Archive for the ‘Web Site Development’ Category

EU Cookie compliance put into practice

May 16th, 2011

We’ve written about the upcoming EU’s European e-Privacy directive regarding HTTP cookies once before (http://blog.island-webworks.net/2011/03/the-way-the-cookie-crumbles), and we didn’t exactly come down on the positive side of this upcoming legislation. However, the law is passed and will come into effect later this month, so we thought we’d better find a way to comply without reducing the usability of our web sites.

The challenge set by the e-Privacy directive is that any web site operating within the EU will have to clearly state what cookies it wants to set and how they are to be used. Only after getting explicit consent from the user would a web site be allowed to set any cookies¹ on the user’s machine.

So, in order to use cookies you now really need to set another cookie to store the user’s preferences, which ironically means that if the user denies the use of cookies, you have no legal way of storing that user preference in a cookie and will have to keep nagging those users every time they visit your web site.

Unobtrusive nagging

Taking the above into account, it was clear that an unobtrusive method of alerting the user was required – something that could be displayed on every page without impacting on the user experience. After some thinking we decided to use a discreet info bar appearing at the bottom of the web page.

An info bar appearing at the bottom of the page to highlight that cookies might be used.

The info bar would state that we wish to set some cookies and ask if the user would be ok with that. By clicking the ‘Tell me more’ link an information window would appear.

On clicking the information bar's 'Tell me more'-link, a window with detailed information appears and gives the user the option of accepting or denying the use of cookies.

This information window is where the user either accepts or denies the use of cookies for this site. The bottom paragraph also points out that if the user doesn’t accept cookies, we would have to ask them every time they visit.

Since this is a procedure the user will probably only want to go through once, the system is designed to be easily ignored. The info bar can be closed without further ado by clicking the close button, or it can be ignored completely without affecting the usability of the site.

However, the main problem with the new legislation remains: only very few visitors will ever explicitly approve the use of cookies, which essentially means that the use of tracking technologies like Google Analytics is going to become more or less obsolete in the European Union. That’s quite a blow to any organisation trying to improve its web sites to better suit its visitors’ needs!

1) The term “cookies” refers to any kind of file stored on a user’s computer in order to track that user. As such, this also includes so-called Flash cookies.
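The decision the post describes, written out as an added example (not Island Web Works’ own code): nothing beyond the consent preference itself is written until the visitor explicitly accepts, and a refusal is not recorded at all, which is exactly why the info bar has to come back on every visit. The cookie names, the one-year lifetime and the `Secure`/`HttpOnly`/`SameSite=Lax` defaults are assumptions for illustration.

```javascript
// Added example, not the post's code: consent-gated cookie handling as pure functions
// so the same logic can be used from any server-side handler.
const CONSENT_COOKIE = 'cookie_consent';   // assumed name of the preference cookie
const ONE_YEAR = 365 * 24 * 60 * 60;       // Max-Age in seconds (assumption)

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build a Set-Cookie header value. Secure, HttpOnly and SameSite=Lax by default, so the
// cookie travels only over HTTPS, is hidden from page scripts and is not attached to
// cross-site requests. Pass httpOnly:false only for cookies page scripts must read.
function serializeCookie(name, value, { maxAge = ONE_YEAR, httpOnly = true } = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, `Max-Age=${maxAge}`, 'Path=/', 'Secure'];
  if (httpOnly) attrs.push('HttpOnly');
  attrs.push('SameSite=Lax');
  return attrs.join('; ');
}

// Decide, for one request, whether to show the info bar and which cookies may be set.
// `choice` is what the information window submitted: 'accept', 'deny', or undefined
// when the visitor ignored the bar. `wantedCookies` are the functional/analytics
// cookies the site would like to set (name -> value).
function decideCookies(cookieHeader, choice, wantedCookies) {
  const existing = parseCookies(cookieHeader);
  const alreadyAccepted = existing[CONSENT_COOKIE] === 'accepted';

  if (choice === 'deny') {
    // Withdrawn or refused consent: the only thing we may emit is the removal of a
    // previously stored preference. The refusal itself is not recorded.
    const setCookie = [];
    if (CONSENT_COOKIE in existing) setCookie.push(serializeCookie(CONSENT_COOKIE, '', { maxAge: 0 }));
    return { showBar: true, setCookie };
  }

  if (alreadyAccepted || choice === 'accept') {
    // Explicit consent: record it (the only way to stop asking) and set the rest.
    const setCookie = [];
    if (!alreadyAccepted) setCookie.push(serializeCookie(CONSENT_COOKIE, 'accepted'));
    for (const [name, value] of Object.entries(wantedCookies)) {
      setCookie.push(serializeCookie(name, value));
    }
    return { showBar: false, setCookie };
  }

  // No answer yet: nothing may be written, and the bar is shown again.
  return { showBar: true, setCookie: [] };
}
```

A handler would call `decideCookies(req.headers.cookie, req.body.consent, { analytics_id: id })`, add each entry of `setCookie` as a `Set-Cookie` header, and render the info bar when `showBar` is true. Note that the analytics script itself must also be left out of the page until `showBar` is false; the server withholding the cookies is only half of the job.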

Andreas, Web Site Development

Internet Explorer 9 – a new beginning?

March 16th, 2011

Microsoft have steadily been losing browser market share ever since Mozilla introduced its Firefox browser, dropping from an impressive 91% in 2004 to a humbling 56% in January 2011. Microsoft’s release of IE7 in 2006 and IE8 in 2009 didn’t do much to stop this decline, especially with Google Chrome entering the arena in 2008, but with their latest browser, Internet Explorer 9, they hope to reverse the trend. So what can we expect from this new browser?

Pin a web site to the taskbar to access a jump list of links to key areas of the site.

Well, with version 9 IE is much more compliant with web standards (95/100 in Acid3, up from 21/100 for IE8), which means web designers hopefully won’t need to implement IE specific code to get their web sites to display correctly in IE9. It also supports the latest versions of style sheet and markup languages (CSS3 and HTML5), so it should be fairly future proof. In addition, IE9 is much quicker to render web pages and it sports a new font rendering engine which makes text appear nice and smooth. The user interface has also been overhauled, with a slimmer and more streamlined appearance and some nice new features like pinning sites to your taskbar for additional functionality (Windows 7 only).

This all sounds good, and most IE users will probably upgrade, especially as it will be part of Windows Update later this month. However, a problem arises for users of IE6. Since IE9 is only available for Windows Vista/7, and all IE6 users are on Windows XP or older, they are stuck and can’t upgrade. This is particularly annoying since Microsoft have launched their ‘The Internet Explorer 6 Countdown’ campaign urging people to move away from IE6 and upgrade, but the only version on offer is the already 3-year-old IE8.

Education - not dictation

We at Island Web Works are all for putting an end to the usage of IE6, but we won’t be putting Microsoft’s ‘Upgrade your browser now’-banners on any of the sites we produce. Getting IE6 users to upgrade to IE8 is not a solution, as they would still be stuck with an obsolete browser. Instead, we would rather educate people about the benefits of upgrading from Windows XP to Windows 7, something that is already happening in the private sector as people replace old PCs with new ones.

In the corporate sector however the situation is slightly different. Apart from the cost of upgrading multiple workstations, there might be legacy applications in use that only work in Windows XP/IE6. Luckily there is a solution available. Windows 7’s XP-mode allows you to run legacy software in a pre-installed virtual PC application, which comes complete with a licensed version of Windows XP. This makes running legacy applications a doddle, and should allow businesses to take the plunge and upgrade to Windows 7/IE9.

XP mode - old and new in perfect harmony

So, the signs for IE9 are encouraging, and with more than 40 million downloads so far it has stopped the downward trend of IE. It is still early days, but Microsoft seem to have created a modern and solid browser, which hopefully will replace the older IE versions as soon as possible and allow the web to become standardised.

Andreas, Web Site Development

The way the cookie crumbles

March 14th, 2011

In the beginning of the World Wide Web, developers discovered that in order to get web shops to work properly they needed to store little pieces of user information. To solve this problem, they invented the HTTP cookie – small text files sent from the web site to the browser, stored on the user’s local machine, and available to be retrieved by the web site.

This soon caused controversy with users panicking about their personal information being accessible to malicious web sites to track their browsing activities. In response, browsers had settings added to them allowing users to not store any cookies, or only cookies they trusted. The dust settled, the web matured and today many sites (including Google, Facebook and YouTube to mention just a few) use cookies to allow users to log in to their personal web site accounts, or to enhance the user experience.

However, this is soon to change: the EU’s European e-Privacy directive that comes into effect on 25 May this year states that the use of cookies and similar technologies will need explicit permission from the web site visitor. This means that web site owners can no longer rely on the user’s browser settings to see if they will accept cookies.

What consequences will this legislation have? Well, firstly, owners of web sites operating within the European Union will have to make sure that their web sites provide clear and comprehensive information regarding the use of cookies. This includes stating why cookies are used and how the information is processed. The web site also needs to give the user the option of opting out, and to make sure no cookies are then dropped on the user’s machine.

Secondly, the web browsing experience for the user will become more complicated and cumbersome, as the user will have to actively approve the use of cookies whenever he/she arrives at a site. Expect to see a dramatic increase in popups and mandatory checkboxes all over the web. Also, if users make the “wrong” decision and block cookies by mistake, they can expect only a subset of the features on the web site to be available due to technical and/or financial limitations.

And thirdly, the only sites not affected by this are those that deliberately ignore regulations anyway in order to spread 3rd party tracking cookies to collect as much data as possible. Ironically, they will be the sites that are the simplest to use, potentially tricking users into believing that they are browsing on a safe site, which I don’t believe was the original purpose of the directive.

Additionally, any extended development requirements could result in extended development time, which in turn would increase project costs. A way to avoid this would be to use technologies such as ASP.NET in cookie-less operation mode. Luckily, this is the default technology we use at Island Web Works.

Sites hosted outside the European Union are not affected by these regulations, but similar proposals are being supported by the US Federal Trade Commission, so it might only be a matter of time before this applies to most web sites. This could well be the beginning of the end for the humble HTTP cookie.

Andreas, Web Site Development

You may keep your password secret, but will a web-site?

March 9th, 2011

We’ve blogged before about how you know whether to trust a web-form. We highlighted that sites capture personal information and often ask you for a username, email address and/or a password. The odds are that you will use the same password on the site as you have on many other sites. Everyone does it, right?

Once you have registered with the site, after convincing yourself of a certain level of trust in the site owner, you might not think that even if the infrastructure of the site is sufficiently secure that no-one could ever hack in to your personal data, that the site would then broadcast – in plain text – your username and password. That would be crazy!

This is what recently happened to me. While using a leading retailer’s online presence, I was sent a “courtesy” email containing my username and password.

But if they emailed you the details, that’s private, surely? Not at all. If someone knows enough about you they may make a good attempt at hacking your email password, and they then know an awful lot more than a few passwords. Equally, I often have to explain to people that email is not like a telephone conversation. Your emails get passed, bounced, redirected and filtered through any number of servers before they get to the recipient’s inbox, and it is all in plain text. Every one of those servers (and there is no policing of what servers may be allowed to route across the internet) can take a copy of your email. The recipient’s machine may already be compromised by malicious code such as viruses, harvesting personal data and transmitting it “back to base”.

So what’s the answer?

The User’s responsibility

It’s easy to say you should have different passwords for different web-sites. I’m betting you wouldn’t be able to name all the web-sites you registered with in the last month, let alone remember the unique passwords you applied to each of them!

There are options available, though. You could create a tiered list of passwords. High-security passwords for your email (distinct from your banking), moving down to weaker and easier to remember/relate for less important/trusted sites such as forums, etc. It would certainly be a good idea to keep separate passwords for your email, banking and any sites that store your credit card information. Maybe another password for your social media life (Facebook, Twitter, etc.) and “throwaway” passwords for other sites which you may not even return to.

Another option is to use a tool such as KeePass or LastPass. These securely store your passwords either locally on your machine in a heavily encrypted file or in the cloud, so you can access your passwords anywhere. KeePass is particularly useful when working with particularly secure passwords such as server login details, as you can add multi-factor authentication (e.g. a USB key). LastPass is more orientated around the web user, providing browser extensions that help retain form information including passwords. This allows you to generate unique passwords as you need them, or at least manage a larger number of passwords that you use infrequently.

The Web-site’s responsibility

The web-site’s responsibility is two-fold. First, it must store your password securely; second, it must not compromise that password.

Storing your password securely ideally means generating a one-way hash from it. Your password is taken (over a secure HTTPS connection, of course) and put through a mathematical algorithm which produces a seemingly random sequence of bytes. So a password “LetMeIn” becomes “bc9d9cb353c87531f61d6f21d5cc072e”. What’s important is that this method is different from encryption because it is not feasible to reverse the output sequence of bytes back to the original password. Your imaginative password remains secure! However, depending on the algorithm used, this is not without its problems. The possibility of collisions (multiple passwords generating the same hash) and the ability to authenticate using a hash (meaning you only need the hash, not the original password) can pose problems for site owners. It’s up to them how they work with these risks, if they are deemed sufficiently important. Some sites may use encryption, but encryption is reversible and all you need are the keys. There should be no reason why a site would need to know the original password.

While a web-site may be hosted in secure data-centres, with ISO certification, behind firewalls, PCI policies and the like, these measures are rendered useless if your password is compromised. Unfortunately, this happens a lot on sites, as we have seen above. Many sites send your details out in an email, which may be hacked into or “wire-tapped” by an intermediate server or process. (Paradoxically, it is actually more secure to display your password back to you on the screen over an SSL connection than to send it in an email. The downside for the site owner is that this often requires a lot more effort.)

As the site owner doesn’t “know” your original password, actions such as emailing you your forgotten password become impossible. This is why sites send you “activation links”, which have time limits. You request your password using known information (essentially publicly available) such as your email address, which is used to send a unique code that may be clicked on for you to enter a new password. This is protected by your email password (you need access to your email to click the link), is often time-sensitive (the link will only work for an hour or so) and, when using SSL, is encrypted. This is always the method Island Web Works recommends to its clients.

Remember, it only takes one compromise in security to trash a brand.

admin, Articles, Web Site Development

To CAPTCHA or not to CAPTCHA

March 4th, 2011

You’ve all seen them. As you’re browsing a web site you want to register/submit feedback/post a comment, so you start to fill in the form. Then, just as you’re completing the final required fields you are presented with a string of obscure characters that you need to decipher in order to continue. It’s called a CAPTCHA and it doesn’t believe you’re real.

Come on! That's too easy!

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and it is used to prevent web bots from using the form. If you own/manage a web site with a web form you are probably aware of the problem of spam – non-valid posts that range from annoying to damaging. Since spam posts are generated automatically by web bots they can easily outnumber the valid posts and drown out any useful information. In extreme cases over 90% of all the posts from a web form can consist of spam. This makes managing the responses from your web form very demanding, so different methods have been used to filter out non-human responses.

A study in spam

Recently, we hit that particular problem with our own web site. We have a ‘call to action’ form where visitors can request further information about the services we offer. As expected, without any kind of filtering mechanism we got a huge number of spam posts, so we decided on adding a CAPTCHA to the web form.

First, we wanted to try a more transparent version, with no obvious CAPTCHA visible to the user. Method one consisted of an invisible input field which – if filled in – would invalidate the form post. The logic behind this was that web bots would see the invisible field as just another form field, and since they usually fill in all fields in a form to make sure they have covered the required ones, they would inadvertently expose themselves as bots. This worked to a degree, but we still got too many spam posts through.

The next solution was based on a time delay filter. Even the fastest human being would not be able to fill in and submit our web form in less than 5 seconds. By contrast, a web bot would typically complete this task in a fraction of that time, so by filtering out posts generated in less than 3 seconds we should get rid of most spam. Again, this did reduce the amount of spam, but not enough to bring it down to acceptable levels. We’re guessing that web bots might be using a delay of their own before submitting the form in order to mimic a human response.

Final CAPTCHA used on island-webworks.net

In the end, we resorted to implementing a classic text-based CAPTCHA. However, in order to avoid frustrating our users we’ve made it as simple as possible, with only a few characters and very little background noise. Interestingly, even such a basic CAPTCHA has stopped 100% of all spam so far!

How long is a piece of string?

Even if the results of our little test speak for themselves, we are not suggesting that the only good CAPTCHA is a text-based CAPTCHA. It is more a matter of what works for each particular site. What’s more, there are accessibility compliance issues with text-based CAPTCHAs, where screen readers could potentially struggle to help the user submit the form. Adding an audio function which reads out the CAPTCHA code would help, but it’s not an ideal solution.

Another method which we want to test in the future is image-based CAPTCHAs: the user would be presented with a collection of images, and then asked to click on a particular image. This could prove to be the least frustrating CAPTCHA for the user, but it requires a huge database of pre-vetted pictures which might make it unsuitable for smaller projects.

In the end, any type of CAPTCHA will make the submission of your web form more difficult, so it is important to strike a balance between acceptable levels of spam and sufficient levels of human form submissions. We’ll keep testing different approaches and post the results, so watch this space!

Andreas, Web Site Development

Relaunch of the Island Web Works web site

October 18th, 2010

As you might have noticed, we’ve made some changes to the Island Web Works web site lately. Apart from redesigning the look and feel (more on this below), we have moved the Business Intelligence section containing CRM, BPR and consultancy to its own web site under the name of Circle2. The reason for this is to allow the Island Web Works site to focus on its primary function: offering web design services.

Redesigning the Island Web Works site

When we started discussing the requirements for the new Island Web Works site, we quickly agreed that the new site needed a new look. The old site had been online for quite a while and had started to look a little dated. We wanted to make the new site feel more open, which meant abandoning the old layout with a centered column down the middle of the page. Instead we opted for a design that spanned the whole width of the page, although we kept the content to the centre part to give the site some white space in the margins.

Another issue was the Island Web Works logo. As you can see at the bottom of this post, it consists of a yellow band with the company name in blue on top. Whilst the logo is eye-catching and has served us well, its colour scheme limits how it can be placed in a design. Our solution was simply to reverse the logo and remove the band, which made it possible to place it in the carbon-fibre textured header. The colours were instead represented by a yellow line running through the header and the blue in the cloudscape below the header.

We also made the decision to get rid of the Flash animation and replace it with standard JavaScript. The reasons for this are the SEO (Search Engine Optimisation) limitations of Flash and, more importantly, the meteoric rise in the use of smart-phones for browsing the web. Even though some phones support Flash, many, such as the Apple devices, do not. Additionally, by using JavaScript instead we wouldn’t require a special mobile site.

Designing the Circle2 web site

The new Circle2 site uses a similar layout, but has been designed in a more corporate style to fit its main purpose: promoting our business intelligence services and products. Since the Circle2 logo is in black and orange (or white and orange when inverted), we chose to balance these energetic colours by using a calm dark blue backdrop for the header and footer sections. And, again, we opted not to use Flash animations to maintain smart-phone and SEO compatibility.

Connexions™ Content Management

Both sites are built using our new Connexions™ Social Content Management solution, which offers full control over all content. Also, as a matter of course, we made sure that the sites work in all major browsers, including Internet Explorer 6, 7, 8 and 9, Firefox, Chrome, Safari and Opera.

Andreas, Web Site Development

When world politics and web design collide

September 3rd, 2010

World politics and web design are two unlikely bed-fellows, but if you have used a web-form with a list of countries, or are living in a “semi-recognised” country (for example, The Isle of Man), you will appreciate the issues. Add to the equation the complications of postage, taxes, sanctions and embargos and it can get quite complicated.

Defining countries can be a sensitive issue, with some countries not being recognised by others and local usages and naming styles also causing problems. That is why we lean towards the formal when we work with lists of countries. We use accepted international standards as a source for our lists, which allows us to take a widely accepted view of country names around the world, hopefully without causing offence.

This list presents us with problems, however. Consider the screenshot below from a list of countries for a large site we are currently working on:

'Leaking' drop down list with wide country names

The first problem is the large amount of horizontal space used by the entries, which causes the drop down list to be expanded artificially. This makes it difficult to fit into some designs. This is highlighted by the purple arrow. This width is determined automatically by the longest entry in the list, in this case “MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF”. Far be it from us to assert a right to change a country’s name, but we need to reach a compromise. This can either be changing the design to accommodate the wider data or – as a last resort – changing the data (in this case, we could use the commonly accepted “FYR” abbreviation).

I was asked why all the countries are in capitals. “Well, that’s how they come in from the original standard”, I replied. The thing is, capitals require wider horizontal space and it does feel like you’re shouting. I imagine the ISO standard is capitalised to avoid another thorny issue; what exactly should be capitalised in a country name? While “Macedonia, The former Yugoslav republic of” may be technically correct, it may not be politically correct. We decided to stay with the CAPS. Another reason to stick with the CAPS is because users are traditionally used to seeing country lists in capitals. When was the last time you entered your country and it was lower-case? By retaining capitals, we build on this albeit uncomfortable convention.

Semi-recognised countries and transient states are also difficult to navigate. The world is constantly changing and countries are born, extinguished and forgotten even in modern politics. On the Isle of Man, we are in a position that is little understood away from its shores. While we are a crown dependency, and a country, we are not regarded as a sovereign state. So, we tend to be lumped into “United Kingdom”, even though technically we’re not actually in the UK. Web users on the Isle of Man have become used to going for “United Kingdom”, as opposed to hunting down the Isle of Man within the “I”s.

I remember this being particularly contentious when I was working for an e-Commerce web-site provider. While we should provide “Isle of Man” as a country option for reasons of correctness, postage, etc., we couldn’t rely on that data being correct because Isle of Man users may just be used to using “United Kingdom”. If we omit “Isle of Man” from the selection, we might have incorrect data, but at least it isn’t inconsistent.

It can be a minefield, as you are always keen to avoid offending your users, at the very least, in trying to create a positive web experience. It’s also important to lean towards convention when designing user experiences, as your own experience is only one among the hundreds who may have used the site and the millions on the wider internet.

Nathan, Web Site Development

Internet Explorer 6 … not dead yet.

June 2nd, 2010

The internet is a great medium for users to be able to access choices in just about anything they can think of. One of these choices is the application used to browse the web, the web browser. There have been battles in this area for years, often resulting in court action and sometimes in the demise of the product. Just like you “know” your detergent is better than all the others, you also know your chosen web browser is the most secure, fast and friendly browser available.

There are a number of web browsers available at the moment, such as the incumbent market leader Microsoft Internet Explorer and the “new kid on the block”, Google Chrome. Other browsers exist, each targeting specific features such as speed, platform (mobile phones, etc.) or privacy. The chart below from MarketShare illustrates the performance of each browser in the last 2 years or so. (Download the PDF)

Browser version market share since July 2008 (click to zoom)

As various versions of the web browsers are released and market-affecting court action is announced, it is clear how browser share is affected, particularly with the decline of Microsoft Internet Explorer versions 6 and 7 (towards version 8) and the increase in adoption of alternative browsers. The recent European Court ruling that users should be given a choice has resulted in Windows 7 users being presented with a browser election screen, which will be more forceful in that choice, giving users who wouldn’t otherwise be aware of alternatives the opportunity to move away from the “operating system browser”, Internet Explorer.

This choice is good for the user, but presents us with challenges. We need to embrace the latest technologies such as those offered by HTML5, but this needs to be tempered by the implementation of those technologies in browsers and the ability of older browsers to provide an equivalent experience for users. A challenge any web developer [should] have is being able to accommodate users of Internet Explorer 6 (“IE6”). IE6 has been around for years. Shipped as part of Microsoft Windows XP, it is “stuck” in that users of Windows 2000 who upgraded to IE6 cannot upgrade to IE7, and corporate/enterprise users can’t perform upgrades themselves and as such are restricted to whatever the IT department dictates. Therefore, there will be a “hardcore” contingent of IE6 users for years to come yet, particularly as official support for Windows XP (and therefore IE6) only ends in July. These users need to be catered for, regardless of your market persuasion.

This morning, Scott Hanselman drew attention to a CNN article claiming that Internet Explorer 6 was about to die for good, having decreased to 4.7% of browser market share in the US. This seemed to be very optimistic, based on the figures we have seen. Our understanding, provided by MarketShare and being a global metric, is that IE6 continues to retain 17.13% of the browser market share (which also illustrates the disparities in statistics collection). So while its death is surely coming, it’s too early to arrange the wake and we will continue to support IE6 in the meantime for the sites we develop.

Nathan, Web Site Development

Can you trust a web-form?

April 9th, 2010

Can you remember the last web-form you completed on a web site? Can you remember what you entered? My guess is that it was at least a username or email address and a password. Now imagine what a malicious user who “listened in” to your input could access. The odds are that you used the same password as on most other sites you visit, just to get it done. So you’ve just compromised not only the site you logged in or registered with, but just about any account you have online. If I was a hacker, I’d start expanding my attack to big players, like Facebook, Twitter and maybe a few banking sites, just for a laugh.

Every time you complete a web-form on a web site, you are placing a lot of trust in the various parties involved in that connection to the internet, and you won’t know about all of them. Consider the following parties involved in your web-form submission:

Your own computer: When was the last time you did a virus/mal-ware check, and with up-to-date definitions? Viruses are no longer bits of code that produce cutesy messages and graphical effects, they are silent, subversive and distributed. If you have a virus that logs your keystrokes, it could be sending every keystroke to computers all over the world. Your secure connection and password is now useless as basic pattern matching can reveal you just entered your email address and password on a particular web-site.

Between you and the web-site: When a relative reacted with surprise that her emails were not secure, I realised that if you are not internet-savvy, you will approximate your interaction with services and users on the ‘net to the closest thing you have experience of: a telephone call, or a letter. Between your email client or web browser and the recipient or web site is an essentially infinite number of connections consisting of cables, routers, switches, servers and firewalls, none of which can be trusted. Each and every one of these can look at your submission and store it for later use. Of course, no ISP or internet routing agent would do this – knowingly – would they? That’s why HTTPS was developed, which creates a secure, encrypted and certificated connection between parties. But HTTPS only works if you have sufficient trust in the issuer of the certificate, the certificate is itself valid, and the submission of data is also encrypted (your URL may say “https”, but your submission may go in “plain-text”, using “http”). Which one of us checks all this before sending our data?

The web site: While you may like to think we only go to reputable web-sites, there are times when we stray off the well-trodden path to buy that unique gift, sign up for that cool service, and so on. When you submit details to a web-site, you are placing trust in that site to capture that information and store it securely. We like to think that our submission goes straight into the database, never to be seen again except electronically when we need it - but what guarantee do you have? Without looking at the source code of the web-site, which would challenge even the most technical of users, you would never know if they were harvesting passwords or credit card numbers, selling email addresses, and so on. And what if some malicious software has infected the site itself?

The authorities: The digital revolution is happening very fast, faster than the authorities can keep up with. Public authorities, whether executive, law-enforcing or intelligence-gathering, all have a degree of inertia as they are always playing “catch up”. This results in rapidly developed legislation, which is not always well thought through. Consider the Regulation of Investigatory Powers (RIP) Act 2000, or the Digital Economy Bill currently rushing at light speed through parliament as I type so that it completes before the General Election. Such legislation is often rushed at the cost of adequate and fair consultation and implementation. Your data is subject to searching, retrieval and submission by your ISP and nominated public authorities.

As a company specialising in quality web-sites, we are aware of issues such as security and trust when users enter data in web-forms. While it isn’t possible to manage the entire communication (for example, we could never check your own computer remotely!) we will do what we can by adopting best practices in capturing your data and storing it securely. Recent projects we have worked on require highly sensitive information, which is central to the user’s identity and to the viability of a business as an agent of trust. Therefore, it is essential that we implement everything we can to manage the risk of data being compromised.

Our approach starts with recommending that clients who have a web-form requesting sensitive data (including username and password) purchase an SSL certificate for HTTPS. This encrypts and signs the communication and acts as one layer of trust. When we store passwords, we store them as a one-way hash, so the original password cannot be recovered even if the database were compromised. (This is why it can often be a pain to retrieve a forgotten password from some sites - they don’t know your password either, so they need to prove your identity first before resetting it for you.) We employ best practices in anti-cracking to prevent or restrict the opportunity for, and effectiveness of, techniques such as buffer overflow, cross-site scripting and cross-site request forgery. Finally, we recommend how the hosting infrastructure is implemented, so that security is reflected physically. This involves splitting servers across firewalls to limit the possibility of a compromise and the extent of damage should one occur.

No web-site can be 100% secure. Working with user-submitted data is about managing risk rather than eliminating it. There are many techniques that can be adopted, ranging from the technical to the social. You might not realise it, but these tools are already in use at sites you regularly visit. Online banks use subtle techniques when asking for your memorable word to defeat key-loggers, web-sites use CAPTCHAs to prevent automated attacks, and login forms report “unknown username and/or password” rather than distinguishing an unknown username from a wrong password, to avoid confirming that an account exists for someone to try to crack. There is a toolkit of anti-cracking techniques; the strength of the professional lies in employing them tactically and effectively for the application.
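As an added example (not code from the original post or from the company), here is how two of the practices described above fit together in Python: passwords stored as salted one-way hashes, so the site cannot hand them back and can only reset them, and a login check that returns the same failure message whether the username is unknown or the password is wrong. The users table and the sample account are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed in-memory stand-in for the users table: username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {}

# One message for every failure, so the form never confirms that an account exists
LOGIN_FAILED = "Unknown username and/or password"

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). PBKDF2 is one-way: the site keeps the digest,
    never the password, so a stolen table does not give the password back."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)

def reset_password(username: str, new_password: str) -> bool:
    """The only recovery path: the site cannot retrieve the old password."""
    if username not in USERS:
        return False
    USERS[username] = hash_password(new_password)
    return True

# Dummy credential hashed for unknown usernames, so a lookup miss costs the same
# work as a real check and response time does not reveal which accounts exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-password")

def login(username: str, password: str) -> Tuple[bool, str]:
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time; the membership check stops the dummy
    # credential itself from ever logging an unknown user in.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "Login successful") if ok else (False, LOGIN_FAILED)

if __name__ == "__main__":
    register("alice", "correct horse battery")  # constructed sample account
    print(login("alice", "correct horse battery"))          # (True, 'Login successful')
    print(login("alice", "wrong"), login("nobody", "wrong"))  # identical failure text
```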

Nathan Web Site Development

10 Ways to make sure your Web Site specification succeeds

February 9th, 2009

Developing a Web Site can be great fun and an opportunity to show the world what you can do in a modern and accessible format. But before you get started, it’s important to consider how to develop your requirements of the site. Have a look at these 10 tips to help you get started:

  1. Appoint a Project Lead for the web site. This helps you form a coherent project with a central point of contact and responsibility. It helps us because we know we can talk to them and use them as a “channel” into the business.
  2. Have you thought of the “back office”? Many sites, particularly e-Commerce sites, require support behind the scenes to track stock, monitor user submissions to the site and handle more mundane issues such as who is responsible for receiving contact requests from the site.
  3. Make sure you have a clear purpose for your web site. Is it a brochureware site where visitors can find out what you’ve got to offer? Is it an extranet site that extends your internal business system(s), helping both you and your customers? Or is it an e-Commerce site that needs to make a profit in its own right?
  4. What is the site’s target audience? Are they young, old, professionals or casual shoppers? This will help decide what kind of user interface is appropriate, and what design style will work best.
  5. Keep in mind the increasing legal requirements for accessibility for hard-of-hearing or partially sighted users, who may require larger text/contrasting colours or browse using alternative platforms such as braille or speaking browsers.
  6. Do you have a marketing campaign for your new web site? Remember to add your web site to all your stationery, outgoing emails and branding to embed your web site address (URL) into the minds of your [potential] customers.
  7. How will the site be maintained? Will it be updated regularly? If so, you can use a Content Management System to manage your own content, such as our ACTMaster CMS.
  8. How will you measure the effectiveness of your site? We can help configure statistics and analytics to help you quantify visits, but this goes hand in hand with less quantifiable analysis such as asking your new customers if they found you through your web site.
  9. How interactive will your site be? While techniques such as Flash are great for users who have it, some information is better presented in a page of text - especially for optimising for search engines.
  10. Having a look at how other sites look and feel can help a lot. A great starting point is our Portfolio of recent sites to help get some ideas and form a starting point for your own site.

Andreas Web Site Development