Sunday, February 03, 2002

 
Posted by Mike Tarrani 3:43 PM
How not to launch a commercial service. This weblog is hosted on a free service called blogger, which has just launched a professional offering that is reasonably priced, but ultimately not worth the price unless you are (pick one or more):

1. Currently using IE 5 or above
2. Unconcerned about security
3. In agreement that item 2 applies and you're willing to use IE 5 or above
4. Unaware of the ongoing problems documented in the site status log, which indicate bigger problems than requiring a vendor-specific browser

What are my real issues? First, the status log shows that this is one unstable system, even with the professional service. One of the features is Priority Server Access, yet the log shows problems in paradise.

Second, looking at the Tuesday, January 22, 2002 entry in the status log leads me to conclude that changes are made to the production system without any testing and release procedures. Hence, I doubt there exists a test system (unless you consider the production servers to be the test system, which is what I suspect). That accounts, in my opinion, for a good deal of instability that is reported in the status log. A professional option that gives Priority Server Access will not and cannot guarantee that what goes on in the background isn't going to deny access because of some silly change (feature, fix, whatever) that the cowboys and cowgirls running this system feel like making.

Given the manifold security problems associated with VBA, which I suspect is the reason IE 5 or above is required to use the professional option, who in their right mind is going to willingly use VBA on the Internet? Another red flag is the Professional Option FAQ which cannot be read without IE 5 or above!

What's my point? Here is a service designed to bring revenue into a company that disenfranchises Linux and UNIX users, anyone who is security conscious regardless of their browser choice, and forces customers into using a browser they may not otherwise want to use. I had IE completely removed from my machine, which was no small feat. I'm certainly not about to put what I consider a virus back on just to pay someone for the privilege of using many features I don't need in order to get a level of availability that doesn't seem to be possible given the support practices I've extrapolated from the status log. It does serve as an example of what we IT professionals sometimes inflict on our own users, and therefore, should go into the worst practices category. Think about this worst practice if you're designing a B2C system. If you want to read about best practices I recommend a visit to World Wide Web Consortium, especially their Seven Points, which leads off with Universal Access (i.e., browser-independence), and their online validation services that allow you to validate compliance of your pages using their online tools. I also recommend a book titled Web Project Management that shows not only how to manage web projects, but also how to make them customer-friendly.

Notes: Some sources upon which I base my security concerns include:

• Security Tracker Alerts
• Internet Explorer security (Georgi Guninski Security Research)
• VBA Implementation & Virus Risks whitepaper (PDF format)

Postscript added 18:30 PST: The following is an example of a browser-independent web application. This example is a heck of a lot more difficult than a GUI edit window and spell checker, and the designer managed to pull it off without requiring a specific browser brand or version. It shows what can be developed when the developer(s) know what they're doing.