yeah, it’s down for maintenance – planned scheduled maintenance – ugh … idiots. So the new user experience is new site that’s 100% down when visited (at least for the first half hour or more). This also fails the “high availability” criteria – such sites should be high availability – not to mention their other idiocy.
  • At least security sensitive stuff should generally enforce https, or at least support it. And yes, also with valid good strong SSL certs. twoo.com and their ilk/history generally blows it. So, at some point, formspring.me became spring.me, and highly recently, spring.me became twoo.com. My login information I’d saved, was still for formspring.me … whatever, go to formspring.me, redirects to spring.me, redirects to twoo.com down for maintenance page. Retry some hours later … and look a bit more closely. https://www.formspring.me/ – certificate expired (like what, they can’t spend the $10.00 USD per year or so or can’t even bother?). So, if I ignore the expired cert bit, I then find it’s also incorrect cert – the site cert is not for formspring.me, but for spring.me. Not okay, whatever, so they suck, blow through that and see what’s next … I find both https://formspring.me/ and http://formspring.me/ do a 301 (“permanent”) redirect http://spring.me/ – drops the https when redirecting from https. Yet another screw up. So, let’s pick up at https://spring.me/ – egad, idiots! – yet another cert error – the cert on that site is for twoo.com, not for spring.me. So, if we blow past that error, their next idiocy – surprise surprise, yes, they redirect again, but this time only 302 – “temporary” (like what, they’re really planning to bring back spring.me after they’ve already effectively announced their killing of it?) – but not only that, it redirects from https, again to insecure straight http … on the http://twoo.com/ site. And if you go to their login/sign-in page … it’s http … though one can manually force it to use https, but everything on their site defaults to http, and often links back to http, not https.
  • So, finally login on their site and … Do a rough, disruptive transition. formspring.me became spring.me – whatever – not sure how long ago that was, and then highly recently, spring.me became twoo.com. Everything that was good/unique/interesting with formspring.me (and possibly also spring.me – not sure when that change was) is gone (quite unique question/answer forum & community, etc.), and it’s all been replaced with yet another dating/matchmaking site – pretty much an okcupid.com wanna be – at least as far as I can tell – but a much more stupid, limited version thereof – basically a half-hearted attempt … well, really, not even anywhere close to half, … more like 5 to 10% effort – if even that. A sucky poor version of what they apparently wanna be, and they dropped everything that was relatively good with what they are. Yep, that’d be a way to kill a business and be stupid and tick off customers/users.
  • So, what the hell, on the site, haven’t logged in in a long time, … not even sure when I last changed password on site, … let’s change password – and, bloody thing defaults to http – so manually force it to https. So, navigate to the password change section, paste in old password, and new password and a second time for confirmation, click the CHANGE button and … nothing. WTF? Click it a whole bunch more times … nothing. Did it change it? Hell if I know. Let’s check. Logout. Try login with new password, it fails – and they also so very unhelpfully and misleadingly, give a message that they’ve emailed me a link to instantly log in – bloody hell, the password change didn’t take, *and* they send me in clear plaintext unencrypted email a URL to instantly login – I requested no such email – after all, that’s what the dang “I forgot my password” links are for, right? But I’d clicked no such link. Whatever, I try the login another time or two – same damn message each time about it sending me an email … oh, which by the way they sent no such emails – so they’re not even consistent with what they say. Bloody heck. So, … try old password again … it authenticates. Try the password change exercise a few more times – each time, same results. Yet another time with the password change interface … and I eventually figure out if one pastes the data in the fields it ignores it – damn friggin’ idiots. Don’t they know smart secure folks use password management, and pick good strong secure passwords, and typically don’t type the damn passwords in? E.g. a typical password of mine might look like yflflwx0)7+CvT0t7y*g … oh, and “of course”, would be different for every friggin’ site, account, etc. – you don’t think I actually memorize and type all those in, or even manually type ’em every time? 
Now, if my password was something stupid like “secret” and I used it on every friggin’ site, maybe I’d type it … or program it into a hot key on the keyboard or such … but I’m not that stupid nor insecure. Anyway, so, have to actually type the passwords in – or, well, at least the last character of each string – bloody annoying … anyway, do that, and looks like it finally takes it – even has one of those “password strength” indicators – okay, so that very last bit not exactly bad. But then [insert drum roll] click the CHANGE button and …: Internal Server Error – Read The server encountered an internal error or misconfiguration and was unable to complete your request. Reference #3.4d42ddc2.1449152193.16f5aa53 UGH! You gosh darn idiots! Sites ought be able to take secure passwords – that means at least arbitrary ASCII printable characters plus [space] character, and if not arbitrary length, at least quite long – e.g. preferably at least 20 or more characters, and preferably quite a bit more than that (some folks use quite long passphrases), and certainly don’t limit it to something quite short (e.g. limiting to 8 or fewer is generally quite bad), and if one has some specific limitations – e.g. can’t take certain characters, or only allow certain characters, or has some minimum, or maximum, or must have some other construction rules, then preferably state those restrictions up front before one enters new password (like before one has bothered to pick or generate one that doesn’t satisfy the site’s limitations), but if one can’t do that, at least after rejecting a password, state exactly why – if one can’t state the limitations up front, at least state the limitations upon rejection. But bloody hell, don’t just friggin’ outright fail. Idiots. That generally indicates flawed – and often vulnerable code. Oh, geez, and with password input – a security sensitive area? Trust these guys? I wouldn’t trust ’em any further than I could spit ahead of me in a 100 MPH headwind. 
What a crap site.
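The redirect and certificate problems listed above can be checked mechanically. The following is an added example, not code from the original post: it audits a recorded redirect chain for expired or mismatched certificates, https-to-http downgrades and temporary redirects between hosts. The hop records are constructed from the post's description, and the function and field names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the hops as the post describes them (status, Location,
# and the name the served certificate was issued for). Not captured traffic.
HOPS = [
    {"url": "https://formspring.me/", "status": 301,
     "location": "http://spring.me/",
     "cert_name": "spring.me", "cert_expired": True},
    {"url": "https://spring.me/", "status": 302,
     "location": "http://twoo.com/",
     "cert_name": "twoo.com", "cert_expired": False},
]

def cert_matches(host, cert_name):
    """Exact match, or a one-label wildcard such as *.example.com."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def audit_hop(hop):
    """Return the list of findings for one redirect hop."""
    findings = []
    src = urlsplit(hop["url"])
    dst = urlsplit(urljoin(hop["url"], hop["location"]))
    if src.scheme == "https":
        if hop.get("cert_expired"):
            findings.append("expired-cert")
        if not cert_matches(src.hostname, hop["cert_name"]):
            findings.append("cert-name-mismatch")
        if dst.scheme != "https":
            findings.append("https-to-http-downgrade")
    elif dst.scheme != "https":
        findings.append("stays-on-http")
    # A 302 between different hosts claims the move is only temporary.
    if hop["status"] == 302 and src.hostname != dst.hostname:
        findings.append("temporary-redirect-cross-host")
    return findings

def audit_chain(hops):
    """Map each hop's URL to its findings."""
    return {hop["url"]: audit_hop(hop) for hop in hops}

if __name__ == "__main__":
    for url, findings in audit_chain(HOPS).items():
        print(url, "->", ", ".join(findings) or "ok")
```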

Don’t you just hate it when … (whine, grumble … – annoying too common web bugs)

2011-12-11 20:31:37 PST

Don’t you just hate it when …
Well, it’s annoying anyway … website bugs that ought not exist, yet one encounters, e.g. in the last few days:

Registered on a website just fine. Logged off, go to log in again – it fails. Apparently the algorithm used when processing password for registration, and that used for authentication (to log in) don’t quite match, so in some cases a password will work fine to register on the site, but then one can’t use that password to login on the site following a successful registration. And then to top it off, the site’s password reset thingy doesn’t work – it’s supposed to send an email to the registered email address, … but never does. And yes, the registration “took” – as it wouldn’t let me create it again, as the login/account name already existed if I tried to do it again with same name. “Oh well”, … annoying that. But why must the same types of bugs/flaws be “reinvented”/rediscovered countless times in numerous places? I was hoping “we” might all be evolving a wee bit faster than that. I guess not quite yet, anyway. Oh well, reported the bug, etc., hopefully it’ll get fixed, … and after getting tired of waiting (okay, maybe not a super high priority bug for them), I just reregistered, creating a different account, and using a much weaker password (still moderately strong, but quite a bit shorter, and devoid of all non-alphanumerics) … at least their algorithm could handle that without messing it up.
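Both this registration/login mismatch and the twoo.com password-change failure in the post above come down to how the server processes the password. The following is an added example, not code from either site: registration and login share one derivation path, the policy is published as text, and a rejection returns the specific reasons. The limits, the iteration count and `login_mismatched` (one hypothetical cause of the bug) are assumptions.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 8, 128        # assumed limits for this sketch
ITERATIONS = 200_000             # assumed PBKDF2 work factor
ALLOWED = {chr(c) for c in range(0x20, 0x7F)}   # printable ASCII incl. space
POLICY_TEXT = (f"{MIN_LEN}-{MAX_LEN} characters; any printable ASCII "
               "character, including space")    # shown before the user types

def policy_errors(pw):
    """Return every reason the password is rejected (empty list = accepted)."""
    errors = []
    if len(pw) < MIN_LEN:
        errors.append(f"too short: {len(pw)} < {MIN_LEN}")
    if len(pw) > MAX_LEN:
        errors.append(f"too long: {len(pw)} > {MAX_LEN}")
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        errors.append("unsupported characters: " + " ".join(repr(c) for c in bad))
    return errors

def _derive(pw, salt):
    # The single place a password is turned into a stored verifier.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)

def register(db, user, pw):
    errors = policy_errors(pw)
    if errors:
        return errors            # reported to the user, not a bare server error
    salt = os.urandom(16)
    db[user] = (salt, _derive(pw, salt))
    return []

def login(db, user, pw):
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(stored, _derive(pw, salt))

def login_mismatched(db, user, pw):
    """Hypothetical bug: login strips characters that registration kept."""
    return login(db, user, "".join(c for c in pw if c.isalnum()))

if __name__ == "__main__":
    db = {}
    print(POLICY_TEXT)
    print(register(db, "alice", "yflflwx0)7+CvT0t7y*g"))          # sample from the post
    print(login(db, "alice", "yflflwx0)7+CvT0t7y*g"))
    print(login_mismatched(db, "alice", "yflflwx0)7+CvT0t7y*g"))
```

With the mismatched path, a password containing punctuation registers but never authenticates, while an all-alphanumeric one works in both, which is the behaviour described above.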

Don’t you just hate it when …
Web thingy send-a-message type things quite fail to work. E.g. earlier today on OkCupid, … try to send someone a message – fairly long – well under size limit … and it simply fails – with not even any specific diagnostic – it just “chokes”/stalls on it (times out after quite a while). Tried a second, and third time, same each time. Likely something about the length, or specific content (character(s) or specific text patterns?) … in any case, it just wouldn’t work – but even more annoyingly, it would offer no useful information as to why it wouldn’t work. And yeah, I reported the bug to OkCupid – hopefully they’ll get around to fixing it. After enough annoyance, frustration/delay – I did send message to user – but dang short one, saying, well, slightly redacted:

<first name>,

I do quite like your profile. Tried sending you a message … thrice, even, but OkCupid seems to be tripping up on something – and not indicating what (send just stalls indefinitely – I did give OkCupid a bug report). Hmmm, perhaps email (as work-around, if nothing else)?
You can email me at:
<my email>
or message me here with your email
or call me, if you prefer:
<my home phone number> (home+msg.)

Yeah, hardly the long(er), more personalized message with content I wished to include … but no idea why OkCupid appeared to be tripping up over it. And silly OkCupid – it doesn’t let one send message to self – so I couldn’t use that to try “divide and conquer” to see if I could isolate it to specific text that might’ve been causing a problem with OkCupid in the attempted send. Oh, and OkCupid’s policy – one account per person – so it’s not like I could even do a test send to myself on some other account. Anyway, reported the bug, blah, blah, blah, … hopefully they’ll get it fixed. Maybe even soon. :-)

Likewise (haven’t bumped into it in a while), with YouTube … likely still the case, but, try to post a comment on a video, with, e.g. a < character in it, and it fails. But that's not the (specific) problem, … it's the way it fails. The diagnostic is nearly useless, it's something like, "Error, try again" … well, trying again fails again in exact same way, but that's what the diagnostic says each time. Geez Google/YouTube, … y'all are smart! :-) … give a (much) better diagnostic, … you know, e.g. "Sorry, can't accept these characters: <…" or whatever – indicate specifically what in the content is being disallowed and preventing the posting of the comment. And yes, I did (much earlier) report that as a bug. Hopefully they've fixed it (or at least will at some point).

And not to pick specifically on, e.g. (particular) vendor, OkCupid, YouTube – they're all quite good … excellent even (but alas, not perfect), … but still, annoying bugs, and all too common (far too commonly encountered also on numerous other web sites).

Okay, I'll get off my soapbox … for now. ;-)