Donald S. Booth
Contribute Technical Support Team Lead
Macromedia
Security Enhancements in Macromedia Contribute 2
The release of Macromedia Contribute 2 introduces enhancements that not only make connecting and editing faster, but make it more secure. This article describes how to use these new features and how Macromedia implemented them.
Secure FTP
Secure FTP (SFTP) is a widely used protocol that encrypts FTP login information. Standard FTP sends the login information in plain text, leaving that information susceptible to theft. SFTP encrypts this information before it sends it, protecting it from theft. Many universities and government agencies use SFTP exclusively for transferring files to and from servers.
SFTP was one of the top feature requests for Contribute 2, and we are happy to include it. SFTP encrypts the login ID, the password, and the actual data being passed. Contribute supports SFTP over SSH2, with password-based authentication only. (Other mechanisms, such as "certificate-based" authentication, public key methods, and Kerberos, are not supported.)
Using SFTP in Contribute
Using SFTP in Contribute is very simple and is similar to setting up a regular FTP connection. Ask your system administrator if you are unsure of the server type being used.
Figure 1. The Contribute connection wizard.
To set up a secure FTP connection:
- Browse to the root of the site to be edited.
- Click the Make Connection button. Click Next.
- Enter your user name and e-mail address. Click Next.
- The URL for the site root should be filled in. If not, or if you want to choose a different page as the root, enter the URL or browse to it. Click Next.
- In the Connection Information Panel, choose SFTP from the pop-up menu.
- Enter the name of the SFTP server. (Use the form sftp.servername.com, or use whatever connection information the admin has issued.)
- Enter the login and password for the site. Click Next.
- Contribute will then verify the connection information. If needed, you will be prompted to select a user group to join. The administrator will have this information.
That's it! You are now ready to edit the site.
As with FTP, the actual security measures are taken within the program, so no additional information is needed to make a secure connection. Be warned: SFTP and FTP are not interchangeable. If you are setting up a connection to a regular FTP server, do not choose SFTP, or the connection will fail. Choosing an FTP connection to an SFTP server will also fail.
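When the server type is unknown, the first line the server sends tells FTP and SFTP apart: an SSH server opens with an identification string, while an FTP server opens with a numeric reply code. The following is an added example, not part of Contribute or of the original article; `classify_banner` and `read_banner` are hypothetical helper names, the sample banners are constructed, and it assumes the server sends its identification as the first line.

```python
import re
import socket

# RFC 4253 section 4.2: the server opens with "SSH-protoversion-softwareversion".
SSH_ID = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")
# RFC 959: an FTP server greets with a three-digit reply code, normally 220.
FTP_REPLY = re.compile(r"^(\d{3})[ -]")


def classify_banner(banner: str) -> str:
    """Map a server's first line to the connection type to pick in the wizard."""
    line = banner.strip()
    m = SSH_ID.match(line)
    if m:
        # "2.0" is SSH2; "1.99" means the server speaks both SSH2 and SSH1.
        if m.group(1) in ("2.0", "1.99"):
            return "sftp"
        return "ssh1-only"  # no SSH2, so SFTP over SSH2 cannot work
    m = FTP_REPLY.match(line)
    if m:
        return "ftp" if m.group(1) == "220" else "ftp-not-ready"
    return "unknown"


def read_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Read the first line a server sends after the TCP connect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 512:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", errors="replace")


# Constructed sample banners (not captured from any real server).
SAMPLES = [
    "SSH-2.0-ExampleSSHD_1.0\r\n",
    "SSH-1.99-ExampleSSHD_1.0\r\n",
    "SSH-1.5-OldExampleSSHD\r\n",
    "220 ftp.example.com FTP server ready\r\n",
    "421 Service not available\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.strip():45} -> {classify_banner(s)}")
```

Against a live server, pass the result of `read_banner(host, 22)` or `read_banner(host, 21)` to `classify_banner`; those are the conventional SSH and FTP ports, and an administrator may have assigned others.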
If you are using a connection key to an SFTP server, you only need the password to the key. Contribute takes care of the rest. (Some keys may ask for the SFTP login and password. This depends on how the administrator prepared the key. If the key does ask, the administrator will have the needed information.)
Password Protection
Another oft-requested security feature for Contribute was password protection. We are pleased to say that this is now a reality.
Contribute is a unique product in that it allows direct editing (and therefore access) to files on the web server. While making editing quick and convenient, direct access to the web server can be an open door to havoc. Any computer with Contribute 1.0 that is left unattended with Contribute running can give an unknown user access to the server. Now, with Contribute 2, you can set a password that is needed to edit with the program. It works like this:
In the Contribute Preferences (Edit > Preferences), there is now a Security option. Click Security to bring up this new security option.
Figure 2. The password security preference.
There is a "Require Contribute startup password" checkbox in the security preferences. Check this box to enable the password fields.
Fill in the password field and then repeat to verify. Once you have completed this process, Contribute becomes more secure for the following reasons:
- This sets Contribute so that the password is required upon startup. Enter the password and Contribute will open, ready to edit.
- Contribute will further encrypt the stored passwords for established sites on the machine. This makes that information more secure.
Note that there are only five placeholder spaces displayed in the password fields. This prevents people from seeing the actual number of characters in the password. Enabling the password prevents unauthorized people from walking up to the machine, opening Contribute, and editing away.
As with all passwords, it is important that you remember the password. Contribute will give you three chances to get the password correct. After the third failed attempt, the program opens, but Contribute disables all of the sites. You cannot edit pages, but you can export or cancel any open drafts. Close and reopen the program to try the password again.
If the password is truly forgotten, the only way to recover is to remove all the sites. Removing sites is still allowed when the program is restricted after failed password entry.
Once you have discarded all the site connections, you can reset or disable the password. You then need to re-establish the site connections.
An administrator may choose to enforce the startup password for access to the site. He can add this requirement to connection keys. If the administrator chooses to force a startup password, the connection key announces this requirement, and clicking OK to that message opens the startup password dialog. Fill in the fields and click OK. The connection key then finishes the connection. If any single connection key requires the startup password, Contribute requires the password when you log on. If you do not enter the password correctly, Contribute will disable all the sites to further editing, not just the site that required the startup password.
As an additional safety feature, if, at any time, an administrator enables a startup password, Contribute further encrypts all the stored passwords for defined sites. This happens through a double encryption algorithm that increases the encryption for the site login passwords stored in the registry. This doesn't change the actual login passwords, only how they are stored locally. While Contribute 1.0 encrypted the passwords, Contribute 2 increased the security of this data.
Remember, the only way to disable the startup password is to remove all site connections and then uncheck the Security Preference checkbox. You then have to reset the site connections.
Admin with Startup Password
Contribute administrators can choose to send connection keys with or without requiring a startup password. When making a connection key, Contribute uses the current password setting of the administrator. If the administrator requires a startup password, the connection key requires one as well. If the admin does not, the key will not. This is the case when the administrator chooses “Use my current connection settings” in the initial key creation dialog. Choosing “No, I would like to customize…” will allow the option. Click Next and the Connection Information panel will appear. This is where you can set the custom connection information. Clicking the Advanced dialog brings up the option to require a startup password for this site.
Figure 3. The Advanced Connection Settings dialog.
The startup password is not established in this key, but the key will prompt the recipient to establish the startup password, if he has not already.
Note: You can also set the Require Startup Password while making any regular connection by going to the Advanced dialog when entering the FTP or Local/Network information.
The security improvements in Contribute 2 will go a long way towards 1) securing sites from hackers by encrypting the login names and passwords with the Secure FTP implementation and 2) securing websites by requiring a password to start Contribute. Plus, the FTP client has been entirely rebuilt and is much faster than in Contribute 1.0. The progress dialogs have also been expanded to give more feedback as to what Contribute is doing while downloading and publishing.
These improvements should allay the fears of many users who were wary of the security shortfalls in Contribute 1.0. These features should allow many more people to incorporate Contribute into their daily web workflow.
About the author
Donald started his career at Macromedia as a support technician for Authorware. From there he moved on to the Dreamweaver team, where he served as a team lead. He is currently the Product Team Lead for Contribute tech support. He recently co-authored Inside Dreamweaver MX from New Riders Publishing. Have some laughs and check out his photos at www.dbooth.net.