Three-Click Monte
Posted 16-Feb-2009 by Robby Slaughter (@robbyslaughter)

These days, surfing the net requires a skeptical eye. We must be wary of phishers who set up fake copies of authentic websites to collect personal information. We shake our fists at linkjackers who steal traffic by creating content-free, ad-infested intermediary pages. We dodge spyware, trojans and viruses. For every useful, entertaining or provocative spectacle on the web there is a shadowy, vindictive counterpart bent on gleeful destruction. Unfortunately, there is one other problem, which is far more widespread and achingly horrific. Some websites are built by idiots.

[Image: a street hustler playing three-card monte. Caption: You can be the mark, or you can be the one who knows the cards.]

The Danger of Incompetence

Usually, if a professional screws up, we shrug off the experience. Get a bad haircut and your hair will grow back; get ripped off by a dishonest mechanic and you will never return to the same garage again. We can dismiss terrible service as a fluke or as our own failure to check up on the provider. Incompetence in others is usually frustrating, but not devastating.

However, developers of websites have the unique power to ruin lives through their own ignorance. Most users don’t know much about the web and often place a profound trust in online services and willingly offer crucial personal information. News stories constantly surface about accidental publishing of private records or insufficient security systems failing to stop cyber criminals from looting online vaults. We know we should stay away from companies that employ pathetic security measures, but there seems to be no obvious method for certifying websites as solidly built and reasonably secure. The consumer has no choice but to trust and hope.

The Three-Click Monte

In the same way a street hustler can separate a fool from his money in a game of three-card monte, a simple technique can allow you to broadly differentiate between websites designed by well-meaning amateurs and actual experts. I call it the Three-Click Monte, because it requires exactly three depressions of the left mouse button. Here are the steps:

  1. Locate a login form, and without entering a username or password, click the login button.
  2. You should be sent back to the same form with a snarky error message about an incorrect username/password. Ignore this warning and click the login button again.
  3. The patient login form should again remind you that the username/password is incorrect. Ignore this warning, but this time click the browser’s back button.

If a round of Three-Click Monte results in an error message, the website is likely the work of novices. A handful of button presses should not break an online system, certainly not one you should entrust with your sacred personal information. Give the mini browsers below a whirl and see which fake website fails the test:

Expiration Explained

To the user, clicking on a hyperlink, a form button or the browser’s back button are all merely ways to navigate the web. But to the conscientious technologist, each has a distinct meaning. A link allows one to surf lightly, without making changes or commitments other than to experience something new. Pushing a button on a form, however, is a statement of intent. Users who fill out boxes and press “submit” want to change the state of the universe: make a purchase, upload a file, login to a service or delete a record. The browser’s back button, however, is a time machine. It’s a way to return to where you have been, to retrace your steps. Each possible path of your mouse has a unique purpose.

The first click in Three-Click Monte is done on a form button, not a regular hyperlink. You are advanced not to another humdrum webpage, but to one built especially for you. The error page was constructed on the fly, in response to the (blank, and therefore incorrect) username and password you just submitted.

The second click is actually a red herring. To finish setting the trap, Three-Click Monte needs the user to wander away from the custom-generated result page. A repeat login attempt fulfills this requirement.

Hitting the back button is supposed to teleport the user into the recent past. In this case, that means returning to a webpage which was actually the result of a form submission. But would that page be different if that form were processed now? Should the browser resubmit the form data when you hit the back button? Has the generated page expired, or can it be safely displayed? Most web designers never consider these quandaries, which indicates a lack of rigor and potential incompetence.

The Interview Question

Although it might fill this author’s daydreams, you cannot quiz potential candidates on their knowledge of Three-Click Monte. However, you should consider asking them about a common solution: the post/redirect/get model. This approach holds that a web application should never present a generated webpage directly as the response to form processing. Instead, the system should redirect the user to a page fetched with a plain GET, just as if they had clicked on a regular link. This technique ensures the back button operates as expected and is a sign of a more conscientious web developer.
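The following is an added example, not code from the original post or from any real site: two minimal WSGI login handlers, one that renders the error page directly as the POST response and one that uses post/redirect/get, plus a toy browser that records one history entry per page and replays the three clicks from “Expiration Explained” and the interview-question paragraph above. The browser model is a simplification: when the user goes back to a history entry that was produced by a POST, it refuses to resubmit and shows a “Document Expired” message (Firefox’s wording; Chrome instead asks to confirm form resubmission). The credential store, the `/login` and `/home` paths and the `error=1` query flag are all constructed for the demo.

```python
# Added example (not from the original post): two WSGI login handlers and a
# toy browser that replays the three clicks of Three-Click Monte.
from io import BytesIO
from urllib.parse import parse_qs

# Constructed credential store for the demo; a real site would verify a hash.
USERS = {"alice": "correct horse battery staple"}

FORM = ('<form method="post" action="/login">{msg}'
        '<input name="username"><input name="password" type="password">'
        '<button>Log in</button></form>')


def _credentials(environ):
    """Read username/password from the POST body (blank fields parse as '')."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    return form.get("username", [""])[0], form.get("password", [""])[0]


def _page(start_response, status, body, extra=()):
    start_response(status, [("Content-Type", "text/html")] + list(extra))
    return [body.encode()]


def login_direct(environ, start_response):
    """No PRG: the POST response itself is the page the user sees, so the
    browser's history entry for that page is a POST. Fails Three-Click Monte."""
    if environ["REQUEST_METHOD"] == "POST":
        user, pw = _credentials(environ)
        if USERS.get(user) == pw:
            return _page(start_response, "200 OK", "<p>Welcome, %s</p>" % user)
        return _page(start_response, "200 OK",
                     FORM.format(msg="<p>Incorrect username/password</p>"))
    return _page(start_response, "200 OK", FORM.format(msg=""))


def login_prg(environ, start_response):
    """Post/Redirect/Get: the POST never renders a page. It answers 303 and the
    browser fetches the result with a plain GET, which is what lands in history."""
    if environ["REQUEST_METHOD"] == "POST":
        user, pw = _credentials(environ)
        target = "/home" if USERS.get(user) == pw else "/login?error=1"
        return _page(start_response, "303 See Other", "", [("Location", target)])
    if environ["PATH_INFO"] == "/home":
        return _page(start_response, "200 OK", "<p>Welcome</p>")
    query = parse_qs(environ.get("QUERY_STRING", ""))
    msg = "<p>Incorrect username/password</p>" if "error" in query else ""
    return _page(start_response, "200 OK", FORM.format(msg=msg))


class Browser:
    """Toy browser: one history entry (method, path, body) per page landed on."""

    def __init__(self, app):
        self.app, self.history, self.page = app, [], ""

    def _request(self, method, path, body=b""):
        environ = {"REQUEST_METHOD": method,
                   "PATH_INFO": path.partition("?")[0],
                   "QUERY_STRING": path.partition("?")[2],
                   "CONTENT_LENGTH": str(len(body)),
                   "wsgi.input": BytesIO(body)}
        captured = {}

        def start_response(status, headers):
            captured["status"], captured["headers"] = status, dict(headers)
        text = b"".join(self.app(environ, start_response)).decode()
        return captured["status"], captured["headers"], text

    def navigate(self, method, path, body=b""):
        status, headers, text = self._request(method, path, body)
        # Browsers follow a 303 (and, in practice, a 302) after a POST with a
        # GET, and the history records that GET rather than the POST itself.
        while status.startswith("30") and "Location" in headers:
            method, path, body = "GET", headers["Location"], b""
            status, headers, text = self._request(method, path, body)
        self.history.append((method, path, body))
        self.page = text
        return text

    def back(self):
        if len(self.history) < 2:
            return self.page
        self.history.pop()
        method, path, body = self.history[-1]
        if method == "POST":
            # Modelled behaviour: the browser will not silently resubmit a form.
            self.page = "Document Expired: this page was the result of a form submission"
        else:
            self.page = self._request(method, path, body)[2]
        return self.page


def three_click_monte(app):
    """Replay the three clicks; True means the site passes (no error on back)."""
    b = Browser(app)
    b.navigate("GET", "/login")
    blank = b"username=&password="
    b.navigate("POST", "/login", blank)   # click 1: submit empty form
    b.navigate("POST", "/login", blank)   # click 2: submit again
    return "Document Expired" not in b.back()   # click 3: back button


if __name__ == "__main__":
    print("direct render:", "pass" if three_click_monte(login_direct) else "FAIL")
    print("post/redirect/get:", "pass" if three_click_monte(login_prg) else "FAIL")
```

The same history model explains the related annoyance with non-PRG sites: reloading a page that was the result of a POST re-sends the form, so a refresh after a purchase can place a second order, whereas under PRG the reload is just another harmless GET of the result page.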

Clarifying a Judgment Call

Elsewhere in this essay, I might have implied that websites which fail Three-Click Monte must have been constructed by degenerate morons. This isn’t entirely true. Every web developer, even those whose technical knowledge is limited to a single afternoon’s reading of Teach Yourself Internet Engineering in 24 Hours, has something to offer the world. No single test can definitively filter out the idiots. Unfortunately, the average web surfer cannot practically interview the programmers and designers behind each site they visit. A toolbelt full of checklists is the best defense against the unsavory and the half-baked.

The more serious problem of incompetence, however, still pervades the entire field of information technology. Most people working in software are not remotely concerned about methodology. Almost nobody worries about standards or optimization. Many programmers are hesitant even calling the creation of complex, important systems “engineering.” Everyday computer users have every right to feel helpless against the swirling forces of utility and malice. At least now, you can weed out some of the more dangerous sites with Three-Click Monte.
