Discover the pros and cons of various ways of getting a web site onto a web server
Some versions of Dreamweaver, for example, may add the path you specify for ftp uploads to the web address, so it’s vital to double check. An unnecessary /web in one of the paths, for instance, will mess up browser previews and cause havoc with any absolute links.
Transfer security
Now you should be clear on the difference between your site’s URL, the hostname of the computer that it’s saved on and the path to the site’s files. How about the uploading?
As I said, ftp is one of the most common solutions; it’s also a good one to avoid if you possibly can. Like some of the other early Internet protocols, with ftp your password is sent in clear text from client to server, which in itself is a security risk if someone’s using a network packet sniffer.
More serious is the fact that some of the popular versions of the ftp server software have had rather a lot of security holes over recent years. Pop an ftp server on the Internet, and it will be scanned and probed frequently by people looking to exploit the vulnerabilities.
If they find one, you may end up with a site that’s defaced, or a system that’s compromised and used to help attack others.
If your web server uses ftp, my advice is to turn it off and use something else more secure. If you can’t turn it off, then you should ensure there’s a decent firewall configuration that only accepts connections to ftp from trusted IP addresses.
So, if ftp isn’t a reasonable solution for uploading pages, what is?
There are three alternatives you may come across. First up, Front Page extensions, which are a way of making your web server cope with the non-standard junk produced by some versions of Microsoft’s web-editing tools.
You can even get these extensions for Unix/Linux systems, but I wouldn’t recommend it. Code web pages to a proper standard instead, and avoid patching your Apache installation for Front Page; last time I did it, the security was so fiddly to get right I decided it was safer not to bother.
If you’re using Front Page, make sure you don’t rely on the extensions, and don’t use the built-in upload tool.
WebDAV is a web-based file-sharing system, supported by some servers and web editors; it’s fairly simple to use, but chances are you won’t find it on that many web servers, and there aren’t any compelling reasons to use it.
The best solution, for most people, is to use scp/sftp. These are part of the ssh (secure shell) family – tools that provide complete end-to-end encrypted links between two systems, with secure login so passwords aren’t sent over the net in a readable form.
If your web-hosting provider doesn’t have ssh/scp turned on, then you should ask them to enable it; if you’re running your own server, use it in preference to Telnet and ftp, but remember that, like any server-side piece of software, you do need to make sure it’s up to date with security fixes.
Using scp and sftp
Some web-editing tools have support for sftp built in; for example, in Dreamweaver MX on the Mac, you use the tick box for ‘Use secure ftp’, while on Windows the option labelled ‘Use SSH encrypted secure login’ will secure the connection, but you have to download additional software.
If you don’t have sftp support built in to your web editor, or if you’re using Dreamweaver MX on Windows, you can download software; PuTTY is one of the best known, from chiark.greenend.org.uk/~sgtatham/putty.
The putty.exe program provides you with an ssh facility, which Dreamweaver can use, while psftp.exe is a command-line tool for secure ftp, which works just like ordinary ftp but with a secure connection.