Joomla! Discussion Forums

Reading through some posts here on the forums, it seems like lots of people are twigging onto the idea of using securely encrypted sites but that joomla acts a little crazy when you try to use https

I'm trying to get a secure form up (it needs to be fully encrypted, otherwise the external handler won't accept it!) and have changed my live_site property in configuration.php - the back end of the site seems to be fully encrypted but the front end isn't

If you have any experience with this stuff, can you please take a look at http://www.kendryden.ca and let me know what you think?

Cheers,

Qasim

Dear Qasim;
First - WOW - a website with more red than the one I'm working on! It leaves quite an impression. Nice job on that.

Second - what do you mean by changed live_site property in configuration.php? What is it now (vs before the change)- what is the exact code, and how exactly would that affect the form you are trying to make secure?  I think we need those details to better help you out.

I'm one of those "twigging onto the idea of using securely encrypted sites"... I have the entire thing secure, and as you've noted, there are some issues, but I don't think anything that can't be overcome....  In terms of the partial solutions - there were just too many hacks involved and I'm not a big fan of hacks.

The other thing you've probably noticed is that 'security' in joomla is somewhat of an orphan in Joomla.  Security has some friends (many would be an overstatement), but security is nobody's baby... 

It's clear that security has moved up the priority list and it's being worked on, so I'll try not to be too judgemental.  But it's hard not to.  I'm just DISTURBED by the lack of reads and replies some of these posts get. You'll get more reads/replies in a day if the subject says 'i have a problem' than in months if the subject has the word 'security' in it.  Security should be everyone's number 1 priority.
And security being one of the more interesting parts of web development - it's hard to comprehend that it's barely an afterthought for so many people.

Sorry to get off track... I'd really like to help out with the limited background that I have.  I'll poke around some more and let you know what I find.  It does appear that the approach of selectively securing a site makes a little more sense than the arguably overkill secure it all approach.

There are known deffeciencies within Joomla! 1.0.x series regards being able to use it under SSL and HTTPS
This mainly due to the way the site referencing is handled.

There is no easy way to fix this in 1.0.x series without hacking the core.

This is because some fundamental changes need to be made that go beyond the 'Stability' mandate of the 1.0.x series.



1.5.x addresses these problems, thus making running Joomla! under a secure environment a possibility 'out of the box'.

Thanks Rey for that info. So what hacks do we need to apply? Do you know of a site that has tutorials/hints on getting Joomla running under SSL and HTTPS?

thanks,

The post referenced below was the most encouraging thing that I found in that it confirms some of the conclusion that I came to. Also thanks for the references to the status of next release.  Helpful in knowing what's on the horizon.

http://forum.joomla.org/index.php/topic,53984.0.html

That pretty much says it.  The hacks are not for the faint of heart.  And inherent architecture/design issues are the reason why many are having trouble finding the 'definitive' answer.  It's known, it's being addressed and until then, there might not be an easy answer...

Make a decision on how much time you are willing to spend on work-arounds, and which features/modules/components you are willing to live without.  If a certain module isn't working as expected or at all, perhaps there is a substitute.

Meanwhile thanks to Stingrey and everyone else on developer teams, forums, etc. comitted to making Joomla a great choice for CMS.

By the way, is there anything that could give us a heads up how the new security feature(s) are designed and how it would work?
Thanks again.