Protect your Joomla password

We are used to communication being secure

If we phone with our mobiles, we assume that only the people we dialled can hear us.

When transferring money we provide information via the bank's web page and we trust that nobody else can use that information to withdraw money from our accounts.

In both examples, the information is not sent plainly into the ether of cyberspace; there is some encryption first.

Even on holiday, when making a bank transfer from a sunny terrace with "free wifi", the transaction will probably be safe.

You see "https://" at the start of the URL and you see the padlock icon in the status bar. This is protected; this is an SSL connection, with an official "certificate".

To be certain, you check that the URL is what you expected, but otherwise you just trust it.

And that won't give many problems in practice.

You're so used to everything being secure, that you might not always be alert if it is not the case. Some providers for instance don't offer a secure access to webmail or client-login. In itself that's not a problem, but it is not suitable for use on a public WiFi network.

The same applies to the administrator login in Joomla!, and many other web applications (including Drupal and WordPress). And of course: for FTP. So, beware if you want to edit your blog from your holiday address. Or if you just want to log in to manage your Joomla! site from a bar.

Sniffing

If you haven't got a secure connection, the username and password that you type in a normal Joomla! login form are passed as plain text. The whole HTTP POST packet is sent over the network, labelled with its addressee. Each node in the network checks whether the packet is addressed to it and otherwise passes it on.

In a WiFi network, the packet is offered to all computers in the network. Normally, a computer for which the packet is not meant ignores it. However, there is software freely available that lets you see all network traffic - including all (!) information in the packet - at least when the data is not encrypted. Such programs are called "sniffers", and Wireshark is a very well known example.

During "J and Beyond" I had one running and it's very interesting to see what is passing by ... also very scary, to see how easy it is for others to view your credentials.

SSL

If you want to secure the login to a Joomla! site, SSL (Secure Sockets Layer) is the best method: then the address bar says "https://" and the padlock icon is shown at the bottom in the status bar. To do so you must buy a certificate and set up secure access. Undoubtedly, your hosting provider can tell you more.

Any user who logs in on that site does so via the encrypted connection. The encryption is done with a so-called public key: anybody can use it to encrypt the information. Decryption can only be done with a so-called private key, which remains on the server. You can compare a public key to an open padlock: anyone can use it to close something (by clicking the lock shut), but the lock can only be opened with the key (the private key).

However, SSL has two drawbacks: first, not all shared hosting providers allow it, and second, there are sometimes considerable costs. The cost of buying a certificate usually comes on top of the cost of hosting. No problem if you're a bigger company or need it for an extensive e-commerce application, but for "home-garden-and-kitchen use" a bit out of proportion.

For private use you can create your own certificate, but then you get all sorts of nasty messages from the browser: that the site should probably not be trusted.

This could possibly be an option if you want to use SSL on a site where you are the only user, but otherwise this is not really workable. There is also an open source version of SSL, OpenSSL, but I have no experience with it yet and I don't know how well it is supported both by hosting providers and by browsers.

New: an encryption extension for Joomla!-login

Recently a very useful extension has been released, with which the login can be encrypted in a way similar to SSL: the Encryption Configuration extension by Ratmil Torres. This plugin also encrypts the login with a public key (using RSA).

This requires the bcmath library to be installed on the server (default since PHP 4.0.4), which is necessary for the arithmetic on large integers. If that is not available on your server, the extension falls back on the simpler DES encryption; not ideal, but certainly better than no encryption at all.

The extension is free (as in free beer), is translated into English, Spanish, German and Dutch, and can be downloaded from www.ratmilwebsolutions.com

Do not forget to write a review and vote on the JED, for I think Ratmil deserves a big round of applause for this extension.

Stay alert!

This encryption of passwords is a good protection against theft of your password on public networks. But as a user you must still be careful with your passwords when logging into a Joomla site: on the server side, even encrypted passwords are first decrypted back to plain text and only then compared with the password in the database or elsewhere.

Someone with enough access rights to the backend can always capture the passwords of everyone who logs in. This is also possible if you, for example, log in with your Gmail account (an option included in the core distribution of Joomla!). We are working on a more secure login. Technically: by retrieving the "salt" of a particular user from the server with an Ajax call and adding it to the client-side password before encrypting. But even then: however well you secure something, it always remains a matter of confidence when you log in somewhere.
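To make the padlock picture, the extension's RSA login and the point just made concrete, here is an added illustration in Python (not the extension's own code): the browser encrypts the password with the server's public key, the server decrypts it with the private key and only then compares it with the stored salted hash. It assumes textbook RSA with two fixed Mersenne primes and no padding, purely so the flow is visible without a big-integer library, and the md5(password + salt):salt storage format Joomla 1.5 used; the user record and salt are constructed.

```python
import hashlib
import hmac

# Constructed demo key: two Mersenne primes keep the example deterministic and
# avoid a big-integer library (the real extension needs bcmath for this step).
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never leaves the server
PUBLIC_KEY = (N, E)                       # shipped to the browser with the login form
PRIVATE_KEY = (N, D)


def client_encrypt_password(pub, password: str) -> int:
    """Browser side: the open padlock; anyone can snap it shut."""
    n, e = pub
    m = int.from_bytes(password.encode(), "big")
    if not 0 < m < n:
        raise ValueError("password too long for this toy modulus")
    return pow(m, e, n)


def server_decrypt(priv, ciphertext: int) -> str:
    """Server side: only the private key opens the padlock."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def joomla_hash(password: str, salt: str) -> str:
    """md5(password + salt):salt, the storage format Joomla 1.5 used."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


# Constructed user record, as it would sit in the users table (salt is made up)
USER_DB = {"admin": joomla_hash("correct horse", "a1b2c3")}


def server_login(username: str, ciphertext: int) -> bool:
    """Decrypt on the server, then compare exactly as a plain login would.
    The plaintext password exists here after decryption: encryption on the
    wire does not hide it from whoever controls the backend."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    salt = stored.split(":")[1]
    plaintext = server_decrypt(PRIVATE_KEY, ciphertext)
    return hmac.compare_digest(joomla_hash(plaintext, salt), stored)
```

A sniffer on the WiFi sees only the ciphertext integer, which is useless without D; the server, however, holds the plaintext for the duration of the check.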

So, don't use a single password on a variety of sites, and beware of logging into a site with your Twitter account (unless it is using OAuth), your Gmail credentials and the like.

This coming summer you can safely log in at the Joomla!-site(s) you want to manage during your vacation: by installing Ratmil's extension. I will install it by default on all my Joomla sites from now on.

This is a guest blog post from Herman Peeren

Herman Peeren has been making software for various platforms for a long time. He works together with a designer at Yepr, a small company specialised in custom design, applications and illustrations.

Last year, amongst other things, they made Flash templates that work with a Joomla! backend. While working on a presentation on web services for Joomla!, Herman ran into the insecure way Joomla! and other CMSs send passwords. He began working on a solution and came across the extension described here: it is a simple but good way to secure your Joomla! login.

This blog post first appeared in Dutch at www.joomlacommunity.eu
