No, you’re not drunk. This is my first english post: i planned to start writing in english a while ago but have never done that, as my audience is mainly italian. But i’ve decided to try and see what happens.
I’ve already written about Volunia, before and after trying it out. I plan to go deeper in details in the next few days, but now I want to show you some “geeky” things i’ve noticed in this search engine. I’m a sys/net admin, you know, so i couldn’t avoid opening WireShark to check what Volunia was doing and sending trough my computer (yes, this is the first time i’m really concerned about my privacy).
The first point: altough all POST data (profile and so on) is sent trough HTTPS to secure.volunia.com, the chat system (both public and private) is using Jabber trough HTTP (chat.volunia.com).
Searches too are using GET trough HTTP. This could be a concern, so I hope a full-HTTPS version will be released in the next months (they’re years that Google is available over HTTPS).
Second point: do you see something strange in the following screenshots (click on it to see a larger version)?
Have you noticed that “wp-content”? It’s the default WordPress directory to store themes and uploads! That’s… strange. Looks like it’s only used for their news page (http://en.volunia.com/news/), but i’m not sure: why leave the WP login page open to the world? It’s just matter of some .htaccess lines.
I decided to check active connections using “netstat” and this way I noticed that… The Volunia team doesn’t know what PTR records are. All their IP are still using the default Tiscali reverse records. Not a real concern, right, but a proper reverse dns records use makes netadmin’s work of monitoring their networks simplier. You can check what your users are connected to with a click, configure your firewalls to always accept outgoing traffic for hosts whose PTR ends in *volunia.com, and so on.
Anyway, this forced me to further study DNS records. I discovered that, while the main Volunia website (www.volunia.com) is behind Level3’s CDN, other services aren’t.
Both chat.volunia.com and secure.volunia.com are located in Italy. Is this only for testing purposes or is the system set to be used by the public this way?
Latency could be another concern, as I said in my first post: Italy is not the best place to put servers that need to be reachable all over the world. But, let’s look at NS records:
Do you see that? Those are default NameCheap (or Enom)’s DNS servers. Why not use an in-house solution or a more professional service, like dyn.com or Route 53? Everything but not lowcost services, please: Route53 is only $6 per year!
Some other random notes:
Received: from [127.0.1.1] (pitps004.volunia.net [172.27.38.204]) by pitsrv03.volunia.net (8.13.8/8.13.8) with ESMTP id q19F4dJj031611 for <GiorgioBonfiglio>; Thu, 9 Feb 2012 16:04:39 +0100
Ouch. I tought they were planning to grow and become a little bigger than 172.16.0.0/20 :(
I’m also wondering how many Power Users have been given access to Volunia as of today. Marchiori spoke about 100.000 PU, but, Volunia’s statistics tell a different story. How many users are using Volunia if only 200 are in the homepage?
Finally, I STRONGLY hope this “.NET” is just a “fake” header to prevent sites from blocking their bot and that Volunia is not Windows-based. Windows is killing big websites.
18.104.22.168 - - [09/Feb/2012:11:59:02 +0100] "GET /volunia.txt HTTP/1.0" 200 33 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:22.214.171.124) Gecko/20100625 Firefox/3.6.6 ( .NET CLR 3.5.30729)"
I’ve reported to Volunia’s team everything the WordPress thing and asked to properly set PTR records.