Basecamp Initial Impressions & Extended Review
I have started to use the new project management system Basecamp from the fine folks at 37signals. I am very much impressed with the system, but I do have a couple of complaints. While usability may be their forte, security certainly is not. I have a couple of suggestions for the developers, and a whole heap o' praise.
Ok. Let's get the praise out of the way first.
- Basecamp is free to run a single project with, which is nice. 10 projects will cost you 20 dollars a month. This is a completely nominal fee for such an excellent product.
- Every page has an extremely polished design and functionality. So many little touches just make this application feel nearly perfect.
- When you alter the 10th item on a list of 50, you see a little fade when you save your changes, orienting you on the page. For more info, see this Signal Vs. Noise post
- Each page is accompanied by collapsible help boxes that not only have great information, but are easy to get out of your way once you no longer need them.
- Each section has clear notes to an admin on what a client will and will not see. This is very helpful if you have inter-company communications that are not for client eyes, or are just not ready for showing something.
OK. That being said, there are a few problems.
- You may only assign someone to one of their company's projects. This is no good for contractors who need access to the client's project and do not have projects of their own, per se.
- There is no security for the XML and iCal feeds. Not smart. These feeds should be removed completely until this has been addressed (although I understand that it is a larger problem than Basecamp). The following message is shown near each feed:
These feeds should definitely be password secured. iCal supports authentication via a pop-up while adding feeds, and most RSS newsreaders will support a URL similar to http://user:firstname.lastname@example.org/yourfile.rss. Users of NetNewsWire from Ranchero, see The NetNewsWire FAQ. A unique URL is only unique until someone's bot finishes cycling through all the options. There is no security through obscurity.
- A "forgot password" page should never give any information except to the legitimate user. View the following 2 pages:
Now, it may seem like a minor thing, but someone could harvest a lot of email addresses by plugging in values to the form. A better functional design is to ask the user for their email address and send their username to them that way.
- A "forgot password" link should never send a password out over a plaintext connection. Provide a hint to the user as a first line of defense. Provide a one-time URL as a second line of defense, with email confirmations at each step. This incorporates a second level of authentication (person X has access to person X's email account) and sends no information over plaintext or to a page where it is visible to a would-be attacker.
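Putting the two "forgot password" points together, here is an added example (mine, not Basecamp's code) of a reset flow that answers every request identically, so the form cannot be used to confirm addresses, and that mails a one-time, expiring URL instead of the password itself. The user table, mail outbox and `https://example.invalid/reset/` URL are constructed placeholders.

```python
import hashlib
import secrets
import time

# Constructed sample user store (username -> email); not Basecamp's schema.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

TOKEN_TTL = 900  # seconds a reset link stays valid

# sha256(token) -> (username, expiry). Only the hash is kept, so a copy of
# this table cannot be turned back into a usable link.
_pending = {}

# Stand-in for the mail sender: list of (recipient, message body).
outbox = []


def request_reset(email):
    """Step 1: the response is the same whether or not the address is on
    file, so nothing is revealed to someone plugging values into the form."""
    username = next((u for u, e in USERS.items() if e == email), None)
    if username is not None:
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[digest] = (username, time.time() + TOKEN_TTL)
        # The secret travels only to the account owner's mailbox.
        outbox.append((email, f"https://example.invalid/reset/{token}"))
    return "If that address is on file, a reset link has been sent."


def redeem(token, now=None):
    """Step 2: honour the one-time URL exactly once and only before expiry.
    Returns the username to hand to the set-new-password page, or None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # pop() removes the entry whatever the outcome, so a link can never be
    # replayed; hashing the guess first keeps the lookup timing uninformative.
    entry = _pending.pop(digest, None)
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```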
- There is no SSL on the site, with the exception of the payment screens. SSL is not free, so I understand why people don't automatically tack SSL on to a site. However, user information is just as important as credit card information. One problem that Basecamp faces in this regard is that each client gets their own subdomain on one of a handful of Basecamp URLs. To implement SSL for this setup would require getting an SSL certificate for each subdomain (cost prohibitive and unnecessary) or making a central login page for each main domain and using a cookie to store session ID information. This is more costly in terms of development time, but the extra security will be greatly appreciated by users.