Tag Archives: User Experience

The Return of Mystery Meat Navigation

Many of Malta’s government services can nowadays be accessed online. However, we still lag behind other countries in terms of their usefulness and ease of use. In this article, we’ll see a small example from the website of the Malta Public Registry that throws usability out of the window. As with other articles in The Sorry State of the Web series, and inspired by Vincent Flanders’ Web Pages That Suck, the aim is to learn good web design by looking at bad web design.

A screenshot of Certifikati.gov.mt, the website of the Malta Public Registry.

Certifikati.gov.mt is the website of the Malta Public Registry. I came across it a few days ago, and it has a simple and modern design, similar to many other contemporary websites. However, it makes one fundamental mistake that I haven’t seen in years, and you can see it in the navigation icons in the top-right corner of the website:

The icons in Certifikati’s navigation. Can you guess what they mean?

We have a row of icons, but what do they mean? We can perhaps try to guess, as some are more conventional than others (e.g. the shopping basket). But, to get a real idea of the range of information and services that a website offers, the only way is to hover over the icons one by one:

Hovering over an icon containing a sign post reveals that it means “Certificate Information”.

Aside from the questionable suitability of some of the icons, this kind of design is a tedious exercise in frustration, because instead of a website telling you clearly what it can do for you and where to find the information you want, you have to go and dig it up yourself, one icon at a time.

In fact, there is a name for this. It’s called Mystery Meat Navigation, a term coined by Vincent Flanders (of Web Pages That Suck) back in 1998. You can read about it in Flanders’ Introduction to Mystery Meat Navigation, Wikipedia’s Mystery Meat Navigation page, or my “On Mystery Meat Navigation and Unusability” article (originally published in 2013 at Programmer’s Ranch, and republished two years later here at Gigi Labs).

This is the first instance of Mystery Meat Navigation I’ve seen in many years. Although it used to be very common in the era of Geocities and Flash websites, the change in trend towards more minimal designs and ready-made templates over the course of 25 years thankfully seems to have caused it to fizzle out. As a result, I was very surprised to come across this clear example of regression.

It seems like most people have forgotten about the trap of Mystery Meat Navigation, and by writing about it again, I hope to raise awareness and help people avoid repeating the mistakes of the past.

The Sorry State of Air Malta’s Online Check-In

Dealing with Air Malta is always quite frustrating, no matter what you need to do. After the ordeal of booking a flight, detailed in The Sorry State of Air Malta’s Website, it was finally time to catch that dreaded flight. This time, to mitigate potential issues with overbookings, I decided to check-in online.

So, I did what any reasonable person would do: I googled Air Malta’s online check-in, hoping to go straight there:

The first search result brought me to this form:

A friend of mine told me that the process is easy, and the form looked simple enough (as you can see above). What could possibly go wrong?

“Check-in System Error”, it said, “A system error has occurred. Please try again later.” Typical: they don’t tell you what the problem is, and you can try again as many times as you like, because it’s not going to work. Knowing Air Malta’s hatred of apostrophes, I tried my surname with and without the apostrophe, to no avail. I even tried to “Show Additional Options”:

Not only does “Show Additional Options” clear whatever you entered in the first two fields (so you’d have to type them in again if you wanted to go back to using the booking reference), but the 13-digit Ticket Number is nowhere to be found in the flight booking confirmation email.

Later, I figured out what the problem was. If you go to the Air Malta website and proceed to do the online check-in from there, you get to a completely different form which does actually work (except that when you get to the summary, it displays the wrong number of luggages):

What this probably means is that during some rebranding exercise, they set up a new online check-in form, but left the old and dysfunctional one in place, and Google still ranks that as number one.

It’s rather silly to assume that people will reach your website through its homepage. As it turns out, though, Air Malta are not alone. Just today, I wanted to find some recent news on the website of stockbrokers Rizzo, Farrugia & Co. (who, unlike Air Malta, I highly respect), so I did the same thing and googled it:

Clicking on the top result, I ended up here:

Even if you haven’t been to their website before, it’s pretty clear to see that the formatting is a bit of a mess (and doesn’t fit the style of the rest of the site), the dates are in the future, and the download links take you back to the same page. The reason for this is likely the same as with Air Malta’s online check-in: they had some old page that they abandoned in favour of new pages, and forgot to remove it. Or maybe it wasn’t an old page, but one that came back from the future!

To conclude: in the last article about Air Malta’s website, I highlighted the importance of empathy and understanding the journey that the user takes. Here, we’ve seen how the journey doesn’t always start at the homepage, so it’s important to (a) make sure that pages are accessible and functional even when accessed from search engines, and (b) take down any obsolete pages so that they don’t confuse users.

This article is part of The Sorry State of the Web series.

The Sorry State of Air Malta’s Website

Air Malta is a real mess, but let’s face it: if you live in Malta, for some destinations, you don’t really have any choice but to fly with them. In this article, I’m not going to talk about Air Malta’s long-standing financial woes, their shady practice of overbookings, or their customer service (or lack thereof), none of which have improved over the years.

Instead, in the spirit of the Sorry State of the Web series, I’m going to talk about the simple journey of booking a flight, in the hope that we can learn a thing or two about user experience in the process.

Selecting a flight on AIr Malta’s homepage.

We start off by selecting a flight on Air Malta’s website, which has been redesigned in recent years and looks nice and modern. After selecting the departure and arrival airports and dates, we click on “Find flights”. So far so good.

Can’t Go Back

Oops! There’s no flight on one of the selected dates.

The dates I happened to choose at random included one with no flights available. Instead of picking one from the grid shown in the screenshot above, I preferred to go back and start over. Except that I couldn’t, because there’s some redirect in place that breaks the Back button and brings me back here every time.

Service Charge for No Refund

Okay, so I went back to the homepage and started over, selecting different airports and dates, and making it a one-way flight. This time, I have a choice of flights on the same day, and I can pick between three different fares:

Go Light is Non-Refundable (less €19 service fee).

It seems that Air Malta adapted to the uncertainty of COVID19 by providing varying levels of refundability to their flights depending on the option chosen. In each case, you pay a €19 service fee, including when the flight is non-refundable. Wait what?

Illegal Surnames

Your name is not allowed to have an apostrophe, and you can bring a weightless luggage. The name shown is fictional.

I have a long history of airlines and other websites either not accepting my surname or replacing apostrophes with the HTML entity '. Well, we’re in 2023 and Air Malta still thinks we’re not allowed to have apostrophes in our surnames, even though governments have been perfectly happy to accept them for centuries.

As I wrote in earlier editions of the Sorry State of the Web series, this bullshit is just a case of excessively restricted validation. Any concern about the use of apostrophes for SQL injection is easily dismissed by the fact that nowadays we have (and use… yeah, right) prepared statements.

In fact, I found that characters with diacritics (such as French accents or German umlauts) are also excluded from Air Malta’s definition of “alphabetic characters”:

Your surname can’t have accents either.

Fortunately, I’m not the only one experiencing the frustration of an unacceptable surname on a regular basis. It turns out there’s a “Your Name Is Invalid!” Twitter account which regularly posts similar episodes.

Weightless Luggage

If you look on the right-hand-side of the two screenshots above, you’ll notice that there’s a “1 x 0kg (included)” luggage listed. Perhaps it’s a new offer from Air Malta: bring your hand luggage on board for free, as long as it’s weightless!

Successful Payment

I’m supposed to be redirected… but I’m not!

After paying for the flight, I’m taken to this page with a browser title saying “APCO_AUTH_SUCCESS”. It’s got what seems to be XML in the URL’s querystring, presumably the type of SOAP message that people used to coordinate war efforts during the Crusades.

The page also says “Your payment was successful, you are now redirected to the Confirmation page”. No I’m not! The page doesn’t budge and I’m just stuck here.

Conclusion

It takes more than a fancy website to create a good user experience. Despite my aversion to Air Malta, this is also true of many other websites and web applications, especially in Malta where the bar is rather low.

The most important thing when developing a website or web application is to test it. Everything I’ve shown in this article is easily spotted simply by using the website, following a pretty ordinary journey through the booking process. All these things could have been caught by a developer or an Air Malta employee before reaching customers like me.

Another piece of advice around user experience is to have some empathy. Put yourself in the shoes of the customer. Is your obsession with alphabetic characters going to win any points with a customer simply trying to enter their name? Probably not.

Let’s learn something from this and try to improve. That way we can have happier customers and happier businesses.

The Weeping Web of January 2017 (Part 2)

This is a continuation of my previous article, “The Weeping Web of January 2017 (Part 1)“.  It describes more frustrating experiences with websites in 2017, a time when websites and web developers should have supposedly reached a certain level of maturity. Some of the entries here were contributed by other people, and others are from my own experiences.

EA Origin Store

When resetting your password on the EA Origin Store, the new password you choose has a maximum length validation. In this particular case, your password cannot be longer than 16 characters.

This is an incredibly stupid practice, for two reasons. First, we should be encouraging people to use longer passwords, because that makes them harder to brute force. Secondly, any system that is properly hashing its passwords (or, even better, using a hash algorithm plus work factor) will know that the result of a hashed password is a fixed length string (regardless of original input length), so this is not subject to any maximum column length in a database.

Untangled Media

If you scroll through the pictures of the team at Untangled Media, you’ll see that the last one is broken. Ironically, it seems that that person is responsible for content.

Needless to say, broken images give a feeling of neglect that is reminiscent of the mythical broken window from The Pragmatic Programmer.

Outlyer on Eventbrite

Another thing that makes sites (and any written content, for that matter) look unprofessional is typos. If you’re sending an SMS to a friend, a typo might be acceptable. If you’re organising an event to launch a product, three typos in the same sentence don’t give a very good impression.

BRND WGN

The first thing you see on the BRND WGN website is an animation taking up the whole screen, switching around frantically like it’s on drugs:

There are only three things you can do to learn more about what the site has to offer: play a video, click on (literally) a hamburger menu, or scroll down.

While I’m not sure this can be reasonably classified as mystery meat navigation, it does no favours to the visitor who has to take additional actions to navigate the site. While the hamburger icon looks like a cutesy joke, it looks silly on what is supposed to be a professional branding website, and hides the site’s navigation behind an additional layer of indirection.

This is a real pity, because if you scroll to the bottom, the site actually does have well laid out navigation links you can use to get around the site! These should really be the first thing a visitor sees; it makes no sense that they are hidden at the bottom of the page.

I also noticed that if you click on that hand in the bottom-right, you get this creepy overlay:

The only reasonable reaction to this is:

Image credit: taken from here.

Daphne Caruana Galizia

The controversial journalist and blogger who frequently clashes with public figures would probably have a bone to pick with her webmaster if she knew that the dashboard header for her WordPress site was visible for not-logged-in users while she was logged in last week:

While this won’t let anyone into the actual administrative facilities (because a login is still requested), there’s no denying that something went horribly wrong to make all this visible, including Daphne’s own username (not shown here for security reasons).

Identity Malta

The Identity Malta website has some real problems with its HTTPS configuration. In fact, Firefox is quick to complain:

This analysis from Chrome, sent in by a friend, shows why:

Ouch. It defeats the whole point of using SSL certificates if they are not trusted. But that’s not all. Running a security scan against the site reveals the following:

Not only is the certificate chain incomplete, but the scan identified a more serious vulnerability (obfuscated here). An institution dealing with identity should be a little more up to speed with modern security requirements than this.

Another (less important) issue is with the site’s rendering. As you load the page the first time or navigate from one page to another, you’ll notice something happening during the refresh, which is pretty much this:

There’s a list of items that gets rendered into a horizontally scrolling marquee-like section:

Unfortunately, this transformation is so slow that it is noticeable, making the page load look jerky at best.

Battle.net

I personally hate ‘security’ questions, because they’re insecure (see OWASP page, engadget summary of Google study, and Wired article). Nowadays, there’s the additional trend of making them mandatory for a password reset, so if you forget the answer (or intentionally provide a bogus one), you’re screwed and have to contact support.

If you don’t know the answer to the silly question, you can use a game’s activation code (haven’t tried that, might work) or contact support. Let’s see what happens when we choose the latter route.

Eventually you end up in a form where you have to fill in the details of your problem, and have to provide a government-issued photo ID (!). If you don’t do that, your ticket gets logged anyway, but ends up in a status of “Need Info”:

The idea is that you need to attach your photo ID to the ticket. However, when you click on the link, you are asked to login:

…and that doesn’t help when the problem was to login in the first place.

It’s really a pain to have to go through all this crap when it’s usually enough to just hit a “Reset Password” button that sends you an email with a time-limited reset link. Your email is something that only you (supposedly) have access to, so it identifies you. If someone else tried to reset your password, you just ignore the email, and your account is still fine. In case your email gets compromised, you typically can use a backup email address or two-factor authentication involving a mobile device to prove it’s really you.

Security questions are bullshit; they provide a weak link in the security chain and screw up user experience. Let’s get rid of them sooner rather than later.

Malta Health Department

It is a real pity when a government department’s website loses the trust supposedly provided by HTTPS just because it uses a few silly images that are delivered over HTTP.

The Economist

Remember how you could read any premium article on The Times of Malta by just going incognito in your browser (see “The Sorry State of the Web in 2016“)? Seems The Economist has the same problem.

Article limit…

…no article limit…

Remember, client-side validation is not enough!

On a Positive Note, Mystery Meat Navigation

I’m quite happy to see that mystery meat navigation (MMN) seems to be on its way out, no doubt due to the relatively recent trend of modern webites with simple and clear navigation. I haven’t been able to find any current examples of MMN in the first five pages of Google results when searching for local web design companies, so it’s clear that the local web design industry has made great strides compared to when I wrote the original MMN article.

Summary

This is the third article in which I’ve been pointing out problems in various websites, both local and international. After so many years of web development, designs might have become prettier but lots of websites are still struggling with fundamental issues that make them look amateurish, dysfunctional or even illegal.

Here are some tips to do things properly:

  • If you’re accepting sensitive data such as credit cards of passwords as input, you have to have fully-functional HTTPS.
  • Protect yourself against SQL injection by using parameterised queries or a proper ORM.
  • Test your website. Check various kinds of inputs, links, and images. Don’t waste people’s time or piss them off.
  • Use server-side validation as well as client-side validation.
  • Ensure you have proper backup mechanisms. Shit happens.

The Sorry State of the Web in 2016

When I republished my article “Bypassing a Login Form using SQL Injection“, it received a mixed reception. While some applauded the effort to raise awareness on bad coding practices leading to serious security vulnerabilities (which was the intent), others were shocked. Comments on the articles and on Reddit were basically variants of “That code sucks” (of course it sucks, that’s exactly what the article is trying to show) and “No one does these things any more”.

If you’ve had the luxury of believing that everybody writes proper code, then here are a few things (limited to my own personal experience) that I ran into during 2016, and in these first few days of 2017.

SQL Injection

I was filling in a form on the website of a local financial institution a few days ago, when I ran into this:

It was caused by the apostrophe in my surname which caused a syntax error in the SQL INSERT statement. The amateur who developed this website didn’t even bother to do basic validation, let alone parameterised queries which would also have safeguarded against SQL injection.

Airlines and Apostrophes

My experience with airlines is that they tend to go to the other extreme. In order to keep their websites safe, they simply ban apostrophes altogether. This is a pain in the ass when your surname actually has an apostrophe in it, and airlines stress the importance of entering your name and surname exactly as they show on your passport.

United Airlines, for instance, believe that the surname I was born with isn’t valid:

Virgin America, similarly, takes issue with my whole full name:

We’re in 2017. Even shitty Air Malta accepts apostrophes. All you need to do is use parameterised queries or a proper ORM. Using silly and generic error messages doesn’t help avoid customer frustration.

Plagiarism

Speaking of Air Malta, here’s a classic which they ripped off from some other US airline:

US Federal law? In Malta? Go home, Air Malta. You’re drunk.

Don’t Piss People Off

I’ve had a really terrible experience with booking domestic flights with US airlines. There is always some problem when it comes to paying online with a VISA.

United Airlines, for instance, only accepts payments from a specific set of countries. Malta is not on that list, and there is no “Other” option:

Delta gives a variety of billing-address-related errors depending on what you enter.

Southwest provides fields to cater for payments coming from outside the US:

And yet, you need to provide a US State, Zip Code and Billing Phone Number.

The worst offender, though, is Virgin America. While the overall experience of their AngularJS website is quite pleasant, paying online is a hair-ripping experience. If you choose a country where the State field does not apply (such as Malta, or the UK), a validation error fires in JavaScript (it doesn’t appear in the UI) and does not let you proceed:

It’s almost like the developers of this website didn’t quite test their form. Because developers normally do test their code, right? Right?

Well, when I reported the error to Virgin, and offered to provide a screenshot and steps to reproduce, the support representative gave me this canned bullshit:

“So sorry for the web error. Can recommend using one of our compatible browsers chrome or safari. Clearing your cookies and cache.  If no resolve please give reservations a ring [redacted] or international [redacted] you’ll hear a beep then silence while it transfers you to an available agent.  Thanks for reaching out.~”

I had to escalate the issue just so that I could send in the screenshot to forward to their IT department. Similarly, I was advised to complete the booking over the phone.

Over a month later, the issue is still there. It’s no wonder they want people to book via telephone. Aside from the international call rate, they charge a whooping $20 for a sales rep to book you over the phone.

Use SSL for Credit Card And Personal Details

In July 2016, I wanted to book a course from the local Lifelong Learning unit. I found that they were accepting credit card details via insecure HTTP. Ironically, free courses (not needing a credit card) could be booked over an HTTPS channel. When I told them about this, the response excuse was:

“This is the system any Maltese Government Department have been using for the past years.”

It is NOT okay (and it’s probably illegal) to transmit personal information, let alone credit card details, over an insecure channel. That information can be intercepted by unauthorised parties and leaked for the world to see, as has happened many times before thanks to large companies that didn’t take this stuff seriously.

To make matters worse, Lifelong Learning don’t accept cheques by post, so if you’re not comfortable booking online, you have to go medieval and bring yourself to their department to give them a cheque in person.

I couldn’t verify if this problem persists today, as the booking form was completely broken when I tried filling it a few days ago – I couldn’t even get to the payment screen.

Update 8th January 2017: I have now been able to reproduce this issue. The following screenshots are proof, using the Photo Editing course as an example. I nudged the form a little to the right so that it doesn’t get covered by the security popup.

Update 9th January 2017: Someone pointed out that the credit card form is actually an iframe served over HTTPS. That’s a little better, but:

  • From a security standpoint, it’s still not secure.
  • From a user experience perspective, a user has no way of knowing whether the page is secure, because the iframe’s URL is hidden and the browser does not show a padlock.
  • The other personal details (e.g. address, telephone, etc) are still transmitted unencrypted.

Do Server Side Validation

When Times of Malta launched their fancy new CMS-powered website a few years ago, they were the object of much derision. Many “premium” articles which were behind a paywall could be accessed simply by turning off JavaScript.

Nowadays, you can still access premium articles simply by opening an incognito window in your browser.

Let’s take a simple example. Here’s a letter I wrote to The Times a few years ago, which is protected by the paywall:


Back in 2014, I used to be able to access this article simply by opening it in an Incognito window. Let’s see if that still works in 2017:

Whoops, that’s the full text of the article, without paying anything!

Like those critics of my SQL injection article, you’d think that people today know that client-side validation is not enough, and that it is easy to bypass, and that its role is merely to provide better user experience and reduce unnecessary roundtrips to the server. The real validation still needs to be server-side.

Conclusion

Many people think we’re living in a golden age of technology. Web technology in particular is progressing at a breathtaking pace, and we have many more tools nowadays than we could possibly cope with.

And yet, we’re actually living in an age of terrible coding practices and ghastly user experience. With all that we’ve learned in over two decades of web development, we keep making the same silly mistakes over and over again.

I hope that those who bashed my SQL injection article will excuse me if I keep on writing beginner-level articles to raise awareness.