Will Joomla! have SSL capabilities integrated?

Discussion regarding Joomla! security issues.

Post by lw-d » Mon Sep 12, 2005 6:04 am

Will Joomla! have SSL capabilities integrated?

How nice would it be to secure the backend via SSL with a simple option in the admin panel, maybe even at installation.

Maybe I am dreaming, hopefully not.

Lee

Post by stingrey » Mon Sep 12, 2005 6:30 am

Yes, J! will support SSL.
This functionality is already in the Joomla! 1.1 pre-alpha code.

It is a setting that will be configurable via the admin panel and set for individual menu items if necessary.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

Post by lw-d » Mon Sep 12, 2005 6:43 am

Nice.

Post by exrace » Mon Sep 12, 2005 11:30 am

That is good news!
Love, Live PHP.
Love, Live Joomla!
Super Sonic Man...do you want to buy a RockeTheme rocket? -Gary Jules

Post by DogTags » Fri Sep 16, 2005 1:23 pm

stingrey wrote: It is a setting that will be configurable via the admin panel and set for individual menu items if necessary.
Outstanding!

Individual menu items - this will be a big help :D

Thanks :)

Post by DominicWilson » Sun Sep 18, 2005 10:24 am

Fantastic. Yet again, proof that this project is taking things seriously and fully worthy of all the praise it gets.

I look forward to seeing this appear in v1.1

As an extension of that question, however, do you feel it will be extensible into the general login panel on the homepages as well?

At its worst level, if a user's 'view only' username/password is identical to their admin one (not really safe I know, but nonetheless) then logging in to view the site will send the auth data in clear, leaving the possibility for snooping?

Even if we accept that an admin will generate a standard non-admin 'client' user, to simulate what her/his visitors are going to see, there is still the possibility that standard registered user logins will get snooped. If that happens, both the information that user/pass combo is responsible for publishing and, particularly, any tie-ins to payment mechanisms for goods/services become open to abuse.

Interested to have your feedback. Thanks.

Post by joomlahut » Tue Sep 20, 2005 1:08 am

you don't have to publish the login form on the frontpage. you can set it up as a login component in a separate page with SSL enabled, otherwise you'll have to enable SSL for the whole site.
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template

Post by DominicWilson » Tue Sep 20, 2005 8:49 am

A valid point, thank you.

I assume that the client/browser gets issued some form of token once the user is authenticated so that user/password data isn't passed back to the server with each request?

Post by friesengeist » Tue Sep 20, 2005 11:20 am

DominicWilson wrote: I assume that the client/browser gets issued some form of token once the user is authenticated so that user/password data isn't passed back to the server with each request?
That's true. The password is stored in a cookie as an MD5 hash. The one-way encrypted password is sent back to your site for every request a user makes.
We may not be able to control the wind, but we can always adjust our sails

Post by BrianB » Tue Sep 20, 2005 4:34 pm

Wow! This is going to make my life so much easier!

I have one Mambo site that uses both http and https. All logins go through https, and all public traffic is http. The only way I could get this done was to have two installs of Mambo (domain.com and sub.domain.com), both pointing to a single DB. The files in each install had to be identical, except for the configuration.php file. SSL was on the subdomain. Login was a link directed to the sub domain.

Works well enough, but it takes up twice as much space, and any new add-ons / upgrades are twice the work.

Post by lw-d » Tue Sep 20, 2005 4:49 pm

I have a new site that I need to develop with HTTPS, the site has to be developed in less than a month, it is only a small site so it shouldn't be a problem, except for the secure elements, they are causing me all kinds of problems. I guess it is too much to ask for 1.1 to be out in less than a month.

Or is it?

Thanks
Lee

Post by friesengeist » Tue Sep 20, 2005 8:53 pm

BrianB wrote: I have one Mambo site that uses both http and https. All logins go through https, and all public traffic is http. The only way I could get this done was to have two installs of Mambo (domain.com and sub.domain.com), both pointing to a single DB. The files in each install had to be identical, except for the configuration.php file. SSL was on the subdomain. Login was a link directed to the sub domain.
Here's how I do the SSL stuff with just one installation and only one configuration.php file:

I replaced the "$mosConfig_live_site"-line with the following in configuration.php and made the file unwritable afterwards so that it can't be overwritten by Joomla!

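// Pick the site URL that matches the port the request arrived on,
// so one configuration.php serves both the HTTP and the HTTPS site.
if ($_SERVER["SERVER_PORT"] == 443) {
  $mosConfig_live_site = 'https://www.mydomain.tld';
} else {
  $mosConfig_live_site = 'http://www.mydomain.tld';
}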
In the menu I put a link that leads the user directly to one content item on the SSL-secured site, offering to log in there. Once he is on the secure site, he stays there unless clicking a link that leads him back to the site on port 80. This happens for example when clicking on some links in the forum that have the full path of the "insecure" site in it. The user stays logged in on that site as well, as both sites use exactly the same database. The login cookie gets sent back to both sites, since the domain part is exactly the same - only the protocol is different.

There is one problem though: if a user is on the page displaying the login form, he might just change the https to http in the url and is on the insecure site again. Then his password would be sent over the line in clear once when logging in.
We may not be able to control the wind, but we can always adjust our sails
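
The gap described in the post above (the login page being switched back to http://) and the login cookie being returned to both sites, handled in PHP as an added example that is not part of the original post or of Joomla!. The function names and the login markers are hypothetical assumptions; the host name is the one from the post.

```php
<?php
// Added example; not Joomla!/Mambo code. Function names and the login
// markers are hypothetical. The host is the one used in the post.
const CANONICAL_HOST = 'www.mydomain.tld';
const LOGIN_MARKERS  = ['option=com_login', 'option=com_registration']; // assumed

// True when the request arrived over TLS: the HTTPS flag set by the web
// server, or the port 443 test from the configuration.php snippet.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// URL to redirect to, or null when the request may proceed. A login page
// fetched over http:// is the case where the password would go out in clear.
function https_redirect_target(array $server): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // ignore absolute-form or malformed request targets
    }
    foreach (LOGIN_MARKERS as $marker) {
        if (strpos($uri, $marker) !== false) {
            // Fixed host: never build the target from the Host header.
            return 'https://' . CANONICAL_HOST . $uri;
        }
    }
    return null;
}

// Login cookie that the browser returns over https:// only (secure flag)
// and hides from page scripts (httponly flag).
function set_login_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, 0, '/', '', true, true);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, so the logic can be checked offline.
    $samples = [
        ['SERVER_PORT' => '80',  'REQUEST_URI' => '/index.php?option=com_login'],
        ['SERVER_PORT' => '443', 'REQUEST_URI' => '/index.php?option=com_login'],
        ['SERVER_PORT' => '80',  'REQUEST_URI' => '/index.php?option=com_content'],
    ];
    foreach ($samples as $s) {
        var_dump(https_redirect_target($s));
    }
} elseif (($target = https_redirect_target($_SERVER)) !== null) {
    // Runs before any output. A POST that reaches this branch has already
    // exposed its password, so the login form's action must be https:// too.
    header('Location: ' . $target, true, 301);
    exit;
}
```

With the secure flag set, the browser no longer returns the login cookie to the port 80 site, so users appear logged out there; that is the trade-off against the shared-cookie behaviour the post relies on.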

Post by DogTags » Wed Sep 28, 2005 12:25 pm

Is SSL working in Joomla? I wasn't sure if it was still kinda beta

Many thanks :)

Post by Tonie » Wed Sep 28, 2005 12:27 pm

If you take a look at the second post by Stingrey, you will see that it is implemented in 1.1 Alpha code. This basically means that it is not even Beta yet.

Post by DogTags » Wed Sep 28, 2005 12:34 pm

Okay, thanks. I wasn't sure if anything had happened since rey's post.

Post by emeyer » Fri Sep 30, 2005 4:07 am

friesengeist's solution looks close to what I'm thinking of. What if in fact there are two machines, one with HTTP content and one with HTTPS content. When users submit a registration form, and my manager approves it, they get back a new URL to log in to the secure server. The HTTP server just provides a form to request access. When they get on the HTTPS server it contains a superset of the public content so it looks the same.

Now there's no HTTP requests when a registered user moves around--it's all on a separate HTTP server.

But how do I easily maintain both sites? It seems the simplest solution is not to put anything but HTML on the external site (no database or PHP); and every time the HTTPS site changes for stuff that should be on the public site, regenerate the HTML and copy it over. Then I just have to add some sort of script to detect changes to public content (look in .htaccess file--no problem)-- and then work out how to make the HTML pages to copy over (never done that before).

But a more elegant solution would be to extract stuff from the HTTPS site's database and insert it into the HTTP site's database only if it should be there, which would be some sort of PHP script I guess, which means looking into the schema instead.

Two work days approved to finish this project. Do I balk?

Post by MystaMax » Fri Sep 30, 2005 4:28 am

Great stuff. This is one more reason why I'll be able to run joomla on our corp site! Right now, our network engineers and sys admins say no, b/c they say it needs to be secure.  I will be watching this very closely. 

Post by emeyer » Fri Sep 30, 2005 5:13 am

I think I have an interim solution using freeware website crawler HTTrack (http://www.htttrack.com)

(1) Set up HTTrack to crawl through pages on HTTPS server as guest user, running on HTTPS host.
(2) Copy files captured to HTTP server.

But this is not the best solution, obviously. I'd rather Joomla administrated the external HTTP server directly.

I started looking through the database schema but at first blush, there's no simple way to distinguish data based on privilege, at least as far as I can tell. Perhaps there's some keys or something I didn't see.

Post by emeyer » Fri Sep 30, 2005 6:31 am

...but the URLs contain PHP, so the script also has to do some sort of generic substitution operation in the resulting URLs. I sorta thought it couldn't be that simple!

Post by louis.landry » Fri Sep 30, 2005 6:55 am

easiest thing to do is have them both on the same machine and use an apache virtualhost for both the secure and unsecure sites pointing to the same document root

of course that's assuming you are using apache


Louis
Joomla Platform Maintainer
A hacker does for love what others would not do for money.

Post by emeyer » Fri Sep 30, 2005 5:01 pm

I thought about that, but I still don't see how that solves the problem.

For example suppose this is a dating website. Girls are not going to be very happy to know some hacker could break into the database and find out their weight.

I have a new idea. Instead of trying to select just the open stuff, I just export everything from the secure server as if for standard backup. I grep the results for any records I know are sensitive and replace them with a blank string. Then I import the results into the open server. Not fast, but perhaps that works at least.

Post by louis.landry » Fri Sep 30, 2005 5:07 pm

that doesn't make sense to me.... maybe i'm looking at it wrong but if someone can access your database doesn't that speak to the unsecure status of the database server and not the document system? The idea of SSL is to secure the information transfer between server and client, not to secure the files in a filesystem or the data in a database.

Post by emeyer » Fri Sep 30, 2005 5:26 pm

So then I need two Joomla installations, each with different database users to access the database. How do I propagate changes from one to the other?

Post by emeyer » Fri Sep 30, 2005 7:34 pm

Sorry, that wasn't clear (not enough sleep). I can see making the database secure by setting up different databases for the HTTP and HTTPS sites. For example the HTTP site has user1 accessing database01, and the HTTPS site has superuser accessing database02. What would be the simplest way to determine which tables and rows in the parent site, database02, should propagate to the child site, database01?

Alternatively, if both users access database01, how do I set up which records are only visible to user1? As far as I can think, both approaches resolve to the same question, but the first approach is easier to implement.

Post by louis.landry » Fri Sep 30, 2005 11:21 pm

Why do you need separate users to access the database? That doesn't happen between the user and the server... it happens server to server.

All SSL encrypts is the information passed from user to server... ie form posts and actual rendered html.

You use the same database, and the same files... the only thing is that in apache you create two virtualhosts pointing to the same files.

What you seem to be trying to encrypt is something that happens within the server (database to apache information passing)


Post by emeyer » Sat Oct 01, 2005 2:39 am

Well, it was the transactions inside the server where I could see security vulnerabilities, but today my company decided its information didn't need this much protection for what it wants to publish initially, so by the time someone cares about SSL, 1.1 may be ready and the whole issue goes away!! Hurray!

Post by louis.landry » Sat Oct 01, 2005 3:41 am

I doubt that the information passing you are looking to encrypt is something really vulnerable to attack.  At any rate the encryption wouldn't come from within a php script, it would happen  between the mysql extension for php and the mysql database itself.  Joomla cannot effect a change on that to my knowledge and in fact the SSL implementation in Joomla 1.1 has nothing to do with that.  The SSL implementation in Joomla 1.1 encrypts and secures the connection between the client and server, which is what is really vulnerable.


Post by emeyer » Sat Oct 01, 2005 5:03 pm

I understand exactly what you are saying, and I'm a little embarrassed about this reply, but I think it should be said. Joomla is open-source, and if we use public-domain plugins, there is no accountability for the source containing backdoors in the PHP code that crept in from some malicious developer who got into the Joomla community somehow. Any code in Joomla could access the database and send such information to a developer--it would be one line of code. We would have to go through every single line of code and check it isn't sending information elsewhere somehow. Certainly I have not seen any such behavior in anything I've browsed through so far, but it IS open source. In an imperfect world, there can always be wolves who have disguised themselves as angels so well, no one's noticed yet.

Post by guilliam » Wed Nov 23, 2005 10:11 am

* craving for J! 1.1 release. :) *
"I was one of those who wondered why people would pay so much $$$$ to do something that was so much fun!" -R. Harkrider, Fortran Code Engr.

http://www.joomlaconsultancy.net

Post by exrace » Sun Nov 27, 2005 12:52 am

emeyer wrote: I think I have an interim solution using freeware website crawler HTTrack (http://www.htttrack.com)
:laugh: I clicked that link and had a good laugh...wonder if that Harsco Track Technologies company is doing website work now!