
How the registry of prohibited sites was implemented: here we go again!

The other day I decided to see for myself how the thing "everyone is talking about" actually works. Let us leave aside the arguments about the relevance and necessity of the freshly baked legislation and focus on the implementation of one of the important links of the proposed system: the website of the unified register of prohibited resources, specifically the part of it that handles applications to add a resource to the register.

As the victim I chose the site of a highly dubious Chinese online store, which still serves Russian-speaking users and sits on a domain in the ".ru" zone. I will spare you the details and simply ask the respectable public to take it on faith that the victim has done more than enough to at least play the role of a guinea pig in this experiment. It is worth stating, however, that formally none of the prohibited categories of content is present on the site; at least I found no propaganda of suicide or drugs and no child pornography.



We proceed to the experiment, describe our actions, summarize the results and draw conclusions.
Objectives of the experiment

1. Check whether an ordinary citizen can add an arbitrary resource to the unified state register of prohibited sites, using nothing but everyday means of access to the network.
2. Get a response to the submission.
3. Record any problems found along the way.
4. Assess how well the system works.

Experiment Description

As an ordinary mortal who has heard the bell ringing but has no idea where it hangs, I turned to the Yandex search engine, which, before I had even finished typing my query, guessed it with an exact suggestion. Once on the registry site I had no trouble finding the section for submitting an application to add a resource to the registry in the plain menu. The dry bureaucratic name of the menu item, "Receipt of Messages", is not exactly intuitive, but among the four items it was the only one whose meaning implied any kind of feedback, so it was hard to miss.

A page opened with a dry "blah-blah-blah" text of 2600+ characters and the desired form under it. Systems of this kind do not shine with usability niceties, so the form's title, styled as ordinary page text and merely set in bold, and reading "Submit a message about a resource containing prohibited information", did not surprise me much.

The mandatory field "Pointer to the website page on the Internet (with mandatory indication of the protocol)" really does require the protocol to be present, and also the absence of leading spaces, which I had accidentally pasted into the field in front of the value when copying the URL from an external source.

Further poking around showed that almost all checks of the submitted field values against the required formats are either very superficial or absent as a class. There is no AJAX; submitting the form means a full page reload. And, in the best bureaucratic tradition, the server reports the filling errors it detects strictly one per submission attempt. The CAPTCHA, of course, has to be solved again on every unsuccessful iteration, even if you passed it the previous time. On the positive side, the values of the filled fields are retained when a submission attempt fails.

The "Additional Information" field, which allows a text value of at most 500 characters, deserves special attention. Firstly, in keeping with the tradition noted above, the requirement is presented as an error only after an attempt to submit the form. Secondly, an attempt to enter 340 characters (92% of them Cyrillic) into this field also failed. Apparently the length of the string is checked as if the text were in a single-byte encoding, even though the site works in UTF-8: every Cyrillic letter in UTF-8 takes two bytes, so 340 such characters comfortably overshoot a 500-byte budget. A mere mortal would not suspect any of this and would simply keep shortening the text until the server finally accepts the form, which is what I did.

In the end I overcome all the obstacles and the server swallows the result of my filling-in, gives me a fairly ordinary dry message, and shows me the same form again, this time cleared of what I entered. Stop! Where is the confirmation page? Somewhere I can see what I entered, make sure everything is correct and confirm, or conversely spot a mistake and go back to editing? After all, this is hardly a trivial action: I am applying to block a resource for millions of people, and what if I ticked the wrong box somewhere? Well, at least it was accepted.

Experimental results

We wait for a reaction, especially since I entered my e-mail address and ticked the "send the reply by e-mail" checkbox. I remind you: my application is deliberately false, although I did not say so explicitly.

A day passes. The reply arrives by e-mail:
Hello!

Thank you for your active citizenship; however, we inform you that the address http://….ru/ specified in your message does not contain the information provided for by part 5 of article 15.1 of the Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Protection of Information".

Respectfully,
FEDERAL SERVICE FOR SUPERVISION IN THE SPHERE OF COMMUNICATIONS, INFORMATION TECHNOLOGY AND MASS MEDIA.

The subject line of the letter is a curiosity in itself. It is meant to read

  ROSKOMNADZOR informs ("РОСКОМНАДЗОР информирует")

but it arrives garbled, because the header was encoded without regard to the rules for folding header fields in RFC 2047, in particular the requirement that, for a multibyte charset, each encoded-word contain an integral number of characters. The base64 text was cut after an odd number of bytes, so the first encoded-word ends with the first byte of the letter "м" and the second begins with its second byte; a mail client that decodes each encoded-word on its own, as the RFC entitles it to, shows two replacement characters in the middle of the word:

  Subject: =?utf-8?B?0KDQntCh0JrQntCc0J3QkNCU0JfQntCgINC40L3RhNC+0YDQ?=
   =?utf-8?B?vNC40YDRg9C10YI=?=
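Both UTF-8 mishaps on this page, the byte-counting length check on the "Additional Information" field and the encoded-word split inside a letter in the Subject header, come down to the same mistake: counting bytes where characters are meant. The Python below is an added example written for this page, not code from the registry site or from the author. The 340-character sample text is constructed, the two encoded-words are the ones from the header above taken verbatim, and the function names are my own.

```python
import base64
import re

# --- 1. The form's length check ---------------------------------------------

MAX_CHARS = 500  # the limit the form announces for "Additional Information"


def exceeds_limit_bytewise(text: str, limit: int = MAX_CHARS) -> bool:
    """The check the form apparently performs: it counts UTF-8 bytes, so every
    Cyrillic letter uses up two of the 500 'characters'."""
    return len(text.encode("utf-8")) > limit


def exceeds_limit(text: str, limit: int = MAX_CHARS) -> bool:
    """Character-based check: counts Unicode code points, as the user does."""
    return len(text) > limit


# Constructed sample (not the author's text): 340 characters, 92% Cyrillic.
SAMPLE_340 = "ж" * 313 + "x" * 27


# --- 2. RFC 2047 encoded-words in the reply's Subject: header ---------------

# B-encoded encoded-word: =?charset?B?base64?=   (Q encoding not needed here)
ENCODED_WORD = re.compile(r"=\?([^?]+)\?[Bb]\?([^?]*)\?=")

# The two encoded-words exactly as they arrived, with the folding whitespace.
SUBJECT_RAW = ("=?utf-8?B?0KDQntCh0JrQntCc0J3QkNCU0JfQntCgINC40L3RhNC+0YDQ?=\r\n"
               " =?utf-8?B?vNC40YDRg9C10YI=?=")


def decode_each_word(header: str) -> str:
    """Decode every encoded-word on its own, which RFC 2047 section 5 permits
    because each word must hold an integral number of characters. A word cut in
    the middle of a multibyte sequence therefore yields U+FFFD on both sides."""
    return "".join(
        base64.b64decode(payload).decode(charset, errors="replace")
        for charset, payload in ENCODED_WORD.findall(header)
    )


def decode_joined(header: str) -> str:
    """Tolerant decoder: concatenate the raw bytes of adjacent encoded-words that
    share a charset before decoding, so a split character is reassembled.
    (Python's email.header.decode_header collapses such runs the same way.)"""
    out, buf, cur = [], b"", None
    for charset, payload in ENCODED_WORD.findall(header):
        if cur is not None and charset.lower() != cur:
            out.append(buf.decode(cur, errors="replace"))
            buf = b""
        cur = charset.lower()
        buf += base64.b64decode(payload)
    if cur is not None:
        out.append(buf.decode(cur, errors="replace"))
    return "".join(out)


def encode_words(text: str, charset: str = "utf-8", max_word_len: int = 75) -> list:
    """Encode text as B-encoded-words of at most max_word_len characters
    (RFC 2047 section 2), cutting only between characters so that every word
    decodes correctly on its own."""
    prefix, suffix = f"=?{charset}?B?", "?="
    payload_chars = max_word_len - len(prefix) - len(suffix)
    max_bytes = (payload_chars // 4) * 3  # base64: 4 output chars per 3 bytes
    words, chunk = [], b""
    for ch in text:
        enc = ch.encode(charset)
        if chunk and len(chunk) + len(enc) > max_bytes:
            words.append(prefix + base64.b64encode(chunk).decode("ascii") + suffix)
            chunk = b""
        chunk += enc
    if chunk:
        words.append(prefix + base64.b64encode(chunk).decode("ascii") + suffix)
    return words


if __name__ == "__main__":
    print(exceeds_limit_bytewise(SAMPLE_340), exceeds_limit(SAMPLE_340))
    print(repr(decode_each_word(SUBJECT_RAW)))   # two U+FFFD inside the word
    print(decode_joined(SUBJECT_RAW))            # РОСКОМНАДЗОР информирует
    for w in encode_words(decode_joined(SUBJECT_RAW)):
        print(w, "->", decode_each_word(w))      # each word decodes cleanly
```

The strict decoder is the one a mail client is allowed to be; the tolerant one is what most real clients do, which is why the bug goes unnoticed until a stricter reader meets it. The encoder shows the cheap fix on the sending side: measure the budget in bytes, but advance only whole characters.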

Not everything went as smoothly as one would like, but the main task was nonetheless accomplished: the request was submitted and the reply was received. Moreover, my application was recognised as false and rejected.

Conclusions

The most interesting part, of course. The Captain Obvious conclusion, that the system works, we have already drawn. The question is whether an information product like this can really be considered of sufficient quality to be used (potentially, of course) by users across the entire country. Was it really impossible to do without this kind of hack-work (not the most terrible, I admit) in the implementation of the web front end of this project?

PS: I will answer the question "why didn't you tell the developers about the bugs" straight away: because, apparently, the site simply offers no obvious way to do that.

PPS: An obvious question, to which perhaps I have not looked hard enough for an answer:
How much did such a technical solution cost the budget, that is, us taxpayers?

Source: https://habr.com/ru/post/192592/
