
Archive for the ‘Web Site Development’ Category

When world politics and web design collide

September 3rd, 2010

World politics and web design are two unlikely bed-fellows, but if you have used a web-form with a list of countries, or are living in a “semi-recognised” country (for example, The Isle of Man), you will appreciate the issues. Add to the equation the complications of postage, taxes, sanctions and embargos and it can get quite complicated.

Defining countries can be a sensitive issue, with some countries not being recognised by others and local usages and naming styles also causing problems. That is why we lean towards the formal when we work with lists of countries. We use accepted international standards as a source for our lists, which allows us to take a widely accepted view of country names around the world, hopefully without causing offence.

This list presents us with problems, however. Consider the screenshot below from a list of countries for a large site we are currently working on:

'Leaking' drop down list with wide country names


The first problem is the large amount of horizontal space used by the entries, which causes the drop down list to be expanded artificially. This makes it difficult to fit into some designs, as highlighted by the purple arrow. The width is determined automatically by the longest entry in the list, in this case “MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF”. Far be it from us to assert a right to change a country’s name, but we need to reach a compromise. This can either be changing the design to accommodate the wider data or, as a last resort, changing the data (in this case, we could use the commonly accepted “FYR” abbreviation).

I was asked why all the countries are in capitals. “Well, that’s how they come in from the original standard”, I replied. The thing is, capitals require wider horizontal space and it does feel like you’re shouting. I imagine the ISO standard is capitalised to avoid another thorny issue: what exactly should be capitalised in a country name? While “Macedonia, The former Yugoslav republic of” may be technically correct, it may not be politically correct. We decided to stay with the CAPS. Another reason to stick with the CAPS is that users are traditionally used to seeing country lists in capitals. When was the last time you entered your country and it was lower-case? By retaining capitals, we build on this albeit uncomfortable convention.

Semi-recognised countries and transient states are also difficult to navigate. The world is constantly changing and countries are born, extinguished and forgotten even in modern politics. On The Isle of Man, we are in a position that is little understood away from its shores. While we are a crown dependency, and a country, we are not regarded as a sovereign state. So, we tend to be lumped into “United Kingdom”, even though technically, we’re not actually in the UK. Web users on the Isle of Man have become used to going for “United Kingdom”, as opposed to hunting down the Isle of Man within the “I”s.

I remember this being particularly contentious when I was working for an e-Commerce web-site provider. While we should provide “Isle of Man” as a country option for reasons of correctness, postage, etc., we couldn’t rely on that data being correct because Isle of Man users may just be used to using “United Kingdom”. If we exclude “Isle of Man” from the selection, we might have incorrect data, but at least it isn’t inconsistent.

It can be a minefield, as you are always keen to avoid offending your users at the very least in trying to create a positive web experience. It’s also important to lean towards convention when designing user experiences, as yours is only one of hundreds that your users may have used, and of millions on the wider internet.

Nathan Web Site Development

Internet Explorer 6 … not dead yet.

June 2nd, 2010

The internet is a great medium for users to be able to access choices in just about anything they can think of. One of these choices is the application used to browse the web, the web browser. There have been battles in this area for years, often resulting in court action and sometimes in the demise of the product. Just like you “know” your detergent is better than all the others, you also know your chosen web browser is the most secure, fast and friendly browser available.

There are a number of web browsers available at the moment, such as the incumbent market leader Microsoft Internet Explorer and the “new kid on the block”, Google Chrome. Other browsers exist, each targeting specific features such as speed, platform (mobile phones, etc.) or privacy. The chart below from MarketShare illustrates the performance of each browser in the last 2 years or so.

Browser version market share since July 2008


As various versions of the web browsers are released and market-affecting court action is announced, it is clear how browser share is affected, particularly with the decline of Microsoft Internet Explorer versions 6 and 7 (towards version 8) and the increase in adoption of alternative browsers. The recent European Court ruling that users should be given a choice, which has resulted in Windows 7 users being presented with a browser election screen, will be more forceful in that choice, giving users who wouldn’t otherwise be aware of alternatives the opportunity to move away from the “operating system browser”, Internet Explorer.

This choice is good for the user, but presents us with challenges. We need to embrace the latest technologies such as those offered by HTML5, but this needs to be tempered by how far browsers have implemented those technologies and by the ability of older browsers to provide an equivalent experience for users. A challenge any web developer [should] have is being able to facilitate users of Internet Explorer 6 (“IE6”). IE6 has been around for years. Shipped as part of Microsoft Windows XP, it is “stuck” in that users of Windows 2000 who upgraded to IE6 cannot upgrade to IE7, and corporate/enterprise users can’t perform upgrades themselves and as such are restricted to whatever the IT department dictates. Therefore, there will be a “hardcore” contingent of IE6 users for years to come yet, particularly as official support for Windows XP (and therefore IE6) only ends in July. These users need to be catered for, regardless of your market persuasion.

This morning, Scott Hanselman drew attention to a CNN article claiming that Internet Explorer 6 was about to die for good, having decreased to 4.7% of browser market share in the US. This seemed to be very optimistic, based on the figures we have seen. Our understanding, provided by MarketShare and being a global metric, is that IE6 continues to retain 17.13% of the browser market share (which also illustrates the disparities in statistics collection). So while its death is surely coming, it’s too early to arrange the wake and we will continue to support IE6 in the meantime for the sites we develop.

Nathan Web Site Development

Can you trust a web-form?

April 9th, 2010

Can you remember the last web-form you completed on a web site? Can you remember what you entered? My guess is that it was at least a username or email address and a password. Now imagine what a malicious user who “listened in” to your input could access. The odds are that you used the same password as most other sites you visit, just to get it done. So you’ve just compromised not only the site you logged in or registered with, but just about any account you have online. If I was a hacker, I’d start expanding my attack to big players, like Facebook, Twitter and maybe a few banking sites, just for a laugh.

Every time you complete a web-form on a web site, you are placing a lot of trust in the various parties involved in that connection to the internet, and you won’t know about all of them. Consider the following parties involved in your web-form submission:

Your own computer: When was the last time you did a virus/mal-ware check, and with up-to-date definitions? Viruses are no longer bits of code that produce cutesy messages and graphical effects; they are silent, subversive and distributed. If you have a virus that logs your keystrokes, it could be sending every keystroke to computers all over the world. Your secure connection and password are now useless, as basic pattern matching can reveal you just entered your email address and password on a particular web-site.

Between you and the web-site: When a relative reacted with surprise that her emails were not secure, I realised that users who are not internet-savvy will approximate their interaction with services and users on the ‘net to the closest thing they have experience of: a telephone call, or a letter. Between your email client or web browser and the recipient or web site is an essentially infinite number of connections consisting of cables, routers, switches, servers and firewalls, none of which can be trusted. Each and every one of these can look at your submission and store it for later use. Of course, no ISP or internet routing agent would do this - knowingly - would they? That’s why HTTPS was developed, which creates a secure, encrypted and certificated connection between parties. But HTTPS only works if you have sufficient trust in the issuer of the certificate, the certificate is itself valid, and the submission of data is also encrypted (your URL may say “https”, but your submission may go in “plain-text”, using “http”). Which one of us checks all this before sending our data?

The web site: While you may like to think we only go to reputable web-sites, there are times when we stray off the well-trodden path to buy that unique gift, sign up for that cool service, etc. When you submit details to a web-site, you are placing trust in that site to capture that information and securely store it. We like to think that our submission goes straight into the database, never to be seen again except electronically when we need it - but what guarantee have you? Without looking at the source-code of the web-site, which would challenge even the most technical of users, you would never know if they were harvesting passwords, credit card numbers, selling email addresses, etc. And what if some malicious software has infected the site itself?

The authorities: The digital revolution is occurring very fast, and faster than the authorities can keep up. Public authorities, whether executive, law-enforcing or intelligence-gathering all have a degree of inertia as they are always playing “catch up”. This results in rapidly developed legislation, which is not always well thought through. Consider the Regulation of Investigatory Powers (RIP) Act 2000, or the Digital Economy Bill currently rushing at light speed through parliament as I type so it completes before the General Election. Such legislation is often rushed at the cost of adequate and fair consultation and implementation. Your data is subject to searching, retrieval and submission by your ISP and nominated public authorities.

As a company specialising in quality web-sites, we are aware of issues such as security and trust when users enter data in web-forms. While it isn’t possible to manage the entire communication (for example, we could never check your own computer remotely!) we will do what we can by adopting best practices in capturing your data and storing it securely. Recent projects we have worked on require highly sensitive information, which is central to the user’s identity and the viability of a business as an agent of trust. Therefore, it is essential that we implement everything we can to manage the risk of data being compromised.

Our approach starts with recommending that clients who have a web-form which requests sensitive data (including username and password) purchase an HTTPS/SSL certificate. This encrypts and signs the communication and acts as one layer of trust. When we store passwords, we store only a hash of them, so they cannot be restored: your password cannot be recovered even if the database were compromised. (This is why it can often be a pain to retrieve a forgotten password from some sites - they don’t know your password either, so they need to prove your identity first before resetting it for you.) We employ best practices in anti-cracking to prevent or restrict the opportunity and effectiveness of techniques such as buffer overflow, cross-site scripting and cross-site request forgery. Finally, we recommend how the hosting infrastructure is implemented, so security is reflected physically. This involves splitting servers across firewalls to limit the possibility of a compromise and the extent of damage should it occur.

No web-site can be 100% secure. Working with user-submitted data is about managing risk, rather than preventing it. There are many techniques that can be adopted, ranging from the technical to the social. You might not realise it, but these tools are already in use at sites you regularly visit. Online banks use subtle techniques when asking for your memorable word to defeat key-loggers, web-sites use CAPTCHAs to prevent automated attacks, and login forms report only “unknown username and/or password” rather than a separate “unknown username”, to avoid publicising that an account exists to try and crack. There is a toolkit of anti-cracking techniques; the strength of the professional is in employing them tactically and effectively for the application.
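Two of the measures above, storing only a hash of the password and giving one login failure message for every case, fit together in a few lines. This is an added sketch, not the code used on the sites described: the post does not say which hash is used, so salted PBKDF2-HMAC-SHA256 is an assumption here, as are the iteration count, the in-memory user table and the account in it.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune for your own hardware
GENERIC_ERROR = "Unknown username and/or password"

def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed in-memory "users table" standing in for the database.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Record hashed against when the username is unknown, so that both failure
# paths do the same amount of work and take a similar time to answer.
_DUMMY = hash_password("placeholder")

def login(username, password):
    """Return (ok, message). The message never says which part was wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    match = hmac.compare_digest(candidate, stored)   # constant-time comparison
    if match and username in USERS:
        return True, "Welcome"
    return False, GENERIC_ERROR

if __name__ == "__main__":
    print(login("alice@example.com", "correct horse battery staple"))
    print(login("alice@example.com", "wrong"))
    print(login("nobody@example.com", "wrong"))
```

A per-user random salt means two users with the same password get different stored digests, and the deliberately slow hash raises the cost of guessing passwords from a stolen table.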

Nathan Web Site Development

10 Ways to make sure your Web Site specification succeeds

February 9th, 2009

Developing a Web Site can be great fun and an opportunity to show the world what you can do in a modern and accessible format. But before you get started, it’s important to consider how to develop your requirements of the site. Have a look at these 10 tips to help you get started:

  1. Appoint a Project Lead for the web site. This helps you form a coherent project with a central point of contact and responsibility. It helps us because we know we can talk to them and use them as a “channel” into the business.
  2. Have you thought of the “back office”? Many sites, particularly e-Commerce sites, require support behind the scenes to track stock, monitor user submissions to the site and more mundane issues such as who is responsible for receiving contact requests from the site.
  3. Make sure you have a clear purpose for your web site. Is it a brochureware site where visitors can find out what you’ve got to offer? Is it an extranet site that extends your internal business system(s), helping both you and your customers? Or is it an e-Commerce site that needs to make a profit in its own right?
  4. What is the site’s target audience? Are they young, old, professionals or casual shoppers? This will help decide what kind of user interface is appropriate, and what design style will work best.
  5. Keep in mind increasing legal requirements for accessibility for hard of hearing or partially sighted users who may require larger text/contrasting colours or browse using alternative platforms such as braille or speaking browsers.
  6. Do you have a marketing campaign for your new web site? Remember to add your web site to all your stationery, outgoing emails and branding to embed your web site address (URL) into the minds of your [potential] customers.
  7. How will the site be maintained? Will it be updated regularly? If so, you can use a Content Management System to manage your own content, such as our ACTMaster CMS.
  8. How will you measure the effectiveness of your site? We can help configure statistics and analytics to help you quantify visits, but this goes hand in hand with less quantifiable analysis such as asking your new customers if they found you through your web site.
  9. How interactive will your site be? While techniques such as Flash are great for users who have it, some information is better presented in a page of text - especially for optimising for search engines.
  10. Having a look at how other sites look and feel can help a lot. A great starting point is our Portfolio of recent sites to help get some ideas and form a starting point for your own site.

Andreas Web Site Development