
Joomla! Security and unsafe Sex


I will probably disappoint you by saying that this post is not about sex, and certainly not about unsafe sex. In my presentation on Joomla! security at the Swiss Joomla!day I compared Joomla! security with unsafe sex.

I started my presentation by asking whether Joomla! is safe, followed by the question whether the web in general can be considered a safe place. For the web the answer is pretty clear: companies make big money selling all kinds of protection, such as virus scanners, firewalls and anti-spam tools, and we regularly see reports of sites being hacked or compromised, credit card data being stolen, or sites being abused for denial-of-service attacks. So I think everyone will agree that the web is not a safe place by default. The same is true for unsafe sex: if you don't take precautions, you can catch a disease, and some of those can be pretty serious.

When we look at Joomla!, the question whether it is safe by default can be answered in several ways, but as with the Internet the default answer of course is no. That holds for every web solution, so let's look at the possible answers to the question "Is Joomla! safe?"

Answer 1: By default the Joomla! code base is considered very safe. When a high-severity security issue is found it is fixed very fast. We don't pretend it will still be safe tomorrow, because the hackers will keep trying to do their dirty job.

Answer 2: By default the Joomla! code base is considered safe, but without a safe hosting environment even the most secure Joomla! release can be compromised.

Answer 3: By default the Joomla! code base is considered safe, but without properly vetting the extensions you install, your site can be compromised by the first unsafe extension you ever add to it.

Get the picture? I could probably come up with even more answers and combinations, but that is not what this is all about. Web security is first of all about awareness. Do you understand the risks your site is exposed to? Do you have an idea what precautions you can take to make your site as safe as possible? Do you have a (preferably simple) strategy to maintain the desired level of safety?

The debate around Joomla! security is intensifying in our forums and blogs. In many of these cases we see that people who got compromised simply had not taken a basic set of precautions, or, even worse, simply don't care about setting up a basic line of defense.

In these situations we could of course counter their complaints about Joomla! being insecure by asking whether they also have unsafe sex, or, a bit less directly, whether they run a virus scanner on their own system. I assume that in most cases people will answer "of course I protect my personal computer, that's logical, everyone knows you should do that", or, coming back to the sex example, "of course we don't have unsafe sex".

Why do we see so many examples of people who have not taken the proper precautions to protect their site? I have not done in-depth research, but I have some ideas:

  • You can install Joomla! in basically any environment that has a web server and MySQL running. This ease of use gives people the impression that all the complexity of protecting the web site is taken care of automatically. Joomla! is a very popular content management system; millions of people use it, but the flip side of that success is that the platform is also attractive to the army of hackers.
  • Joomla! has several thousand extensions available and even more templates. Not every extension developer is a web professional familiar with the best practices for building safe extensions. Sometimes extensions are no longer maintained, and when a vulnerability is found it is not fixed. End users and site administrators often lack the knowledge to set up a safe environment.
  • There are surely more reasons I could come up with, but the most important thing I have come to realize is that people in general tend not to read the available information and just assume that certain topics are covered for them. Maybe we should make Joomla! less easy to use...

What I try to do in the security presentations I give is explain to people why security is important and what they can do to make their site more secure. I also explain what people can do if they get compromised and how the Joomla! working groups operate. All of this is meant to give people a better understanding of how to protect their sexy Joomla! site from having unsafe sex.

In the upcoming weeks the jfoobar team will try to cover some of the topics that are important for better securing your Joomla! site. Stay tuned!

About the author Wilco Jansen

Wilco was born in 1967 in the Netherlands, where he still lives. After years as a programmer Wilco has worked as a project manager and IT manager. He discovered Joomla! while creating his own content management system and never lost focus since then. He joined the core team as development coordinator in May 2006, just helping to make Joomla! even better than it already is. Wilco has been deeply involved in the Joomla! project as Google Summer of Code program manager for the 2006, 2007 and 2008 editions, co-organizer of the Google Highly Participation contest in 2008, first ever development coordinator, creator of the Joomla! Bug Squad, member of the board of Open Source Matters, regular speaker at conferences worldwide advocating Joomla!, and much, much more. Wilco has a bachelor's degree in business and information engineering and studied for a Master of Science in knowledge and information engineering at Middlesex University in London.


There are 5 comments posted.

Re: Joomla Login

# 1 - Posted by: Guest on 2009-11-10 00:10:51

Sorry if this is off topic, but I am worried about my Joomla! site's admin login info when I use free wifi or other public networks. Is there a way in Joomla! to not send my username and password in clear text? I do not have SSL.

# 2 - Posted by: Wilco Jansen on 2009-11-10 08:18:49

No, that is not possible. You need HTTPS activated if you don't want your username and password to be passed through the air in clear text...

# 3 - Posted by: Guest on 2009-11-11 00:16:52

Thanks for the reply.

After some struggle, I found this

http://codingmall.com/products-mainmenu-8/37-secure-login-plugin-without-ssl

looking nice, btw.

# 4 - Posted by: Wilco Jansen on 2009-11-11 07:45:51

Well, that is interesting... in my opinion even impossible. Why? The username and password are put into an HTTP form (POST) and sent unencrypted to the server; if you are not using HTTPS you are not safe, it is that simple in my opinion, unless there is some JavaScript that encrypts the entries, but even then the algorithm used to encrypt can be intercepted very easily... just run HTTPS and you are fine. Any self-respecting provider will offer you some kind of service in this area; if not, choose another provider ;-)

# 5 - Posted by: Marius van Rijnsoever on 2009-11-11 12:09:18

Some software packages already implement this (SMF for example). They use JavaScript to hash any clear text (using the current session id) before it is submitted to the software itself. That means that even if you do not use SSL, any username/password is not readable.

http://forum.joomla.org/viewtopic.php?f=500&t=306247&hilit=+password

Work has even been done on this already, and a whitepaper has been submitted to Joomla!. Not sure if it is being considered for the Joomla! core.

Thanks, Marius
