Sunday, December 20, 2009

Announcing: Choice of the Dragon

I've been working on this game for the past few months:

Choice of the Dragon

Play as a fire-breathing dragon who sleeps on gold and kidnaps princesses for fun.
In the course of developing the game, I designed a programming language called "ChoiceScript" specifically for multiple choice games; I also wrote a bunch of text for the game, along with my friend Adam (with help from Kevin). Please share this with friends!

Saturday, August 22, 2009

StumbleUpon Doesn't Honor Permanent Redirects

The folks at StumbleUpon just gave me the worst website advice that I have ever heard.

When you change your domain name, StumbleUpon refuses to follow the permanent redirect to your new site. They recommend leaving the old website up with a "please click here" message instead!

Wait, really?

StumbleUpon provides a browser toolbar with a "Stumble!" button. When you click the button, it sends you to a random web page, and lets you rate it. If lots of people like your page, StumbleUpon will send more people there.

I've been running an online game from my personal website for about eight years. It eventually got pretty popular, averaging ~2 million pageviews a month. The load became too much for my home DSL connection, so about a month ago, I decided to move the game to Google AppEngine, on a separate domain. I diligently set up a permanent (301) redirect from the old website to the new website, and notified Google of my address change using Google Webmaster Tools.

For a while, everything was fine, but then, all of a sudden, I noticed my traffic had dropped by 50%. Puzzled, I checked my logs.

It turns out that about 50% of my traffic came from StumbleUpon; they were sending me hundreds of new visitors a day, some of whom would play the game for hours at a time. The game is a lot of fun, so it got hundreds of positive reviews. Eventually, StumbleUpon grew to represent a huge fraction of my inbound traffic. Now, all of it is gone.

StumbleUpon now says, "We are showing this site as unavailable. Should we check again?"

UPDATE (Jan 5 2010): StumbleUpon has removed this warning message from their site, but they're still not sending traffic to the redirected URL.

I emailed StumbleUpon about this, and they gave me this advice:

Hello Dan,

Thanks for your feedback,

Unfortunately, once you've redirected a site, you
are losing all reviews and traffic from the
original URL. There is nothing we can do about
this, as each unique URL in our community has its
own unique review page.

If we allowed transfer of reviews and traffic
counts, we would facilitate gaming of our system.
You may however do a different type of redirect:
keep the homepage of the old URL alive and insert
a link that users must click to reach the new URL.
That way, the review page for the old URL will
still be accessible and the site will still regain
its viral momentum and get stumbled around. While
doing this, you can slowly build reviews and
traffic for the new URL.

I hope this helped.

Regards,
Monica
xxxx@stumbleupon.com

This is horrible advice; nobody should ever do this.

If you follow Monica's advice, search engines like Google and Bing will continue to send searchers to the old website instead of the new website. Both Google and Bing rank websites largely by how many other sites link to them. Since the old website has more inbound links, it will rank higher in the search results than the new website. At best, you end up with two websites in Google and Bing, each performing only half as well as a single site would.

This is bad for my users and bad for searchers. Nobody wants to see duplicate content in their search results.

Gaming the system?

Monica says that if StumbleUpon honored redirects, it could be used to "game" their system. After all, what if I one day replaced my website with a redirect to a spam website? Then StumbleUpon might send users to some spam site.

But that's silly. Anyone who could redirect my website to spam could just as easily put spam right on my website! Redirecting doesn't help me game their system at all.

Instead, they're asking me to turn my old site into a pointless "doorway" page, forcing their users to click on an extra link just to get to the fun stuff. How is that good for their users?

If you don't believe me, then maybe you'll believe Google. StumbleUpon may claim to be worried about spam, but Google eats far more spam than StumbleUpon. People try to spam Google all the time, often by setting up useful sites and then replacing them with spam sites. If redirects made it easier to "game the system", then Google would stop honoring them.

Instead, Google gives clear and explicit directions explaining how to change your domain name. They recommend setting up a permanent 301 redirect, and notifying Google of the change of address using Google Webmaster Tools.
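As an added example (not part of the original post, and not StumbleUpon's or Google's code), here is a small checker that fetches an old URL exactly once, without following redirects, and reports whether it answers with a real permanent move. It runs against a constructed stand-in for the old site that serves the three responses discussed above: the 301 Google recommends, a 302 (a "temporary" redirect that crawlers do not treat as a move), and Monica's "please click here" doorway page. The domain in NEW_ORIGIN is made up.

```python
"""Check that an old URL answers with a permanent redirect to the new origin.

Added example. NEW_ORIGIN is a made-up domain; the local server is a
constructed stand-in for the old site, not anyone's real deployment.
"""
import http.client
import http.server
import threading
import urllib.parse

NEW_ORIGIN = "http://game.example.test"  # assumed new domain (constructed)


class OldSiteHandler(http.server.BaseHTTPRequestHandler):
    """Simulated old domain, serving three kinds of answer for comparison."""

    def do_GET(self):
        if self.path.startswith("/game/"):
            # The right move: 301 with the full new URL, path and query preserved.
            self._redirect(301)
        elif self.path.startswith("/temp/"):
            # A 302 means "temporary"; crawlers keep the old URL in their index.
            self._redirect(302)
        else:
            # The "doorway" advice: a 200 page the user has to click through.
            body = (b'<html><body>Moved! <a href="' + NEW_ORIGIN.encode()
                    + self.path.encode() + b'">please click here</a></body></html>')
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def _redirect(self, status):
        self.send_response(status)
        self.send_header("Location", NEW_ORIGIN + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_old_site():
    """Start the simulated old site on an ephemeral localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), OldSiteHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_move(old_url, expected_origin):
    """Fetch old_url once, without following redirects, and classify the answer.

    A URL counts as permanently moved only when the status is 301 or 308 and
    the Location header lands on the expected new origin. http.client never
    follows redirects, so we see exactly what a crawler sees on its first hop.
    """
    u = urllib.parse.urlsplit(old_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    conn.request("GET", target)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    resp.read()
    conn.close()
    permanent = (resp.status in (301, 308) and bool(location)
                 and location.startswith(expected_origin))
    return {"status": resp.status, "location": location, "permanent_move": permanent}


if __name__ == "__main__":
    srv = start_old_site()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    for path in ("/game/?level=3", "/temp/index.html", "/doorway/"):
        print(path, check_move(base + path, NEW_ORIGIN))
    srv.shutdown()
```

Point the checker at a handful of your most-linked old URLs (not just the home page) after a move: a redirect that drops the path or query string, or that is only a 302, will look fine in a browser and still cost you the links that pointed at deep pages.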

StumbleUpon should learn a lesson from Google and honor permanent redirects. It's the right thing to do for my users, Google's users, and their users.

Sunday, April 26, 2009

Tipjoy is Insecure; Don't Use It

Tipjoy is a cool new site that lets you exchange micropayments over the Internet. Unfortunately, on their "createAccount" page, they prompt you to give them your password without encryption!

http://tipjoy.com/createAccount/

That URL should be HTTPS-only, not HTTP. If you enter your password on that page, anyone on the network path between you and Tipjoy (a "man in the middle", or simply someone sniffing the same open Wi-Fi) can read it and use it to impersonate you on Tipjoy.

By capturing your password, the attacker can spend money that belongs to you, transfer money stored in your Tipjoy account into the attacker's account, etc.

Bizarrely, tipjoy.com does support HTTPS... they just choose not to use it on most of their webpages, including the /createAccount page and the /settings/account/ page where you go to change your password. (The /login page is HTTPS by default.)

You can even opt in to transmit your password securely, by modifying the URL to use HTTPS: https://tipjoy.com/createAccount/. That may be an acceptable workaround until Tipjoy fixes their site, but note that it protects only that one request; the /settings/account/ page, where you change your password, still sends it over plain HTTP.

But even knowing that workaround, you STILL shouldn't use Tipjoy to put a button on your site until they fix this issue. If you put a Tipjoy button on your site, your users (the people who like you and generously want to give you a small tip) will probably NOT notice the problem; they will just create an account using the default /createAccount link, exposing their passwords to a man-in-the-middle attack.

Hopefully Tipjoy will get the message and fix this soon. Frankly, as a payment exchange system, their ENTIRE SITE should be behind HTTPS, not just key login pages. This is how paypal.com works; it's also how most bank websites work. When money is on the line, you really can't accept anything less.
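As an added example (not part of the original post, and not Tipjoy's code), here is a small auditor for the problem described above: it parses a page, finds every form containing a password field, and decides whether a network attacker could read the password. It applies a stricter rule than "is the form action HTTPS?": if the page itself was loaded over plain HTTP, a man in the middle can rewrite the form's action before the user types anything, so a password form is only safe when both the page and the action are HTTPS. That is the reasoning behind putting the entire site behind HTTPS rather than only the login page. The HTML samples and the example.test URLs are constructed for the demo.

```python
"""Flag password forms that a network attacker could read or rewrite.

Added example. The HTML below is constructed to mirror the situation
described in the post; no real tipjoy.com markup is used.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_password_forms(page_url, html):
    """Return one finding per password form on the page.

    A form is secure only if BOTH the page and the resolved action use https.
    A relative action (as on a typical createAccount page) inherits the page's
    scheme, so a page served over http submits the password over http.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        action_https = urlsplit(target).scheme == "https"
        if page_https and action_https:
            reason = "ok"
        elif not action_https:
            reason = "password submitted over plain http"
        else:
            reason = "page served over http; form could be rewritten in transit"
        findings.append({"page": page_url, "action": target,
                         "secure": page_https and action_https, "reason": reason})
    return findings


# Constructed sample pages for the demo.
CREATE_ACCOUNT_HTML = """<html><body>
<form method="post" action="/createAccount/">
  <input name="email"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

LOGIN_HTML = """<form action="https://example.test/login" method="post">
<input name="user"><input type="password" name="pw"></form>"""

SEARCH_HTML = """<form action="/search"><input name="q"></form>"""


if __name__ == "__main__":
    for url, html in (("http://example.test/createAccount/", CREATE_ACCOUNT_HTML),
                      ("https://example.test/createAccount/", CREATE_ACCOUNT_HTML),
                      ("http://example.test/login", LOGIN_HTML),
                      ("http://example.test/", SEARCH_HTML)):
        for finding in audit_password_forms(url, html):
            print(finding)
```

Run it over the pages a visitor actually lands on (the default /createAccount link a tip button points to, not the URL you typed by hand with https added), since that is the path a user will take.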