Joomla! Discussion Forums
Posted: Mon Sep 12, 2005 6:04 am 
Joomla! Guru

Joined: Thu Aug 18, 2005 9:12 pm
Posts: 961
Location: UK
Will Joomla! have SSL capabilities integrated?

How nice would it be to secure the backend via SSL with a simple option in the admin panel, maybe even at installation.

Maybe I am dreaming, hopefully not.

Lee

Posted: Mon Sep 12, 2005 6:30 am 
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2399
Location: Marikina, Metro Manila, Philippines
Yes J! will support SSL.
This functionality is already in the Joomla! 1.1 pre-alpha code.

It is a setting that will be configurable via the admin panel and set for individual menu items if necessary.

_________________
God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.

Posted: Mon Sep 12, 2005 6:43 am 
Joomla! Guru

Joined: Thu Aug 18, 2005 9:12 pm
Posts: 961
Location: UK
Nice.

Posted: Mon Sep 12, 2005 11:30 am 
Joomla! Explorer

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
That is good news!

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

Posted: Fri Sep 16, 2005 1:23 pm 
Joomla! Intern

Joined: Fri Aug 19, 2005 11:12 pm
Posts: 67
stingrey wrote:
It is a setting that will be configurable via the admin panel and set for individual menu items if necessary.


Outstanding!

Individual menu items - this will be a big help :D

Thanks :)

Posted: Sun Sep 18, 2005 10:24 am 
Joomla! Intern

Joined: Fri Sep 16, 2005 11:07 am
Posts: 87
Location: UK
Fantastic. Yet again, proof that this project is taking things seriously and is fully worthy of all the praise it gets.

I look forward to seeing this appear in v1.1

As an extension of that question, however, do you feel it will be extensible into the general login panel on the homepages as well?

At its worst level, if a user's 'view only' username/password is identical to their admin not (not really safe I know, but nonetheless) then logging in to view the site will send the auth data in clear, leaving the possibility for snooping?

Even if we accept that an admin will generate a standard non-admin 'client' user, to simulate what her/his visitors are going to see, there is still the possibility that standard registered user logins will get snooped. If that happens, both the information that user/pass combo is responsible for publishing and, particularly, any tie-ins to payment mechanisms for goods/services become open to abuse.

Interested to have your feedback. Thanks.

Posted: Tue Sep 20, 2005 1:08 am 
User avatar
Joomla! Intern

Joined: Wed Aug 17, 2005 10:11 pm
Posts: 85
You don't have to publish the login form on the frontpage. You can set it up as a login component in a separate page with SSL enabled; otherwise you'll have to enable SSL for the whole site.

_________________
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template

Posted: Tue Sep 20, 2005 8:49 am 
Joomla! Intern

Joined: Fri Sep 16, 2005 11:07 am
Posts: 87
Location: UK
A valid point, thank-you.

I assume that the client/browser gets issued some form of token once the user is authenticated so that user/password data isn't passed back to the server with each request?

Posted: Tue Sep 20, 2005 11:20 am 
User avatar
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 823
DominicWilson wrote:
I assume that the client/browser gets issued some form of token once the user is authenticated so that user/password data isn't passed back to the server with each request?


That's true. The password is stored in a cookie as an MD5 hash. The one-way encrypted password is sent back to your site for every request a user makes.

_________________
We may not be able to control the wind, but we can always adjust our sails

Posted: Tue Sep 20, 2005 4:34 pm 
Joomla! Enthusiast

Joined: Thu Sep 08, 2005 2:26 am
Posts: 152
Wow! This is going to make my life so much easier!

I have one Mambo site that uses both http and https. All logins go through https, and all public traffic is http. The only way I could get this done was to have two installs of Mambo (domain.com and sub.domain.com), both pointing to a single DB. The files in each install had to be identical, except for the configuration.php file. SSL was on the subdomain. Login was a link directed to the sub domain.

Works well enough, but it takes up twice as much space, and any new add-ons / upgrades are twice the work.

Posted: Tue Sep 20, 2005 4:49 pm 
Joomla! Guru

Joined: Thu Aug 18, 2005 9:12 pm
Posts: 961
Location: UK
I have a new site that I need to develop with HTTPS. The site has to be developed in less than a month; it is only a small site so it shouldn't be a problem, except for the secure elements, which are causing me all kinds of problems. I guess it is too much to ask for 1.1 to be out in less than a month.

Or is it?

Thanks
Lee

Posted: Tue Sep 20, 2005 8:53 pm 
User avatar
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 823
BrianB wrote:
I have one Mambo site that uses both http and https. All logins go through https, and all public traffic is http. The only way I could get this done was to have two installs of Mambo (domain.com and sub.domain.com), both pointing to a single DB. The files in each install had to be identical, except for the configuration.php file. SSL was on the subdomain. Login was a link directed to the sub domain.


Here's how I do the SSL stuff with just one installation and only one configuration.php file:

I replaced the "$mosConfig_live_site" line with the following in configuration.php and made the file unwritable afterwards so that it can't be overwritten by Joomla!
Code:
// Pick the live-site URL from the port the request arrived on, so one
// configuration.php serves both the HTTP and the HTTPS virtual host.
if ($_SERVER["SERVER_PORT"] == 443) {
  $mosConfig_live_site = 'https://www.mydomain.tld';
} else {
  $mosConfig_live_site = 'http://www.mydomain.tld';
}


In the menu I put a link that leads the user directly to one content item on the SSL-secured site, offering to log in there. Once he is on the secure site, he stays there unless clicking a link that leads him back to the site on port 80. This happens for example when clicking on some links in the forum that have the full path of the "insecure" site in it. The user stays logged in on that site as well, as both sites use exactly the same database. The login cookie gets sent back to both sites, since the domain part is exactly the same - only the protocol is different.

There is one problem though: if a user is on the page displaying the login form, he might just change the https to http in the URL and is on the insecure site again. Then his password would be sent over the line in clear once when logging in.

_________________
We may not be able to control the wind, but we can always adjust our sails
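A defensive counterpart to the https-to-http downgrade described in the post above, added here as an example that is not from the thread or from Joomla's own code: it reuses the port-443 test from the configuration.php snippet, bounces any login request that did not arrive over SSL back to the https URL on a fixed host, and marks the session cookie Secure so it is no longer sent to the port-80 site. The function names and the www.mydomain.tld host are assumptions for illustration.

```php
<?php
// Added example (hypothetical helper names, not Joomla's API). Assumes the
// same host serves both the HTTP and HTTPS virtual hosts, as in the thread.

function request_is_secure(array $server): bool
{
    // Same test as the configuration.php snippet: port 443 is the SSL vhost.
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    // Also honour HTTPS=on, which mod_ssl sets regardless of the port.
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';
}

function secure_login_url(array $server, string $host): string
{
    // Rebuild the current request on the https scheme. The host is fixed by
    // the caller rather than read from the Host header, so a crafted header
    // cannot redirect the user to another site.
    $path = $server['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return 'https://' . $host . $path;
}

function enforce_secure_login(array $server, string $host): ?string
{
    // Returns the redirect target, or null when the request is already on SSL.
    return request_is_secure($server) ? null : secure_login_url($server, $host);
}

// Usage at the top of the login page, before any output is sent:
$target = enforce_secure_login($_SERVER, 'www.mydomain.tld');
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}

// Once on HTTPS, set the session cookie with the Secure (and HttpOnly) flags
// so the browser will not send it back over the port-80 site. The trade-off
// is that the login state is then NOT shared with the insecure site, which
// is exactly what stops the cookie from being exposed in the clear.
session_set_cookie_params(0, '/', 'www.mydomain.tld', true, true);
```

Constructed check: with `SERVER_PORT` 80 and `REQUEST_URI` `/index.php?option=com_login`, `enforce_secure_login()` returns `https://www.mydomain.tld/index.php?option=com_login`; with `SERVER_PORT` 443 it returns null and the page proceeds.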

Posted: Wed Sep 28, 2005 12:25 pm 
Joomla! Intern

Joined: Fri Aug 19, 2005 11:12 pm
Posts: 67
Is SSL working in Joomla? I wasn't sure if it was still kind of beta.

Many thanks :)

Posted: Wed Sep 28, 2005 12:27 pm 
User avatar
Joomla! Master
Joomla! Master
Offline

Joined: Thu Aug 18, 2005 7:13 am
Posts: 13256
If you take a look at the second post by Stingrey, you will see that it is implemented in 1.1 Alpha code. This basically means that it is not even Beta yet.

_________________
Antonie de Wilde - Forum admin
All Joomla! release dates and days between releases: http://jfoobar.org/blog/189-days-betwee ... a-releases.test

Posted: Wed Sep 28, 2005 12:34 pm 
Joomla! Intern

Joined: Fri Aug 19, 2005 11:12 pm
Posts: 67
Okay, thanks. I wasn't sure if anything had happened since rey's post.

Posted: Fri Sep 30, 2005 4:07 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
friesengeist's solution looks close to what I'm thinking of. What if in fact there are two machines, one with HTTP content and one with HTTPS content. When users submit a registration form, and my manager approves it, they get back a new URL to log in to the secure server. The HTTP server just provides a form to request access. When they get on the HTTPS server it contains a superset of the public content so it looks the same.

Now there are no HTTP requests when a registered user moves around--it's all on a separate HTTPS server.

But how do I easily maintain both sites? It seems the simplest solution is not to put anything but HTML on the external site (no database or PHP); and every time the HTTPS site changes for stuff that should be on the public site, regenerate the HTML and copy it over. Then I just have to add some sort of script to detect changes to public content (look in .htaccess file--no problem)-- and then work out how to make the HTML pages to copy over (never done that before).

But a more elegant solution would be to extract stuff from the HTTPS site's database and insert it into the HTTP site's database only if it should be there, which would be some sort of PHP script I guess, which means looking into the schema instead.

Two work days approved to finish this project. Do I balk?

Posted: Fri Sep 30, 2005 4:28 am 
User avatar
Joomla! Explorer
Joomla! Explorer
Offline

Joined: Thu Aug 18, 2005 4:55 am
Posts: 326
Location: Atlanta, GA USA
Great stuff. This is one more reason why I'll be able to run Joomla on our corp site! Right now, our network engineers and sys admins say no, b/c they say it needs to be secure. I will be watching this very closely.

_________________
http://www.maxhyatt.com

Posted: Fri Sep 30, 2005 5:13 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
I think I have an interim solution using freeware website crawler HTTrack (http://www.htttrack.com)

(1) Set up HTTrack to crawl through pages on the HTTPS server as guest user, running on the HTTPS host.
(2) Copy files captured to HTTP server.

But this is not the best solution, obviously. I'd rather Joomla administered the external HTTP server directly.

I started looking through the database schema but at first blush, there's no simple way to distinguish data based on privilege, at least as far as I can tell. Perhaps there are some keys or something I didn't see.

Posted: Fri Sep 30, 2005 6:31 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
...but the URLs contain PHP, so the script also has to do some sort of generic substitution operation in the resulting URLs. I sort of thought it couldn't be that simple!

Posted: Fri Sep 30, 2005 6:55 am 
User avatar
Joomla! Ace
Joomla! Ace
Offline

Joined: Wed Aug 17, 2005 11:03 pm
Posts: 1356
Location: New Orleans, Louisiana
Easiest thing to do is have them both on the same machine and use an Apache virtualhost for both the secure and insecure sites pointing to the same document root.

Of course that's assuming you are using Apache.


Louis

_________________
Development Working Group Coordinator
http://webimagery.net - Consulting
http://jxtended.com - Solutions for Joomla! 1.5
A hacker does for love what others would not do for money.

Posted: Fri Sep 30, 2005 5:01 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
I thought about that, but I still don't see how that solves the problem.

For example suppose this is a dating website. Girls are not going to be very happy to know some hacker could break into the database and find out their weight.

I have a new idea. Instead of trying to select just the open stuff, I just export everything from the secure server as if for standard backup. I grep the results for any records I know are sensitive and replace them with a blank string. Then I import the results into the open server. Not fast, but perhaps that works at least.

Posted: Fri Sep 30, 2005 5:07 pm 
User avatar
Joomla! Ace
Joomla! Ace
Offline

Joined: Wed Aug 17, 2005 11:03 pm
Posts: 1356
Location: New Orleans, Louisiana
That doesn't make sense to me.... maybe I'm looking at it wrong, but if someone can access your database doesn't that speak to an insecure status of the database server and not the document system? The idea of SSL is to secure the information transfer between server and client, not to secure the files in a filesystem or the data in a database.

Louis

_________________
Development Working Group Coordinator
http://webimagery.net - Consulting
http://jxtended.com - Solutions for Joomla! 1.5
A hacker does for love what others would not do for money.

Posted: Fri Sep 30, 2005 5:26 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
So then I need two Joomla installations, each with different database users to access the database. How do I propagate changes from one to the other?

Posted: Fri Sep 30, 2005 7:34 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
Sorry, that wasn't clear (not enough sleep). I can see making the database secure by setting up different databases for the HTTP and HTTPS sites. For example the HTTP site has user1 accessing database01, and the HTTPS site has superuser accessing database02. What would be the simplest way to determine which tables and rows in the parent site, database02, should propagate to the child site, database01?

Alternatively, if both users access database01, how do I set up which records are only visible to user1? As far as I can think, both approaches resolve to the same question, but the first approach is easier to implement.

Posted: Fri Sep 30, 2005 11:21 pm 
User avatar
Joomla! Ace
Joomla! Ace
Offline

Joined: Wed Aug 17, 2005 11:03 pm
Posts: 1356
Location: New Orleans, Louisiana
Why do you need separate users to access the database? That doesn't happen between the user and the server... it happens server to server.

All SSL encrypts is the information passed from user to server... i.e. form posts and actual rendered HTML.

You use the same database, and the same files... the only thing is that in Apache you create two virtualhosts pointing to the same files.

What you seem to be trying to encrypt is something that happens within the server (database to Apache information passing).


Louis

_________________
Development Working Group Coordinator
http://webimagery.net - Consulting
http://jxtended.com - Solutions for Joomla! 1.5
A hacker does for love what others would not do for money.

Posted: Sat Oct 01, 2005 2:39 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
Well, it was the transactions inside the server where I could see security vulnerabilities, but today my company decided its information didn't need this much protection for what it wants to publish initially, so by the time someone cares about SSL 1.1 may be ready and the whole issue goes away!! Hurray!

Posted: Sat Oct 01, 2005 3:41 am 
User avatar
Joomla! Ace
Joomla! Ace
Offline

Joined: Wed Aug 17, 2005 11:03 pm
Posts: 1356
Location: New Orleans, Louisiana
I doubt that the information passing you are looking to encrypt is something really vulnerable to attack. At any rate the encryption wouldn't come from within a PHP script; it would happen between the MySQL extension for PHP and the MySQL database itself. Joomla cannot effect a change on that to my knowledge, and in fact the SSL implementation in Joomla 1.1 has nothing to do with that. The SSL implementation in Joomla 1.1 encrypts and secures the connection between the client and server, which is what is really vulnerable.


Louis

_________________
Development Working Group Coordinator
http://webimagery.net - Consulting
http://jxtended.com - Solutions for Joomla! 1.5
A hacker does for love what others would not do for money.

Posted: Sat Oct 01, 2005 5:03 pm 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 160
I understand exactly what you are saying, and I'm a little embarrassed about this reply, but I think it should be said. Joomla is open-source, and if we use public-domain plugins, there is no accountability for the source containing backdoors in the PHP code that crept in from some malicious developer who got in to the Joomla community somehow. Any code in Joomla could access the database and send such information to a developer--it would be one line of code. We would have to go through every single line of code and check it isn't sending information elsewhere somehow. Certainly I have not seen any such behavior in anything I've browsed through so far, but it IS open source. In an imperfect world, there can always be wolves who have disguised themselves as angels so well, no one's noticed yet.

Posted: Wed Nov 23, 2005 10:11 am 
User avatar
Joomla! Virtuoso
Joomla! Virtuoso
Offline

Joined: Thu Aug 18, 2005 10:27 am
Posts: 3928
Location: Sunny City Cebu, Philippines!
* craving for J! 1.1 release. :) *

_________________
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.
^If you can't read that, you clearly missed the HIGHLIGHTS!
www.backspace.ph | www.joomlaconsultancy.net

Posted: Sun Nov 27, 2005 12:52 am 
User avatar
Joomla! Explorer
Joomla! Explorer
Offline

Joined: Tue Aug 23, 2005 4:55 am
Posts: 280
Location: On my CBR 1000rr...
emeyer wrote:
I think I have an interim solution using freeware website crawler HTTrack (http://www.htttrack.com)

:laugh: I clicked that link and had a good laugh...wonder if that Harsco Track Technologies company is doing website work now!

_________________
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules
