EditLive!, FTP and your server security

Summary

FTP, or File Transfer Protocol, is a protocol used to transfer information from one computer to another over a network connection. This article outlines how EditLive! uses FTP to transfer information, what security risks arise from this use of FTP, and what measures can be taken to reduce these risks.

More Information

How EditLive! uses FTP

Depending on the mode in which EditLive! is running, FTP is used to transfer information from the host server to the client that is running EditLive!. If HTMLString mode is being used, the only reason for FTP is to upload images from the local machine to the server, or to access images directly from a remote server. If FTPStandard or FTPFileManager mode is being used, FTP is additionally needed to transfer the files that are to be revised within EditLive!.

How FTP settings are defined in EditLive!

In order to establish an FTP connection between the server and the client, the following properties need to be set 

Security issues

Several minor security issues arise from setting the properties in this way. Because the username and password are set in the hosting page's script, anybody who has access to this page can view its source and obtain those credentials. This could lead to unauthorized access to the server involved.

Security solutions

In order to establish a connection to the server, the minimum settings that must be included are the FTP server name and port number. These, however, do not pose much of a threat to server security as these settings are often readily available.

In the case of setting the username and password there are several ways to minimize the security risk. Firstly, it should be considered that if a user has accessed this hosting page they might have already undergone some kind of user authentication to reach this point in the system. In this case including the username and password in the page script is not much of a threat.

In the case where no prior security checks have been made, these properties can be left out. When the hosting page reaches the point where it tries to establish a connection it will prompt the user for the username and password. In this situation, the only security risk is the interception of this information over the connection as this information is usually sent in clear text.

EditLive! 2.1 Service Pack 2 SDK also now comes with a Password Encryption Tool. This tool allows you to replace your FTP password with an encrypted string when setting the FTPPassword property. This stops users from being able to obtain your FTP login account details from the source code of your EditLive! pages. For more information on this tool please see the Password Encryption Tool documentation.

If all of the users are accessing the same information on the server (e.g. a collection of images), one solution is for the server administrator to set up a section of the server that contains all the information required. Access to this section can be via a generic username and password (such as "images" and "password"). In this way, users' access to the server is limited to only this particular section, and if the username and password are compromised it does not represent a big security risk.

Lastly, the definition of the initial directory can also limit the user's access to the server. When the initial directory is set, the user only has access to the files in that directory and its sub-directories. This can be used to protect unauthorized viewing of other information on the server.
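An audit check a site owner could run over their EditLive! hosting pages to find the exposures described above, added here as an illustration; it is not code from Ephox or the EditLive! SDK. Only the FTPPassword property name comes from this article: FTPUsername, FTPInitialDirectory, and the two ways of setting a property (an applet `<param>` tag and a `setProperty()` call in script) are assumptions that must be mapped to the real page syntax before use.

```python
import re
from typing import Dict, List, Tuple

# Only FTPPassword is named in the article. FTPUsername and FTPInitialDirectory
# are assumed names for this example and must be mapped to the real properties.
PASSWORD_PROP = "FTPPassword"
USERNAME_PROP = "FTPUsername"
INITIAL_DIR_PROP = "FTPInitialDirectory"

# Two assumed ways a hosting page can set a property:
#   <param name="FTPPassword" value="secret">   (applet/object parameter)
#   setProperty("FTPPassword", "secret")        (call in the page's script)
PARAM_RE = re.compile(
    r'<param\s+name\s*=\s*"(?P<name>[^"]+)"\s+value\s*=\s*"(?P<value>[^"]*)"', re.I)
SCRIPT_RE = re.compile(
    r'setProperty\s*\(\s*"(?P<name>[^"]+)"\s*,\s*"(?P<value>[^"]*)"\s*\)', re.I)

def extract_properties(html: str) -> Dict[str, str]:
    """Collect every property name/value pair set anywhere in the hosting page."""
    props: Dict[str, str] = {}
    for pattern in (PARAM_RE, SCRIPT_RE):
        for match in pattern.finditer(html):
            props[match.group("name")] = match.group("value")
    return props

def audit_hosting_page(html: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings about FTP credential exposure."""
    props = extract_properties(html)
    findings: List[Tuple[str, str]] = []
    if props.get(PASSWORD_PROP):
        # Anyone who can view the page source can read a literal password.
        findings.append(("high", f"{PASSWORD_PROP} is hard-coded in the page source"))
    else:
        # With no password in the page, EditLive! prompts the user at connect time.
        findings.append(("info", "no password in page; user will be prompted"))
    if props.get(USERNAME_PROP):
        findings.append(("medium", f"{USERNAME_PROP} is hard-coded in the page source"))
    if props.get(INITIAL_DIR_PROP, "/") in ("", "/"):
        # Without an initial directory the account is not confined to a subtree.
        findings.append(("low", "no initial directory restricts the FTP account"))
    return findings

# Constructed sample pages: one embeds credentials, the other relies on prompting.
EXPOSED_PAGE = """<applet code="EditLive">
<param name="FTPUsername" value="webmaster">
<param name="FTPPassword" value="hunter2">
</applet>"""
HARDENED_PAGE = '<script>setProperty("FTPInitialDirectory", "/images");</script>'
```

Run `audit_hosting_page()` over each deployed hosting page and treat any "high" finding as a password that must be moved out of the page or replaced with the Password Encryption Tool's encrypted string.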

EditLive! and firewalls

EditLive! allows content to be accessed via FTP through firewalls. For more information relating to EditLive!'s firewall functionality please see the EditLive! Firewall Facility article.

Conclusion

EditLive! uses FTP to transfer information between the host's server and the EditLive! user's local machine. By utilizing this protocol there is always going to be a minimal security risk. Several options are available to eliminate these risks. Such approaches include:

  • using the Password Encryption tool to encrypt the FTP password included in the FTPPassword property;
  • allocating a specific area on the server for users;
  • having users undergo authentication prior to reaching the hosting page; or
  • having the server prompt for the username and password when the connection is established.

Ephox appreciate the importance of maintaining server security and are constantly striving to incorporate features to help promote this. These measures, working in conjunction with existing server defence mechanisms, should minimize the possibility of any security breaches.

Related Reading

Ephox EditLive! 4.0 API Reference Guide

Password Encryption Tool

FTP Set-up and Troubleshooting

FTP File Manager Troubleshooting

Copyright © 1999-2005 Ephox Corporation. All Rights Reserved. 'Ephox' is a registered trademark of Ephox Corporation.
Java and the Java Powered logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.