Experimenting with the New Top Level Domains

by Michael Cropper | Jun 14, 2015 | SEO | 0 comments

A while ago we talked about what the new top level domains mean for businesses. Since writing that blog post over 12 months ago, a lot has happened. Since the initial announcement of new top level domains coming to the market, we thought it would be worth looking at what has actually changed and what you can actually do with the new domains.

New Generic Top Level Domains

Back in February 2014, there was a total of 362 top level domains that had been registered. Today, there are 988, a figure that is almost triple. Again, have a good browse through the top level domains that have been registered over the past year to get a feel for how things are changing.

An interesting point to note that while we have seen an almost tripling of top level domains that have been registered, we’ve yet to see any significant rollout of these domain names from businesses and brands online. The .google top level domain has been registered, yet we are all still using google.com or google.co.uk when searching. Likewise, .barclays has been registered but we are also still using barclays.com or barclays.co.uk. So why is this?

Well, honestly, things haven’t really changed that much over the past year when it comes to how customers perceive top level domains. If anything, people have become more wary of websites that don’t appear genuine, with cyber fraud and phishing attacks becoming part of everyday life. You only need to look back and read some of the topics we’ve covered on cyber security recently to see the scale of the problem; Cyber Security Conference 2015; Online Fraud and Cybercrime is a Serious Threat in 2015; Creative Entrepreneur 2014; A Short Story About… A Poorly Designed Website Allowing Anyone to Register as an Administrator Without Validation or Authorisation.

What this has ultimately led to is a situation whereby it appears that brands aren’t willing to experiment with the new top level domains just yet. So we thought we would experiment a little to see what kind of things we could do. It would be extremely unlikely for us to switch over to our new top level domain for the main website, since people are still very unsure about the new top level domains and still associate websites with the traditional .com and .co.uk. Hence why this is a nice little experiment to see how people can interact with websites and brands in a more user friendly and effective way with a little thought and planning.

Introducing contrado.digital

That’s right, we’ve just purchased a trendy domain that fits well with our brand, http://contrado.digital. Yes this is the full domain. The .digital top level domain became available quite recently, so we thought it would be worth securing this to protect the brand. Going beyond this, we’ve set up some additional functionality that allows you to interact with us a little easier.

http://search.contrado.digital

To search the Contrado Digital website, you could use search functionality that is built into WordPress, www.contradodigital.com/?s=searchQuery, although you may not know that exists. We’ve kept the search functionality hidden on purpose for the time being to avoid cluttering the main navigation as we found that it wasn’t being used a great deal by the majority of website visitors. But what if you still want to search the website without having to remember what the specific search URL is?

That’s why we created search.contrado.digital. Simple type this into your web browser, followed by your search query and you will automatically be shown a search results specifically for your query. For example, here are a few you can try;

• search.contrado.digital/cyber security
• search.contrado.digital/utm tracking parameters
• search.contrado.digital/digital lifeline

So there’s a nice easy way to find exactly what you need on the Contrado Digital website.

http://email.contrado.digital

To email us at Contrado Digital, again, simply type the following into your web browser, email.contrado.digital and you will be presented with a simple way to drop us an email without any effort at all. Go on, give it a go;

• email.contrado.digital

Yes, you could just go to the homepage, scroll down to the bottom and click on the link there. But why waste your time looking for an email address when you could just setup a nice piece of functionality that automates this whole process for you.

Social Media Channels

How about if you want to go straight to our social media channels to find out the latest trends happening in the digital world? Sure, you could again go to the website, hunt for the social media icons or go to the social media website and search for us there. But why waste your time doing that when you could just go straight to the relevant channel with ease;

• facebook.contrado.digital
• linkedin.contrado.digital
• twitter.contrado.digital

Nice little bit of functionality!

Summary

While the new top level domains are certainly still in their infancy, is there any way that you could be using these to help your audience connect with your brand easier? I’m sure there are many different and unique pieces of functionality that can enhance the user experience of your website by using this technology. What ways can you think of that would help by using a similar setup?

A Short Story About… A Poorly Designed Website Allowing Anyone to Register as an Administrator Without Validation or Authorisation

by Michael Cropper | Jun 10, 2015 | SEO | 0 comments

A Short Story About… series, sharing stories about epic fails related to digital marketing, web design, technology choices and more. All designed to make you aware of what can happen when you work with the wrong people and an inexperienced digital agency. Remember the importance of working with the right digital agency.

Sharing these real life stories with you allows you to review your own setup to make sure you aren’t making the same rookie mistakes. Sharing is caring and it also makes our life easier when you speak with us about increasing your revenue through digital marketing and technology.

Look at our new shiny website!

The story starts here…. We received an email from a business owner who mentioned that they had passed on our details to another business owner related to some work that they needed support with. Nothing too strange here, we get this all the time.

Naturally, when we receive requests such as this, we have a quick nosey around to get a feel for the website, digital marketing channels, technologies in use and more. Based on this quick analysis we soon get a feel for where the business is at when it comes to how digitally advanced they are, or aren’t, as the case may be.

Having already heard of the business that had been referred to us, we already knew that the website was in development with another agency (sorry, we’re not going to name and shame here, but we shall say that they are local to us…). Based on this, we had a quick look around the new website;

Website X

Initial Investigations

One of the key areas we investigate is to see what technology the website has been built with and ultimately decide if we even want to get involved with helping the business. Depending on the technology used and other factors, we often turn down work that is just too far gone to help and there is no budget for a complete rebuild. Often bad decisions in the past can lead to costly solutions in the future, often which businesses don’t have budgets for re-doing something. Thankfully though, there is generally something we can help with in one way shape or form.

We always recommend the right solutions for businesses, it’s unfortunate that this ethos isn’t the same for all agencies, with many often using poorly configured technology, custom built technology and everything in between. Hence, why businesses come to us when things have gone wrong elsewhere and they are looking for a good solution that is truly suitable for their long term needs. As a caveat, there are a lot of good agencies around alongside ourselves and we can quite happily point you to them. It is also true, as many businesses are painfully aware, that there are a lot of charlatans around too.

So, while investigating what technology was powering the website, we soon noticed a login button on the website;

So we had a quick look at the login page to see if this resembled any of the common content management systems around;

And what do we see here, a nice “Register” button, so we investigated a little further;

Ooohh, that looks like a nice easy registration form, so we tested a little further…;

• Username: test
• Password: test123
• Confirm password: test123

Surely any content management system or website worth it’s weight in salt would handle guest registrations in a graceful and secure way? Well, no, and this is where we were really shocked to see how bad this system has actually been built in terms of security. After registering a user using the form available on the website for anyone to see, we went back to the login page from earlier and tested these details;

And here we are, straight into the administration area where we can edit the content of the website as we choose. Adding content, deleting content, uploading images in the gallery, addling links to websites of our choosing and more. To test that we do indeed have the right privileges, we added (and then immediately removed) a piece of content to the website which was visible once we updated this;

(Click for larger view)

The above isn’t the actual content that was added to the website for obvious reasons. It was simply a number “1” which was added to one of the sentences then removed immediately. The above image is purely for illustrative purposes and to emphasise the point.

It is extremely worrying that a website can be built with no security in place at all. This process took no more than 5 minutes to investigate, test and access the admin area. Imagine what we could do in 10 minutes…

Now if someone came along who had an axe to grind or was looking to infect websites with malware and other code, this would be extremely easy thing to do. Not only could this result in the website being blacklisted from Google, your own website visitors and customers could be infected with viruses or your website could be (unknowing to you) part of a bot net that is hacking many websites around the world.

This blog post is not designed to show how good we are when it comes to identifying security issues related to websites (although we aren’t too bad at that…), this blog post is designed to highlight how easy security issues can occur when you are using either the wrong technology, incorrectly configured technology, sloppy web developers or an agency who clearly has no idea what they are doing.

For any website or web application, security should be embedded from the start of the project and clear testing throughout to ensure that only those who have access to the administration area do have access to it. Security is not an added extra, this is your own business and website that we are talking about. An area that you have clearly worked hard on and one that will no doubt have been a reasonable investment. Don’t get caught out with rookie mistakes.

Imaging if the administration area contained a list of all of your customers who had registered with your website? Or if this contained personal sensitive information in unencrypted form, names, email addresses, phone numbers or heavens forbid credit card details? Such a simple mistake can turn into an enormous problem. All preventable when you are working with the right people who have the skills, knowledge and experience to do the job properly.

Technology

For reference, the technology behind the website in this case study was running the following;

• IIS 8 Web Server
• Net / ASP.Net MVC Framework (this is where the problem and solution lie, allowing anyone to view the user registration page and allowing the default user to be created as an Administrator)
• Google Hosted Libraries
• jQuery
• Fancybox

Incorrectly configuring technology is one of the most common pitfalls related to website security. It is so important that you are working with a well-respected company who have staff with a wealth of experience and capable of preventing issues like this occurring.

The Solution

Throughout this blog post, the company has remained masked and is not identifiable in any way for obvious reasons. The company has also been notified and their agency is working on a solution as a priority. We believe in responsible disclosure, which is why we have published these findings, to avoid others falling into the same trap.

For reference for the developers working on this solution, if any pointers are needed, a quick Google search for the solution came up which may be quite useful;

• http://stackoverflow.com/questions/12706236/restricting-access-to-register-user-in-asp-net-mvc
• http://forums.asp.net/t/1886372.aspx?How+to+remove+self+registration+from+mvc+4+Internet+application
• http://www.asp.net/web-pages/overview/security/16-adding-security-and-membership
• http://www.asp.net/mvc/overview/older-versions-1/nerddinner/secure-applications-using-authentication-and-authorization
• http://www.asp.net/mvc

Please also have some form of robust security processes in place within your business to prevent this happening again in the future. Please also check all of your other clients who you have built websites for in this same fashion, as this could also need fixing on their website too. Again, it is extremely simply to gather a list of websites built by the same agency where this problem could also exist;

For anyone looking to do harm, this could turn into a reputational nightmare for the agency involved along with causing all of the businesses involved an awful lot of lost revenue if this was exploited fully by a hacker before a solution was implemented. Staff training, for both technical and non-technical users is key in this area to ensure that problems are identified before other people find them and exploit them.

Summary

As mentioned at the start, it is essential that you are working with the right digital agency who is capable of delivering projects in a secure fashion. Simply working with the cheapest company, the company who can talk the best talk or the company who manages to convince you that their solution is the best one over all of the others just isn’t going to cut it. As a business owner or decision maker, it is ultimately your responsibility that you are working with well-respected agencies who know what they are doing.

If you are concerned by the contents of this blog post, if you are questioning your current supplier or are generally concerned about the security of your digital assets, then get in touch. Cyber security is a hot topic for a reason, it is hugely important to protect the future of your online presence and more.

The learning point: Ensure your website registration process doesn’t allow new users to access parts of the website they shouldn’t. In this example, using a well-respected content management system would have prevented this issue altogether. Many website builds do not require any fancy custom built content management system solution, popular platforms such as WordPress or Magento are often perfect for the job.