I saw the following post on Facebook the other day and it really demonstrates how important it is to stick to standards on the web, and that nice URLs are far more user friendly.

Which of those links would you click on? If you chose the first you wouldn’t have hit the page The Boileroom were hoping you’d see because the URL uses the | character which Facebook apparently doesn’t think can be part of a URL.

Note how the second link is no more SEO friendly than the first, but it’s definitely more user friendly. I think it’s vital that website designers place as much importance on the URLs used on their sites as they do on aesthetic and SEO considerations. A clean, simple URL looks sharable; it won’t put people off sending the link to their friends and it won’t get broken by websites that don’t cope with every valid character.

Think about how your URLs look, how they will be used, and make sure you design them so that when they get shared they look inviting and actually work, even with poorly written HTMLifier.

I also think that whoever posted this on Facebook needs shooting. Why didn’t they immediately delete this post when they saw that the first link won’t work and repost it using a URL shortener? Social media fail!

It’s 5am and I can’t sleep. When this happens I usually fire up Boxee and find something to watch, so that’s what I did. I was happy to see that since the last time I used it Boxee appear to have added a bunch more internet sources, which is great. However, the following 15 minutes were nearly the most frustrating of my life so far.

I understand regional restrictions. I don’t necessarily agree with the reason they’re there, but I understand why.

What I can’t understand is why they’re not shown up-front when browsing available content. On sites like Joost, Hulu and others you have to actually start streaming content before you get told you can’t view it. They clearly know where you’re coming from but they still insist on not telling you what you can and can’t watch until you actually try.

Maybe there’s a technical reason why it works this way (I can’t think of one that couldn’t be easily worked around), or maybe there’s a licensing reason for it. Whatever the reason it makes attempting to use any of these sites more and more frustrating the more region-limited content they contain.

So here’s my plea… please will these sites make it clear from the highest level possible in the browsable structure whether content is viewable from my current location. That’s all I ask.

Boxee themselves don’t help out with this problem. Take theWB for example. You can’t access the website at all if you’re outside the US (see below), but you can if you use Boxee. Right down to the content level, but when you start streaming you then get a message telling you it’s restricted.

So, Boxee and co… sort it out!!

Twitter promised OAuth support a l-o-o-ong time ago, and it would appear to finally be here. Alex Payne sent a “Call for OAuth beta participants” to the developers list yesterday and had an overwhelming response. This predictably triggered a deluge of tweets and blog posts, but the one that caught my eye was on ReadWriteWeb titled “Why Twitter’s New Security Solution Could Pave the Way to a Future Web of Mashups“.

A number of things disturbed me about this post so I posted a comment or two but I believe the issues involved deserve more attention.

First of all the post asserts that sharing our Twitter password with other websites and applications “makes a lot of us very uncomfortable”. If doing that makes you feel uncomfortable, don’t do it. And this is my main criticism regarding this post. OAuth is being hailed as a solution to sharing your password with third parties, and it is, but it doesn’t protect your account once you’ve given a third party access. And surely the more important message is that if you care at all about the security of your Twitter account you should not be sharing your password with anyone but the Twitter site, an even then only after you’ve checked and double-checked that you’re on the actual Twitter site.

OAuth partially solves the problem in that third parties don’t get your password, but they still get access rights to your account. They’ll still be able to read your direct messages and post tweets and direct messages on your behalf.

The point here is that even with OAuth you are still giving a third party access to your account albeit slightly more limited access. We’re yet to see any details regarding the Twitter implementation of OAuth, and a lot will depend on how fine-grained the permissions system is and how their side of the user experience looks and works, but I think my point is easier to explain with an analogy.

The common analogy used with OAuth is that of a valet key for your car. These are special keys that only allow your car to be drive a few miles at most – just enough to be parked and then brought back to you, essentially giving limited access to the valet. However, consider that you’re still leaving your car with the valet unattended for maybe a few hours. They can get into the car. They can drive it on to a car transporter. They can then take it anywhere they want where they can take it apart to disable whatever security you have until they get full access. You’ve not made your car “secure”, you’ve limited the damage that can be done and made it harder to take it away from you, but if they’re determined you still may never see your car again.

Ok, so the analogy doesn’t completely work since you can’t take a persons Twitter account away with OAuth and gain full access given enough time, but the basic point remains. You’re still giving someone access to your account therefore implying you trust them.

This is known as security theatre which is another way of saying it gives people the illusion of security where the benefits are actually minimal.

OAuth comes with risks as well as benefits, and these are rarely covered. Let’s say I’m a “bad guy” and I want to collect Twitter users passwords. Pre-OAuth it’s pretty easy, you just come up with a viral application and work hard to get people using it. Post-OAuth it’s a little more difficult but how much more depends on how Twitter have imlemented it.

Let’s take the worst-case scenario in which Twitter have used a plain login page for OAuth authentication. I as the “bad guy” write my application so it appears to be taking users to Twitter to authenticate, but in actuality the login page is still on my website. It looks like Twitter, it acts like Twitter, and most enough users will believe it’s Twitter to make it work. Once they enter their username and password I can simulate a login against the actual Twitter site to confirm they’re correct, store them away and take the user to my application just as if they’d signed in on the real Twitter site.

The simple fact that OAuth redirects the user to the Twitter site for authentication allows this phishing attack to be pretty successful.

Now, Twitter can prevent this from happening using a personalisation feature such as allowing the user to upload a secret image that’s then shown to them on the login page. Because only Twitter has that image when a user sees that they know they’re on the real site – various OpenID providers use this system. Let’s hope Twitter has implemented something similar.

Ok, so having read all that you might get the impression I’m anti-OAuth. I’m certainly not. I believe that OAuth will be a great thing for Twitter, but I feel it’s important that all the coverage it’s getting also highlights that there’s still trust involved between the user and the third party. It’s about setting realistic expectations, because believing something is secure can be far more dangerous than it actually being insecure.

I’ve been accepted into the OAuth private beta and I’m excited to see what Twitter have implemented.

Finally I just want to state that I have great respect for Marshall Kirkpatrick and the work he does over at RWW. I wish I could blog as often as he does and stay interesting. Maybe in 2009 I should try it. Hmmm…

In my opinion this is a major curse on the internet today and it’s usually large corporations who “don’t understand” that do it, but in this case it’s a supposedly modern internet-based company, gocompare.com.

The problem is requiring more information from the user than you actually need to perform an action. In this case it’s unsubscribing from a mailing list, but I’ve seen plenty of examples around the web that do this in other situations.

To unsubscribe my email address from a mailing list you need nothing more than my email address. FACT! Requiring me to remember the password I used to sign up 12 months ago to a service I never thought I’d need to log into again is just plain annoying. And as for requiring my date of birth, why?

“For security” I hear you cry. For what? Why would anyone want to maliciously unsubscribe me from getting reminded that my car insurance is due? It’s just not gonna happen.

As I’ve stated in a previous blog entry, if someone wants to unsubscribe from your mailing list there is absolutely no commercial benefit to making it difficult to accomplish. I don’t want your emails so forcing me to continue getting them is going to do nothing but annoy me which will likely put me off using your company for anything ever again.

This is really daft. It’s been widely covered recently that the BBC iPlayer service is taking off in a big way which is great news for the future of TV. Unfortunately some ISPs are throwing their toys out of the pram and complaining that the increased bandwidth usage is costing them a lot of money and that the BBC should help cover the cost.

This strikes me as an extension of the equally stupid claim that it’s ok to have fair usage limits on unlimited broadband packages. The ISPs provide connectivity to their users and it’s up to them to set their terms of use. If they feel they need to bring in more cash to cover the additional costs incurred by these additional services they should price their packages accordingly, but they should also do so as transparently as possible and not try to pass the cost on to content providers and certainly not to the tax payer.

The BBC is providing a great service, but they’re by no means the only organisation to be causing increased bandwidth usage. ITV, Channel 4 and Five all have video on demand services but the ISPs haven’t complained about them, almost certainly because they haven’t been anywhere near as popular as the iPlayer service but they’re still contributing to the increased load.

Then consider the other streaming video services such as YouTube and Vimeo. Why haven’t the ISPs gone after those services? Could it be that they think the BBC is an easier target because it’s publicly funded?

In my opinion ISPs should concentrate on providing the service they advertise themselves as offering… namely reliable internet connectivity. In addition they should be more accurate in the descriptions of their packages such that hidden limits like fair usage policies are pushed to the top of their marketing material. An 8Mb “unlimited” connection with a 3GB monthly fair use limit is not unlimited by any definition of the word and it’s particularly limiting in this world of streaming video and other high-bandwidth services.

The ISPs need to wake up and recognise that they’ve fallen behind the curve and they need to commit some serious investment to upgrade their infrastructure so it’s ready for the next step up in bandwidth demand. Yes it will take a lot of money and probably a fair amount of time, but personally I’d rather pay 50 quid a month for a fast, reliable, properly unlimited connection than a tenner for one that’s slower than the advertised speed and limited in ways that make it practically useless for today’s internet.

It seems to me that they just want to take your money and provide the minimum service they can without you complaining about it. It’s up to the consumers, yes I mean you, to raise the bar for them and demand decent service and transparent advertising. As with all services you buy, if your ISP isn’t performing well enough, change it.

Not having much luck with the blog these days.

Easily took over 3 weeks to change the nameservers on the domain record for stut.net. In the meantime the servers that were running the old nameservers were taken offline. The result… stut.net dropped off the net, both webwise and email.

I’m not happy and will be going through the evil manual process of moving stut.net to Gandi where most of my other domains live. This is something I’ve been avoiding for a while. Why it’s still an offline process is beyond me, but if that’s what I need to do to get away from an incompetent company then so be it.

If you’ve tried to email me during the past 2 weeks chances are I didn’t get it, so if you haven’t had a response please send it again. Thanks.

Really not happy!

Weird one. For some reason today WordPress decided to develop some parse errors. Not sure what happened, but I’ve installed a fresh copy with no plugins or themes (hence the lovely default design).

It’s kinda pointless me doing the work to get it back to where it was since I have some pretty big changes to my site in the pipeline, so for now this will do.

I’ve disabled the link dumper from del.icio.us. It’s a great feature but my other posts are getting lost. I’ll be putting together a new site for links but until I do you can see my bookmarks on my del.icio.us page.

In a message to the php-general mailing list, someone named Jan Reiter made a frightening statement…

But if it’s a rented server, apache overhead isn’t your concern, so go on and let your provider worry about it!

As someone who runs a shared hosting provider this comment made me cringe. I’m assuming that by “rented server” (s)he means shared hosting since in a dedicated server context it makes no sense.

Regardless of what you’re doing (read the full thread to find out what this particular user wanted) it is important to consider the environment in which your website will be running. If you are a resource hog most hosts have terms and conditions that allow them to terminate your account. But more importantly you need to consider the effect you are having on the users you share that server with.

If your site suddenly started slowing down because another user was hogging all the resource on the server you’d be complaining before I could say “it’s good to share”. If your site gets to the the point where it’s using too many resources for you to continue on a shared server, congratulations you should now graduate to a dedicated server, but don’t take concious steps to use more resources than you need to. It will likely have a detrimental effect on your site nevermind the rest of the server.

And so I appeal to all shared hosting customers everywhere, remember that you’re sharing your physical home in the ether. Be considerate, don’t play loud music too late and don’t start monopolising the space.

Rant over.