The trap of multiple vendors in website design and development

Summary: If you have a big or important website to build, do not – under any circumstances – built it using multiple vendors.

Problem: Your company needs a website of some kind and you have not enough resources or expertise to build it yourself.

So you want to hire a company that does that sort of things. What general options are there and what are their strengths and weaknesses?

The three general types of companies that could help are:

  1. Advertising agency
  2. Web consulting company
  3. General technology consulting company

Here is a little table that tries to capture their pros and cons:

CompetenceAdvertising agencyWeb consultantTechnology consultant
General technologyLowMediumHigh
Web technologyMedium/lowHighMedium/low
Web domainMedium/lowHighLow
Web strategyMediumHighLow
General marketingHighMediumLow
Visual designHighMedium/highLow

This is of course a very simplistic and subjective table. There are always exceptions and individual differences. Many companies cannot be put into these categories.

The choice is pretty easy if you need a simple website and can make compromises.

It gets harder if you need, say, a visually stunning website with a scalable back-end.

What do companies usually do in these situations (and sadly, often when they do not actually need to)? They buy the specification work from one company, visual design from another, and the actual implementation from a third company. In the specification or the visual design phase there usually is not yet an understanding what the technology platform will be.

This leads to multiple problems:

  1. Communicating design decisions becomes extremely time-consuming and error-prone.
  2. The implementation will cost a lot because the limits of the platform cannot be taken into consideration beforehand.
  3. Developers and designers get unhappy because their chances of making a difference is lower.
  4. The probability of success is lower – the forced waterfall model does not easily allow correction of mistakes made in the beginning of the project.

So basically: you will have a website that has some weaknesses (from a single vendor) – or you will own a generally bad website that cannot be fixed easily (from multiple vendors).

So what do I suggest?

You find a single company that has the best record of delivering great websites in all areas that matter to you. Usually that is a company, that specializes to web development and design. Remember that a lot can be fixed afterward, but it is harder, if the basic design decisions were wrong. Money should be reserved for that too. The more players there were in the development for the website, the more the corrective measures will probably cost.

A website is never done. It should be constantly analyzed and developed further. Perfection is a forever moving target. Don’t try to nail everything at once.

From this post on: only in English

I have been blogging for about 6 years now. In that time, I have only blogged in English a couple of times.

It is time for that to change.

I have no other motivation behind the change than to practice my written English. I certainly don’t hope to get a much wider audience. Even thou I would have no objections, should that ever happen.

I would also ask you to comment in English from now on. I know, that will at first seem like a bit stupid, mostly Finns discussing in English. But, after a short period, that feeling went away in Twitter too.

I obviously will not be translating the older posts, but the tags I will (again). The UI is mostly translated into English by now. Anything else I should be considering?

SuperGenPass is not that secure

Update 2 (2014-08-02): The developer of SuperGenPass, Chris Zarate, sent me an email detailing the solutions for the vulnerability described below explaining how the master password is never exposed to the master web page no more. I have not taken the time to review the solution, but the idea seems legit and the attack described below does no longer work.

Update: SuperGenPass vulnerability demo for people who don’t believe me.

I know, I have recommended that you use SuperGenPass for several times. It took a long time, but I finally realized there is a serious security flaw in the root of the implementation.

The SuperGenPass UI is rendered within the DOM of the current page when you click the bookmarklet. The UI is where you enter your master password. And because the UI is part of the current page, any script running in the page can read your master password. Remember that script can be external too, as in advertisements or widgets of some kind.

It is safe to say that using SuperGenPass is not that different from using the same password for every site. It just has a little bit different issues.

If you use the same password everywhere: When a site gets compromised in a way that the attacker can read the user account information, your account in every site can be compromised – depending on how the site stores their passwords.

If you use SuperGenPass on a site that is compromised: Your master password can get stolen and thus, your account in every site is compromised.

The difference is in the way site gets compromised. Something as common as a cross-site scripting attack will get your master password in jeopardy.

Fortunately, there is a safe way to use SuperGenPass. Just visit a page you absolutely trust not to have any unauthorized script running. Generate your password within that page by manually entering the domain name that you are trying to log in to. Then copy & paste it into the login form. Cumbersome, but it works.

At this point, I would not recommend SGP to anyone but security experts.

“Free” as in “free beer,” not as in “free speech”

Chris Anderson’s latest book, “Free” is free on Amazon to download for the Kindle or the Kindle app on the iPhone or iPod touch.

Or is it? No, sorry, to access it you need the Kindle (not available outside United States) or the Kindle app. If you try to download the app from the iTunes Store without an appropriate account, it says:

iTunes dialog: Your account is only valid for purchases in the Finnish iTunes Store. Clicking OK will take you to this store.

But I am not purchasing anything! I am simply trying to download a free piece of software! To access a free piece of content. And I am not allowed to do that in a disrespectful way.

Way to go, Amazon, Apple and Chris Anderson!

Free is also an ideology. Don’t forget that.

Varo mainoksesta kertovia merkkijonoja osoitteissa

Vierityspalkin jutusta päädyin Snoobin sivuille. Hetken aikaa ihmettelin, mikä mahtoi olla ongelma, koska sivu näytti siltä ettei tyylitiedosto ollut latautunut:

Snoobin verkkosivut selaimessa ilman CSS-tyylejä

Sitten tajusin, että joko Adblock Plussan perusfiltteri tai käyttämäni suodatuslista oli blokannut CSS:n. Se teki sen siksi, että CSS:n osoitteeksi oli määritelty: http://www.snoobi.fi/css/css.php?frontend=yes&banner=tuotteet_ja_palvelut.jpg.

Tarinan opetus: Mainosten blokkaajatkin on huomioitava. Kuvia, tyylitiedostoja tai muitakaan resursseja ei kannata pyytää osoitteilla, jotka kirkuvat mainonnasta.