General site feedback



Tempest
07-05-2017, 02:19 PM
There are a few things about this site I've noticed that I felt like writing down for users to see.

1. The site has no SSL certificate. The last "reason" I could find was that it costs money and the risk of a MitM attack is too low to justify it. It's 2017. You can get SSL certificates for free*. There is no excuse except for pure laziness.

2. Passwords are transmitted in plaintext. The combination of this and no SSL is just fucking stupid. Now, since the email password recovery doesn't actually work (I submitted a request 3 hours ago, no email), I can't confirm this, but from what I read on another feedback thread, this function literally just emails you your password. In plaintext. For those of you who don't know, this also means that the admins can view your password in plaintext. If you use the same email and password on any other site... well, you can figure out the rest. This is not acceptable in any way.

3. The general UX is a goddamn mess. As I type this, I'm looking at the WYSIWYG editor in all its glory, with almost every icon missing. The HelpDesk article on submitting a ticket is VERY badly worded. This could be solved by actually putting some effort into tying the different systems on the site together (helpdesk, forums, etc), instead of just throwing them onto the site and hoping they work. Additionally, why is the only upgrade option under the "upgrade" tab in Bot CP the 200 option? Why do I have to search through the other tabs to find the less extortionate options? This is either deliberately misleading, or just stupid UX design again.

I'll add anything else I find to this post, but from what I've seen so far, the whole website is just a mess.



*in case you've been living under a rock, https://letsencrypt.org/

Sean2525
07-05-2017, 03:32 PM
Wow, I'm not sure exactly what made you go off this morning but I think you need a hug.

Also let's get some things straight. We are currently in 2017, so if you are using your password on more than one site that's your own fault. Since you know so much about security I don't see why it stressed you out when something doesn't go your way. You act like a child to me when you rant like one.

Tempest
07-05-2017, 03:56 PM
Wow, I'm not sure exactly what made you go off this morning but I think you need a hug.

Also let's get some things straight. We are currently in 2017, so if you are using your password on more than one site that's your own fault. Since you know so much about security I don't see why it stressed you out when something doesn't go your way. You act like a child to me when you rant like one.


Yes, it's partially on the user to use different passwords for each site, or to use a password manager to generate passwords etc, but there is never a situation where it is acceptable to store passwords in plaintext. That is just poor web dev practice. That attitude is what pisses me off - the fact that the staff seemingly don't care.

Sean2525
07-05-2017, 04:07 PM
"The staff doesn't care" is a very bold statement. Only RiD has access to the site so that's irrelevant to me honestly. RiD is putting all his focus into Genesis and he did say once it's released and not in beta the site will get some updates. So unless you know exactly what you're talking about don't make statements for someone else.

Tempest
07-05-2017, 04:14 PM
"seemingly" was a fairly important word in what I said. Every response I've seen to any of the issues I mentioned has given the impression that the staff don't give a shit about the website. The only actual response on the SSL issue was that until the site is "operational" with an active product, it's not worth renewing the cert. Which is bullshit. This is a live website with active users - do you not want to give the users the best security you can? Or, going back to my original point, do the staff just not care? Adding a new SSL cert with LE is trivial. I'm sure if RiD is unwilling to give somebody else who knows what they're doing access to do so, he could take 10 minutes out of his busy schedule to do it himself.

iStokee
07-05-2017, 04:21 PM
It is a bummer that you have not had a good experience thus far.

I am going to deliberately ignore your first two points because as Sean said before, RiD handles all of that himself so there is little anyone else can do about it. As far as the user experience, I suppose I can see how, at first glance, the site seems a little rough around the edges - because in some aspects, it is. Take the editor for example; it has been this way for as long as I have been on this site, and I am guessing for a lot longer. Again, at first glance it seems broken, however it definitely works (despite the icons missing) and really the missing icons are sort of a running joke around here. Once you learn where things are in the editor you actually forget that they aren't labeled. Or at least I have :idk

In terms of the HelpDesk, what exactly were you looking at that was unclear? I myself just took a look through and didn't see anything that was unreasonable, but perhaps my familiarity with it has given me a different perspective. If you can point me to what you were looking at, I can do my best to provide some clarity.

Lastly, as Sean also said, right now all of RiD's attention is focused on Genesis development. Those of us who have been participating in the testing phases know how much has been put into it thus far, and have all pretty much accepted that anything non-development related has been put on the back-burner. You may or may not agree with this decision, but this is what the Site Administrator has decided, and that's how it is going to go for now. I appreciate the feedback you have given, and if you see anything else that could use some improvement certainly let us know! If it is related to core site functionality there is likely little we can do; however, if it is something such as "these instructions <here> need to be updated" or the like, then we can probably get something worked out.

Tempest
07-05-2017, 04:39 PM
First, thanks for the first response that actually contains something relevant to the points I brought up, rather than just avoiding it with ad hominem attacks.

Familiarity with a site preventing you from seeing glaring UX issues is a very common issue. While you know where all the buttons on the editor are, people like myself who have only just joined the site have no idea. It doesn't really make for a great user experience to have to hover over each blank square to see what it actually does.

My HelpDesk point was referring to this: http://i.imgur.com/yuZgIvT.png

In the helpdesk article explaining how to create a new ticket (which, by the way, should not be necessary), it correctly outlines how to find that exceptionally badly placed button. My main issue was the placement of those buttons. It's not even clear at a glance that they are, in fact, buttons. The huge, non-dismissable alert telling me that "Genesis Beta is now available to non-ViPs" doesn't help in this regard. Having an article which clumsily explains to the user where those buttons are isn't a great solution.

I do get that RiD is busy working on the bot, but I also have enough experience in the development industry to know that there's a fairly significant chance that either these things will never be fixed, or they will be rushed and fixed badly. This is almost always the case when the entirety of development is done by a single person. I apologise if I was overly aggressive in my first post, but again, seeing that my job for the past 7 years has revolved around creating and managing websites, and evaluating UX, seeing a website as poor from a UX perspective as this one frustrates me to no end. Mainly because none of the issues I've outlined are difficult to fix.

Also, for anyone who doesn't understand why SSL is a big deal - let's say you log into this site on any sort of public network, be that an internet cafe, library, whatever. If somebody happens to be watching traffic on that network, they can see exactly what you're typing into any form on this site. That includes your username and password. The plaintext passwords don't really come into play here since as far as I know, the software used on this site (vBulletin, etc) doesn't actually hash passwords until they hit the server side. I may be wrong there, I've never actually used vBulletin, only read the docs. It's still exceptionally dumb to store passwords anywhere in plaintext though.

Gritz
07-05-2017, 05:54 PM
looks like someone watched too much Mr Robot

xcendrox
07-05-2017, 06:04 PM
I've wasted some of my time to read this post, and what I have gathered is that you, Sir, need to relax and chill, perhaps smoke some of the devil's lettuce and mellow out. I'd prefer RiD to use whatever time he has on Genesis development than working on the things you are pointing out. I'm sure many think the same way.

The site works perfectly fine now. Once Genesis moves out of BETA and is released for consumers then yes I agree the site needs some work but nothing that really needs to be done now.

iStokee
07-05-2017, 06:19 PM
Alright gents, no need to flame the OP for simply expressing the concerns he has about the site, especially given that he has done so rather articulately. RiD has seen this post and has undoubtedly noted the concerns expressed here, so he will do with that information whatever he deems necessary.

Tempest
07-05-2017, 06:21 PM
looks like someone watched too much Mr Robot

Or actually gives a fuck about security in the industry I work in. I don't see how explaining what attacks are possible due to a lack of SSL protection means that I watch too much Mr Robot. It's a real-world attack, which some users may not be aware of. I'm sorry for trying to make people aware of a risk they may not have known about. Fuck me, right?

xcendrox: I agree that RiD needs to spend his time working on Genesis, but there is nothing stopping him from letting somebody else who knows what they're doing handle the website side of things. However, are the people using Genesis right now not "consumers"? Why is it acceptable to have, to be quite honest, awful standards for a site just because the product it's advertising is in beta?

Asdfs
07-05-2017, 06:34 PM
I don't understand the hostility here, Tempest has merely pointed out some flaws with the website which potentially can have massive implications for some users. They are quick fixes, and I have done this before so know it personally.

A reaction like the one that has occurred here, from certain users, will never help to improve the experience that comes with RiD (whether that be through the community, the bot's security, features, website's security etc).

Tempest
07-05-2017, 06:37 PM
I don't understand the hostility here, Tempest has merely pointed out some flaws with the website which potentially can have massive implications for some users. They are quick fixes, and I have done this before so know it personally.

A reaction like the one that has occurred here, from certain users, will never help to improve the experience that comes with RiD (whether that be through the community, the bot's security, features, website's security etc).

Pretty much this. I feel like my initial aggression on the subject may have stopped people from actually reading what I was saying. And as you said, none of these issues is difficult to fix, and some of them open up some pretty nasty vulnerabilities.

Sean2525
07-05-2017, 07:05 PM
If you wanted to truly get somewhere with your ideas, starting your thread off with a rant didn't help it. I don't care how you feel about the negative feedback you received but I'm letting you know it was mostly from the initial post. Honestly I agree with the SSL and other security but ranting doesn't help to fix anything. If you have more concerns shoot me or another mod a PM if you'd like, or a support ticket. Thanks for your concerns and your time explaining them.