Implementation of the site of the registry of banned sites: again twenty-five!
The other day I decided to see how "the thing everyone talks about so much" actually works. Leaving aside the debate about the relevance and necessity of the freshly baked legislation, let's focus on the implementation of one important link in the proposed system: the website of the unified register of prohibited resources, and how it handles an application to add a resource to the registry.
As the victim I chose the site of a very dubious Chinese online store, which nevertheless works with Russian-speaking users and sits on a domain in the “.ru” zone. I omit a detailed description of the situation; I just hope the venerable audience will take it on faith that the victim has sinned more than enough to at least serve as the guinea pig in this experiment. It is worth mentioning, however, that formally none of the categories of prohibited content is present on the site: at least, I have not found any propaganda of suicide or drugs, or child pornography.

Let's start the experiment, describe our actions, summarize the results and draw conclusions.
Experiment Objectives
1. Check whether an ordinary citizen can add an arbitrary resource to the unified state register of prohibited resources using only commonly available means of network access.
2. Get a response to the initiative.
3. Report problems if they occur.
4. Evaluate the system.
Experiment Description
Like an ordinary mortal who has heard the bell ring but does not know where it is, I turned to the Yandex search engine, which guessed my query with an exact suggestion before I had even finished typing it. Once on the registry website, I had no trouble finding, in the plain menu, the section for applying to add a resource to the registry. The dry bureaucratic name of the menu item, “Receiving Messages”, is not intuitively perceived as exactly what I needed, but of the four items it turned out to be the only one whose meaning implied feedback, so there was no way to get confused.
Now a page appeared in front of me with dry “blah blah blah” text (2600+ characters) and the desired form below it. In general, such systems do not sparkle with usability delights, so I was certainly not too surprised that the title of the form under the text is styled as normal page text, only highlighted in bold, and reads "Submit a message about a resource containing prohibited information".
The required form field “Index of a site page on the Internet (with the required protocol)” really does require the protocol, and also the absence of leading spaces, which I had accidentally pasted into the field in front of the value when copying it from an external source through the operating system clipboard.
Further research also showed that almost all checks of the form field values against the required formats are either very superficial or absent altogether. There is no AJAX; submitting the form reloads the page completely. And, of course, in the best traditions of bureaucracy, input errors detected by the server software are reported strictly one per submission attempt. And of course the Turing test has to be passed again and again, even if it was completed successfully in yet another unsuccessful iteration of the request. On the positive side, the only thing worth noting is that the values of the filled-in fields are preserved when a submission attempt fails.
Special attention went to the “Additional Information” field, which limits the text value to a maximum length of 500 characters. First, in keeping with the tradition described above, the requirement is presented as an error only after an attempt to submit the form. Second, an attempt to enter 340 characters (92% of them Cyrillic) in this field also failed. Apparently the length of the string value is checked as if for a single-byte encoding, even though the site works in UTF-8. As a mere mortal I suspect none of this, and I shorten the text until the server finally accepts the form.
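The suspected byte-versus-character mismatch, together with the leading-space and one-error-per-attempt problems described above, as an added example (not the registry site's code, which the post does not show). The function and field names are hypothetical, and the sample text is constructed to match the 340-character, 92% Cyrillic input from the post.

```python
from urllib.parse import urlsplit

MAX_INFO_CHARS = 500  # limit the form states for "Additional Information"


def byte_length_check(info: str) -> bool:
    """The suspected faulty check: counts UTF-8 bytes, not characters."""
    return len(info.encode("utf-8")) <= MAX_INFO_CHARS


def validate_submission(url: str, info: str) -> tuple[dict, list[str]]:
    """Normalize the fields and return (cleaned_values, all_errors_at_once)."""
    errors = []
    url = url.strip()  # pasted values often carry leading or trailing spaces
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        errors.append("url: protocol (http:// or https://) is required")
    elif not parts.hostname:
        errors.append("url: host name is missing")
    # len() on a str counts Unicode code points, which is what a
    # "500 characters" limit promises the user.
    if len(info) > MAX_INFO_CHARS:
        errors.append(f"info: {len(info)} characters, limit is {MAX_INFO_CHARS}")
    return {"url": url, "info": info}, errors


# Constructed sample: 340 characters, 313 of them Cyrillic (2 bytes each in UTF-8).
SAMPLE_INFO = "ж" * 313 + "a" * 27

if __name__ == "__main__":
    print(len(SAMPLE_INFO), "characters,",
          len(SAMPLE_INFO.encode("utf-8")), "bytes")
    print("byte-based check accepts:", byte_length_check(SAMPLE_INFO))
    print(validate_submission("  http://example.ru/page", SAMPLE_INFO))
    print(validate_submission("example.ru", "x" * 501)[1])
```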
In the end I overcome all the difficulties and the server swallows the completed form, which I learn from a rather plain, dry message; in front of me again is the same form, this time cleared of what I had entered. Stop! Where is the confirmation page? You know, to see what I entered, make sure that everything is correct and confirm, or, on the contrary, find an error and go back to editing the entered data? This hardly seems a trifling action: I am applying to have a resource blocked for millions of people, and what if I got something wrong? Oh well: at least they accepted it.
Experiment Results
We are waiting for a reaction, especially since I entered my email address in the data and set the checkbox “send reply by e-mail”. I remind you: my application is knowingly false, although I did not say so directly.
A day goes by. The answer arrives by email:
Hello!
Thank you for your active citizenship, but we inform you that the address http://... .ru/ indicated in your appeal does not contain the information provided for in paragraph 5 of Article 15.1 of the Federal Law of July 27, 2006 N 149-ФЗ “On Information, Information technologies and information security.”
Sincerely,
THE FEDERAL SERVICE FOR SURVEILLANCE IN THE FIELD OF COMMUNICATION, INFORMATION TECHNOLOGIES AND MASS COMMUNICATIONS.
Here the subject of the letter is curious, which looks like this:
ROSKOMNADZOR informs ??
And all because the encoding of the letter was again performed without taking into account the details of folding the header fields described in the RFC, and the features of this process for multibyte encodings:
Subject: =?utf-8?B?0KDQntCh0JrQntCc0J3QkNCU0JfQntCgINC40L3RhNC+0YDQ?= =?utf-8?B?vNC40YDRg9C10YI=?=
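What goes wrong in this header, as an added example (not code from the registry site): RFC 2047 requires every encoded-word to hold a whole number of characters and to be at most 75 characters long, but here a two-byte UTF-8 character is split between the two words. The helper names are hypothetical; the header value is the one quoted above with the rendering's stray spaces removed.

```python
import base64
import re

SUBJECT = ("=?utf-8?B?0KDQntCh0JrQntCc0J3QkNCU0JfQntCgINC40L3RhNC+0YDQ?= "
           "=?utf-8?B?vNC40YDRg9C10YI=?=")
WORD = re.compile(r"=\?([^?]+)\?[Bb]\?([^?]*)\?=")  # B-encoded words only


def decode_per_word(header: str) -> str:
    """Decode each encoded-word independently, the way a strict reader does."""
    return "".join(base64.b64decode(b64).decode(cs, errors="replace")
                   for cs, b64 in WORD.findall(header))


def decode_joined(header: str) -> str:
    """Lenient recovery: concatenate the raw bytes first, then decode once."""
    words = WORD.findall(header)
    raw = b"".join(base64.b64decode(b64) for _, b64 in words)
    return raw.decode(words[0][0])


def split_characters(header: str) -> list[int]:
    """Indexes of encoded-words whose payload is not whole characters."""
    bad = []
    for i, (cs, b64) in enumerate(WORD.findall(header)):
        try:
            base64.b64decode(b64).decode(cs)
        except UnicodeDecodeError:
            bad.append(i)
    return bad


def encode_subject(text: str, charset: str = "utf-8", limit: int = 75) -> str:
    """B-encode text, starting a new encoded-word only between characters."""
    def wrap(chunk: str) -> str:
        payload = base64.b64encode(chunk.encode(charset)).decode("ascii")
        return f"=?{charset}?B?{payload}?="

    words, chunk = [], ""
    for ch in text:
        if chunk and len(wrap(chunk + ch)) > limit:  # RFC 2047 word limit
            words.append(wrap(chunk))
            chunk = ""
        chunk += ch
    if chunk:
        words.append(wrap(chunk))
    return "\r\n ".join(words)  # folded header: CRLF plus a leading space
```

Decoded word by word, the header yields two replacement characters in the middle of the second word of the subject, which matches the "??" the mail client displayed.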
Not everything went as smoothly as we would like, but the main task was nevertheless completed: submitting a request and receiving a response both succeeded. Moreover, my application was recognized as false and rejected.
Conclusions
The most interesting part, of course, is here. The Captain Obvious conclusion that the system works we have, of course, already drawn. The question is: can an information product like this really be rated highly enough for users to use it (potentially, of course) on the scale of the population of an entire country? Was it really impossible to do without this kind of trash (not the most terrible, I admit) in the implementation of this project's web front end?
PS: I'll answer the question “why didn’t I tell the developers about the bugs”: because apparently there are no obvious means for this on the site.
PPS: An obvious question, for which maybe I didn’t look carefully enough for the answer:
How much did such a technical solution cost the budget, that is, us taxpayers?