While I was talking to him, I was checking the shop he had problems with. I wouldn’t have bought from it. Here’s how I checked it:-

1. Check the Page

Open the front page of the site in one browser window and then use another window to get to a page that ought to be secure (the payment/checkout page is my usual one). Look at them both. Do either of them show any logos from well-known payment (Barclays, RBS, Protx, …) or security-checking services (thawte – who else?)? That’s not entirely reliable, but it’s usually a good sign because those companies attack people using their marks without permission.

Look at the payment/checkout page – does the address in the address bar start “https”? If so, is the padlock in the browser status bar (usually bottom right) closed? That usually means it’s encrypted with a Secure Sockets Layer (SSL) certificate.

2. Check the Certificate

Open the certificate details. In Firefox-based browsers, double-click the padlock, then click the “View Certificate” button. Then pick “Subject” in the second list box. Usually, it looks like this:-

Basic Certificate Screenshot

Some shops now use Extended Validation certificates and give a bit more information. Here’s one from a train company:-

Extended Validation Screenshot

3. Check the Registrations

By this point, the payment processing and actual transaction are looking pretty good. Finally, I check the recipient. Find the business details on the web shop. Does it include a geographic address? If it contains a company registration number, look it up on the Companies House website.

Then I find the business details on the domain names – you can use CoolWhois to look up domain names. If any of the addresses or numbers don’t match (Website, SSL Certificate, Whois), then I call them to ask why their website says they’re based in Bristol but their domain name is registered to Bolton. If they don’t answer messages, or – worse – the domain name says “Non-trading Individual” and the address has been omitted from the public listing, I give up on them and look for another shop. There’s no point securely paying someone that you can never reach if there’s a problem.

4. Buy Stuff and Check the Statements

All being well, I then buy stuff and check my credit card statement each month before I pay it. I think any web shop owner (or webmaster – I help some people with this sort of thing) should be taking care of the basics above. Do your shops measure up?

Despite the above checks, I can only remember not buying something online once in the last year. A couple of times, I’ve worked through the above steps and it’s changed which shop I bought from – and I’m pretty sure it saved me from losing £400 on one purchase.

For the technically-minded, Changes in Spam Levels this week Posted by simonw illustrates the level of disruption and may grow an interesting discussion from server managers – it seems the reduction is less than the 75% reported in some news services, but still significant.

This is great news for all good internet users. It’s disappointing if the spam hosting service won’t have to pay any of the costs they’ve inflicted on other computer users in some way. The only practical negative that I’ve noticed so far is that much of the stopped spam was pretty easy to identify and filter out, so the reduction in spam reaching my “unsure” mailbox hasn’t been anything like 50%. Still, less spam hitting the filters means less computer power used, which means less electricity and network data transfer used, which means lower costs for us. Yippee!

And finally, I smiled at this comment over on the WebmasterWorld discussion:-

“Our spam email has dropped so much in the past 2 days that I was beginning to wonder if there was something wrong with our email accounts.”

“Expat-like terms” – made available in a way that is freely sharable, modifiable and redistributable, similar to the Expat software package, whose terms are published at http://www.jclark.com/xml/copying.txt – this is often used as a clear, simple example for encouraging wide distribution of electronic resources (software).

“clandestine Google Analytics” – Google Analytics is a service from Google, Inc for tracking users through a website in various ways. I believe the Data Protection Act means that English websites should obtain informed consent from users by publishing a Privacy Policy on their site which discloses what the GA service will be used for and linking through to GA’s own Privacy Policy. Some websites attempt to run Google Analytics on users’ computers without explaining why and without any Privacy Policy. That is what I mean by “clandestine”.

“valid xhtml” – validating against the eXtensible HyperText Markup Language standards published by the World Wide Web Consortium (W3C) – the underlying language of the web. There is a test service provided at http://validator.w3.org/ and passing it is a key stepping stone towards making an accessible website. There’s not really such a thing as “invalid xhtml” – if it doesn’t pass validation, it’s not xhtml. So I guess I’m guilty of using a tautology sometimes – sorry about that.

Is it worthwhile knowing those three phrases? Are there other key technical phrases which you think site owners should know?

1. JavaScript or other crawler-unfriendly navigation that may impede indexing

This one is best avoided at design-time, by including Web Content Accessibility Guidelines 1.0 Level A in the design brief, but if you’ve ended up with JavaScript-based navigation on your site (check by doing “View Source” and searching for the code for your home page link and so on – if you can find it, then it’s probably not javascript) and it’s based on some template system, a webmaster can probably do a whole-site edit to put the navigation links in the page properly – or at least add a useful <noscript> tag.

2. Navigation that buries important pages within the site architecture.

The structure of the website’s files and the structure of the link menus do not need to match, so if there’s a page that you feel is important, get your webmaster to add it to the navigation links across the whole site.

3. Duplicate “pages” getting indexed under multiple URLs.

This usually happens for one of two reasons: one is inappropriately-parked domains, which is mistake 6 below and often fairly easy to fix; the other is a misbehaving web application, which you’ll need to get a programmer to fix.

You can do a simple test of your web application by starting at your homepage and following links to a particular page; then open a new browser window and try to reach the same page by different links (or a site search) and compare the address bars (the bit of your browser showing http://) – do they match? If not, you’ve got this problem.

4. No keyword phrase focus in the content or conversely, keyword phrase stuffing

You can use a good word-counter on the text to see how common different keywords and keyphrases, or use the “webmaster tools” section of some search engines to see what they’re focusing on.

Keyword-stuffing can be fairly easy to see. If you “View Source” on a page and there’s a large block of keyword-intensive text somewhere in it that doesn’t appear it when viewed in a browser, then it’s probably stuffing. Many sites regard stuffing as a sort of spam, so you don’t want to be found doing this.

To fix these problems, rewrite the page text appropriately.

5. An optimized home page, but that’s it

Repeat your checks from problem 4 on a few pages other than the home page to discover whether you suffer from this. Also, see whether your website statistics show search engine visitors arriving at a variety of different pages (these are sometimes called “Entry Page” statistics).

6. Additional domains owned by the company are not properly redirected

If you usually use .co.uk, but you also have a .com domain, try visiting a random page on your website, then click in the address bar and replace the .co.uk with .com – what happens?

If the page is Not Found, then your domains aren’t properly redirected and you need a Redirect adding to the second one.

If the page displays but the address doesn’t change itself back, then your domains are probably pointing at the same webspace but aren’t properly redirected, which will mean you’re probably making mistake 3 above. Usually, the simplest way to fix this is with a conditional redirect. On Apache webservers, you can add a .htaccess file containing something like:-

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.yourdomain\.co\.uk$ [NC]
RewriteRule (.*) http://www.yourdomain.co.uk/$1 [R=permanent,L]

That even works on BT Business web hosting, by the way. If it doesn’t work, try asking your web hosting provider to enable mod_rewrite for you or ask them to suggest how to achieve the same result.

The above list of mistakes was published on Search Engine Land last week. The correction methods are all things used by my webmaster cooperative.

The IoD has 52,000 members in the UK, many of them small to medium businesses who will be able to use this service at a reduced rate. The Microsoft Dynamics CRM offer will cost IoD members £35 per user, per month while non-members can subscribe for £45 per user, per month. There is an additional offer of one month’s service free if they sign up before June 2008.

For more information see IoD Hosted IT Services

“As the business environment becomes ever more competitive, our members need the tools and support to attract new customers while retaining their existing ones,” said Andrew Main Wilson, chief operating officer at the IoD.

The service will be hosted by Microsoft partner Rackspace.