Reading this reply in the "New hashing algorithms for Joomla" thread:I tought: why not increase security also for non SSL sites using a salted hash login method (SMD5)?During login, the password isis transferred in plain text, if not SSL is used.
I explain:You can use the one-time joomla token (there is a one-time token in any Joomla form no?) also as a salt to pass to a javascript md5 function.
So you can code the login form in a similar way:
<form onSubmit="saltPassword()"....
function saltPassword(){
....
inputboxpassword.value=js_md5('$token'+'--'+inputboxpassword.value) //this will also celan the DOM from the real password (can be done also without distrupting user input box obviously)....
}
this will transmit over the wire each time a different md5 password!!! unsniffable! (the salt is done with a random token so it is very difficult to reverse engineer the md5.)
Obyously in the server sithe validation you shuld have somethig like this:
"WHERE MD5(CONCAT('{$token}--',password))='$formReceivedMD5OnetimeSaltedHash'
i prefer to have this in the SQL to prevent also that also the data from the mysql server and the php joomla server goes in clear (no one uses mysql over SSL!!!!)my 2 cents.
Stefano.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To post to this group, send an email to joomla-...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-cm...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.
The cookie based attack is also a problem though we do some extra
checks on the client to make the simplistic attack of just taking a
cookie a little more challenging, again the correct behaviour here is
to use SSL and secure cookies to make sure that can't happen.
Additionally we don't do a search where the password matches because
if you just do a WHERE clause on the generated password to find the
user (which is what your snippet appears to suggest), someone could
conceivably create an attack where they randomly supply passwords and
brute force their way into an admin account.
Finally there are already extensions out there that provide login
functionality including some which implement RSA (or at least they say
they do) which is a much better way of handling these things. If
someone wishes to have this functionality, they can deploy one of
these extensions. Otherwise I'd suggest using HTTPS.
Cheers,
Sam Moffatt
http://pasamio.id.au
This is partly incorrect.
When I have seen JS to secure plain passwords, quite commonly hashing
is done (can't decrypt/reverse that vs SSL that does allow
decryption). SMF uses this to prevent plain password transmission by
default, but can't be applied to Joomla without changing our hashing
methods (break backward compatibility).
There are some JS based SSL methods, but neither hashing and
encryption methods force storing of plain text passwords in the
database!
I did do some work towards getting a new JCrypt class into the core.
Many of the JS encrypt classes use outdated algorythms. I did find one
that has "proper strength SSL" encryption (and was GPL licensed), but
the problem was that there is no GPL licensed PHP decryption library
available. The option was to use PHP addon packages such as RSA_Crypt,
but that would mean it would not work on all servers (which is why I
stopped working on Jcrypt)
It is possible though, here is a free working example:
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/11519
With regards to this patch for different password hashing methods. It
may benefit large commercial enterprise type clients, at the risk of
breaking some sites when they are moved hosts. However this solution
is for when hacker already gained full access to your sites,
downloaded your mysql tables and just got bored after destroying your
complete site. Now they want to get other user passwords and this
solution would take the bruteforce attack time from a year to a few
decades :)
It would be better to focus on preventing your whole site being
compromised. Prevention of plain password transmission would be a good
start. In addition PLEASE consider the following extension into the
Joomla 2.5:
http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/12731
It prevents 95% of Joomla attacks by blocking SQL injection and Local
File Inclusion of vulnerable 3rd party extension. I believe we have a
duty to protect joomla users from these basic hacks. They are common,
automated bots make heavy use of these (I get about 50 attempted
attackes on my site per day) and it is very easy to block. Wouldn't it
be great if we can stop 95% of attacks, by including a simple plugin?
Thanks, Marius
Its naive to say that SQL injections and LFI's are only in old
components. Look at the vulnerability list:
http://docs.joomla.org/Vulnerable_Extensions_List
Still lots of current extensions added, even from experienced and
reputable developers.. Guess what LFI and SQL injections are still the
common ones.
Sorry to hijack the thread slightly, I decided to reply when I saw the
misinformation that for some solutions cleartext passwords need to be
stored (can give examples of why not if needed).
It just comes down to the overall approach. You can say, no need to
secure x because someone can always hack with y. No need to prevent
SQL injection attacks, as they mainly for old components. No need to
prevent clear text password transmissions, as they can always get the
cookie, etc etc. That approach is flawed in my opinion. My preferred
option is to lock down as many methods by default.
I agree with you that SSL is essential and with official certificates
costing around 5 dollars, there is really no excuse and a much better
solution.
There are lots of softwares out there that add some default protection
against clearpassword sniffing. Its not all "protective", but makes
things one step harder.
There is no downside to blocking queries containing
../../../../../etc/password or obvious SQL injection attacks. Its
fantastic that you have better code to block these common attacks and
that you are willing to share these. The Joomla project often gets
blaimed for security flaws in 3rd part apps. Since they are common,
easy and they have affected extension from experienced developers, I
think it is our duty to add some default protection against them. This
will make the Joomla platform much more secure.
And for the record I agree with you that altering the type of hash
that is stored in the Joomla database has minimal effect on security
with downsides of being able the "break" sites,
Thanks, Marius
Wow that is completely uncalled for. I have never said anything to
insult you and just wanted to make a small contribution to the
discussion. If you know me I would never make any derogatory comments.
No need to go to personal attacks and mention "who you are"
Nicholas K. Dionysopoulos
Lead developer, AkeebaBackup.com
Sent from my iPhone
Please excuse my brevity
Can we get back to the discussion now?
The cause being developers using raw MySQL statements with unescaped data. The mere use of JFactory::getDbo()->quote($incomingData) is adequate to prevent the majority of SQLi attacks.
FWIW I am against SQLi protection in the core, but not because I do not consider it a real threat. On the contrary. I believe that if you add too many security features (of dubious efficiency) in the core you are making your users complacent. The end result is that they are reluctant to upgrade their components, as they THINK they are protected anyway. Little do they know... The question, therefore, is whether we want to add a feature which blocks legitimate requests (e.g. Forum posts discussing SQL), doesn't block all nefarious requests and makes our users complacent under a false sense of security.
This feature is not going to make it in the core. I had proposed a similar feature about a year ago and I was presented with more or less the same arguments. I came to believe that they are valid. You do need reporting, exceptions and a site owner with a working brain to have this feature perform as intended. This Is usually too much to ask from the average Joomla! User.
Nicholas K. Dionysopoulos
Lead developer, AkeebaBackup.com
Sent from my iPhone
Please excuse my brevity
I agree the critical, i'm also for the always https pratice (i worked in security and sso identity management), the only way to full security, but consider that most beginner users doesn't know how, and some can't configure ssl in their hosting, and sometimes if you have to use things like iframes to http contents using https causes the browser popup problem.
So i mean, https is the solution bu you should provide some basic security out of the box.
What's the percentage of joomla https sites ib the world over the joomla installations? most extension developers e comnerce sites are also in http and these users are the most techies. https is good but it requires a lot of time
I'm sorry for the raw example i gave but sure you can and must have md5 in db instead of plain:
Think to have this in js
Js md5(salt+md5(inputbox.value))
And
md5(concat($token,md5passfield) in sql
Yes in this way you cannot have salted hash in db but just hashes but if they compromise your db it's pribable they also have your php salt variable printed or destroyed your site as said the important of using hash in db is to protect user privacy
Ps to provide a basic security out of the box also against session hajacking (cookie sniffing) you can enable an ip check session mechanisn.
regarding mysql and ssl: some shared hosting providers doesnt have a good dmz and also some universities and schools, but yes them i was saying this just to let you know that im a fan of ssl and i think is the definitive solution
Ps a tip for you all: you dont have to buy ssl certs startssl.com gives you free ssl certuficates (is a CA validated by all browsers)
Best regards
Stefano
Written via android
I agree also this point so i dont pretent my request to be implemented was just a point of reflection. instead let's start to sensibilize over the need of ssl (add https as a suggested system requirement for joomla in the future?)
Users by default are complacent, rarely upgrade, always take the
easiest approach and only consider their security when they have
already been hacked. No actually in real life I am an optimist, but am
a pessimist on this issue because of some studies and real life
experience. I tried to find an article that showed the distribution of
Joomla versions on the www, but that website has since gone (Jfoobar).
It was done by a previous Joomla core developer that assumable wrote a
crawler that detected versions of Joomla sites through google. Quite
cleverly done, he could even tell the exact joomla version of each
website. From memory 90+% of Joomla websites where outdated and only a
few ran the latest version. Interestingly this was in the time where a
major security flaw was discovered in Joomla 1.5.5 and months after
discovery lots of sites where still running vulnerable versions. Why
do I bring this up? People do not even keep their Joomla version
itself up to date, guess what percentage of Joomla installation run
the latest versions of their components (very few in my opinion).
>On the contrary. I believe that if you add too many security features (of dubious efficiency) in the core you
> are making your users complacent. The end result is that they are reluctant to upgrade their components,
> as they THINK they are protected anyway.
People that think about security always upgrade immediately. The
problem is that 99% do no think about security setup their site, do
not check their installed components for updates, or check the offical
list of vulnerable extension or just forget about upgrading. You are
not going to make people complacent by adding some basic security
features to the core, as security minded people implement "best
practice" regardless of what is in the core.
The second point I want to illustrate is the point "people should use
SSL, everything else is suboptimal and should not be implemented".
Unfortunately 99% of Joomla sites do not use SSL and are therefore
theoretically vulnerable to sniffing hacks. Take as an example all the
joomla.org related sites. I just checked most of their login forms and
could not find a single one that uses SSL (yes even the administrator
login pages that I could find). If even joomla.org does not use SSL
for logins, why should basic Joomla users with minimal knowledge care
about implementing SSL. Although a congratulation is in order to
yourself for being the elite 1% of joomla users that runs SSL by
default!
Let me summarise the scenario for everybody. Users are generally lazy
when it comes to security and don;t implement the required security
measures (I agree with you that in my experience the majority of
server hacks are due to non-joomla vulnerabilities, but that is a
story for another day). On the other hand we know that Joomla 3rd
party vulnerabilities are common, are still happening, can happen
regardless of the experience of the extension developers, are easy to
exploit and are being exploited. We also know that the majority of
these hacks are due to mysql injection or local file inclusion. In
addition people rarely use SSL to protect their passwords and cookies.
I again agree with you that just because of the above scenario that NO
half hearted solutions need to be implemented into the core. But we
have two options here (feel free to think of more if you can)
1) Do nothing, as people should be responsible for their own site security
2) Accept that because Joomla is so accessible for relatively
inexperienced users and that exploits are common, that some basic
protection is wanted.
Ok lets get back to what we could achieve and I will therefore also
come back to what started this thread (which made me realise that I
partly confused this thread with the "type of hashing of database"
thread that is going on concurrenty. oops sorry) :P
1. Hashing passwords before submission.
Hashing of passwords using javascript on the client side to prevent
transmission of plaintext password through http is possible. Even
without storing plaintext passwords in the database itself this is
possible, just look at softwares like SMF (will skip on the details to
stop this reply getting even longer). However this is not possible to
implement for Joomla due to hashing being a one way street and such a
solution would break all backward compatibility.
2. Encrypting passwords before submission.
Most javascript libraries implement RSA encryption using old
standards. When I was looking at implementing a JCrypt class for
Joomla I did manage to find one GPL javascript encryption library that
had proper handling of padding to prevent adaptive chosen ciphertext
attacks (too complicated to go into detail in for this post). However,
at that time no GPL library was available to do a proper decrypt on
the server side. However cryptographic libraries that can be installed
with the PHP core could do this, but may not be installed on all
servers. Since I preferred a solution that worked on all servers, I
stopped that work. But we can add this JCrypt library which can
provide default "plain password transmission" protection if these
libraries are installed (normal joomla behaviour if the libraries are
absent). Yes there are still issues with "cookie sniffing", but a
hacker having a plain text password is worse.
3. Preventing SQL injections and LFI's
Agreed that blocking requests can result in disruptions of valid
submissions (like when someone is discussing SQL injections in a
joomla forum components). However the key is not to "block" requests
but to "sanitise" the global variables. Worst case scenario with the
"sanitise" option is that the "SQL attack string" is not formatted
correctly (and therefore the forum post won;t show the correct SQL
attack syntax correctly). The post action will still work, as the
request is not blocked. If someone has a hacking forum, it can add the
forum component to the exclusion parameter field (and the forum
component input will not be sanitised) or a well aware security expert
can just unpublish this proposed sanitising plugin. Then of course
there will be a long discussion on which regex should be used to
detect attacks. There will not be a perfect regex for sure, but it
will be able to stop the bulk of attacks.
Well this turned out to be a way longer response that I had
anticipated. Since I am not in the decision making process of what
goes into the core, I guess my opinions are irrelevant :). But there
are certainly things that we can do. The Joomla project sometimes gets
marked down on security which is not its fault (a badly designed 3rd
party component is). But wouldn't it be nice to add some basic
protections for the 99% of the less informed users. As long as it is
implemented correctly, it will add to the reputation of Joomla and
other softwares have demonstrated that these solutions can be
implemented in the core successfully.
Thanks, Marius
> 3. Preventing SQL injections and LFI's
> Agreed that blocking requests can result in disruptions of valid
> submissions (like when someone is discussing SQL injections in a
> joomla forum components). However the key is not to "block" requests
> but to "sanitise" the global variables.
This doesn't solve the problem of stripping out valid content. You
cannot tell from looking at the request how the data is going to be
used. SQL can look like normal content. The key is to sanitise data
when it's used. No security training I've ever been to advocates
sanitising data before you know how or where it's going to be used.
Better to spend time crafting regex's to scan files to defective code
and putting them on the VEL than to waste CPU on every request "just
in case".
> Since I am not in the decision making process of what
> goes into the core, I guess my opinions are irrelevant :).
Your opinion is relevant but you need to realise that the decision
making process is not about what your opinion is, it's about what code
you've contributed.
> But there
> are certainly things that we can do. The Joomla project sometimes gets
> marked down on security which is not its fault (a badly designed 3rd
> party component is). But wouldn't it be nice to add some basic
> protections for the 99% of the less informed users.
Yes, but it's a trade off and no substitute for trying to keep sloppy
coders off the streets.
> As long as it is
> implemented correctly, it will add to the reputation of Joomla and
> other softwares have demonstrated that these solutions can be
> implemented in the core successfully.
That's not necessarily correct because of the reasons Nic, I and
others have cited. All you do is shift one problem (security) to
another arena (support for glitchy false positives and lower
performance) and you still have the time bomb of sloppy code on your
site.
Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla 1.7 developers
>
> Thanks, Marius
Yes, but it's a trade off and no substitute for trying to keep sloppy
coders off the streets.
1. Hashing passwords before submission.
Hashing of passwords using javascript on the client side to prevent
transmission of plaintext password through http is possible...
. However this is not possible to
implement for Joomla due to hashing being a one way street and such a
solution would break all backward compatibility.
Yes there are still issues with "cookie sniffing", but a
hacker having a plain text password is worse.
Some services make secondary checks against the identity of the user. For example, a web server could check with each request made that the IP address of the user matched the one last used during that session. This does not prevent attacks by somebody who shares the same IP address, however, and could be frustrating for users whose IP address is liable to change during a browsing session.
3. Preventing SQL injections and LFI's
> Agreed that blocking requests can result in disruptions of valid
> submissions (like when someone is discussing SQL injections in a
> joomla forum components). However the key is not to "block" requests
> but to "sanitise" the global variables.
I'll take a note out of Nic's book and ask why are you putting words
into my mouth :) But to that comment, yes, some Joomla extension
developer are sloppy coders and in a perfect world it would be great
if the JED had the ability to "sniff" them out (pun intended).
> No, SSL is hard to configure well, if you don't think so please put it as a
> requirement of the platform in the joomla installation code!
Well yes and no, but my point was ensuring that Joomla is rock solid
when it can be used (which, at the very least, is any site with a
shopping cart).
No doubt some of these ideas have been considered in the past and I am
sensing a slight reluctance to re-evaluate some of these ideas. You
bring up a couple of valid potential issues:
1. Performance.
Sanitation of variables with 2 regex' would make an insignificant
change to server load.
2. False positives
Sanitation of variables can be implemented with minimal disruptions.
For one it would not affect the Joomla CMS itself (you would exclude
joomla core components) and would also not involve the backend (hacker
can do easier things if a person was foolish enough to give him
access). This means that any new workload generated would be at the
address of the 3rd party developers. Not to insult anybody but with
the new release cycle every joomla release breaks backward
compatibility. This is actually a good thing, as this allows the core
to improve much faster and prevents massive changes in a single
release like Joomla 1.6. Joomla third party developers have had a lot
of curve balls thrown at them recently and if properly implemented
this will only be a very minor issues. For instance during an install
a component that needs to be excluded from global var sanitation would
just add its name to the sanitiser plugin exclusion parameter.
3. False negatives
This is really the sticking point of a proposal to do this. There is
no point implementing a regex filter, if hackers can bypass it by
changing UNION SELECT to UnIoN SeLeCt. There has been lots of work
done by other people on good hacking detection regex's. I would be
more than happy to go into more detail. But that would be irrelevant
if the Joomla Core team are not going to consider adding new security
features regardless.
Currently hacking Joomla is like shooting fish in a barrel with a
shotgun. And this has got nothing to do with core vulnerabilities or
script kiddies that waste time with automated attacks looking for
mambo era components. And you can see the appeal of shooting with a
shotgun to a 14 year old hacker. I don't want to give away and tips
that can get sites hacks, but here is a short summary to illustrate my
point. Hacker A wants to deface some Joomla sites and monitors sites
that conveniently report new Joomla vulnerabilities. He then uses
google using a simple search query to not only find Joomla sites, but
a detailed list of the x thousands of sites that run the vulnerable
joomla component. Then it is just a matter of running a simple hack
script and if that Joomla site has got no additional protection,
someone will spend a week trying to get their Joomla site back up.
I wish it was as simple as blaming a few bad coders, as the lists
shows it can happen to experienced developers. Even if only a dozen of
sites run a dodgy component, google will show up exactly who they are.
And joomla gets a bad reputation with those users, despite Joomla
itself having nothing to do with it. (they just say "I installed
Joomla and get hacked every time, Joomla sucks")
The aim of these discussions is not to stop all Joomla related hack,
but work on a way we can replace the "shotgun" of a hacker with a
regular "fishing rod"
What is your opinion on a JCrypt class Andrew? It could be easily
implemented to prevent plaintext passwords submission by default (even
joomla.org would benefit from this feature as it currently submits all
passwords as plaintext over http). If PHP has decryption libraries
available it would load additional javascript file. This would encrypt
the password with the public key, store it in a hidden encrypted
password field and erase the plaintext password. Then on the backend
if a encrypted password string is set, it would decrypt with the
private keyand login would run as normal. If Joomla has not got access
to decryption libraries, login would proceed as normal (no added
javascript loaded). The JCrypt class I started working on also takes
care of private/public key generation, encrypt/decrypt, etc. I stopped
work on it, because it would not be enabled on 100% of Joomla installs
by default (which used to be a deal breaker regardless). But it seems
from the new minimum requirements for the latest Joomla version that
this is becomming less of an issue.
Of course I am picking the worst time to bring this up again, as the
boat has departed for new features in Joomla 2.5 and time is required
by everybody to ensure a smooth release.
Thanks, Marius
Just need a bit of time to pull up some old posts and will reply in
detail later today.
Thanks, Marius
On 17 December 2011 12:58, Marius van Rijnsoever <mari...@gmail.com> wrote:
> Thanks for the reply Andrew. I have contributed code and lots of time
> to the Joomla project in the past. But moved onto other projects as it
> wasn't the best timing for Joomla to accept my help for various
> reasons. I am happy to help out again, but want to discuss ideas first
> avoid wasting everybody time (including mine) with additions that are
> not required/wanted.
Sounds like a plan.
> 1. Performance.
> Sanitation of variables with 2 regex' would make an insignificant
> change to server load.
See Nic's reply for holes in the theory. The problem I see is the
hackers will crack the regex, so you have to add another, and then
close another hole, and fix a crack, and it spirals out of control.
Maybe I've got blinkers on but I can't get past the fact that you
aren't dealing installing bad code on your server as a preventable
event.
> 2. False positives
> Not to insult anybody but with
> the new release cycle every joomla release breaks backward
> compatibility. This is actually a good thing, as this allows the core
> to improve much faster and prevents massive changes in a single
> release like Joomla 1.6.
That's not correct. 1.7 didn't break backward compatibility (ok,
there was one case with the query class where developers didn't head
out instructions), nor will 2.5. Every third release (18 months of
time) allows for the potential to break backward compatibility but
that does not necessarily mean it will happen (the next window for
this is 3.0 in July-ish 2012 should the community wish to take
advantage of it). Also note that breaking backward compatibility is
different from a deprecation strategy which you can find in both the
CMS and the Platform. I'm not sure where you got the idea that every
release under the new system breaks backward compatibility.
> Joomla third party developers have had a lot
> of curve balls thrown at them recently and if properly implemented
> this will only be a very minor issues.
Recently as in the release of 1.6 (over 11 months ago now) or are you
thinking of something else?
> For instance during an install
> a component that needs to be excluded from global var sanitation would
> just add its name to the sanitiser plugin exclusion parameter.
I can't help but think we are really starting to add complexity that
outweighs the alleged benefit.
> 3. False negatives
> This is really the sticking point of a proposal to do this. There is
> no point implementing a regex filter, if hackers can bypass it by
> changing UNION SELECT to UnIoN SeLeCt. There has been lots of work
> done by other people on good hacking detection regex's. I would be
> more than happy to go into more detail. But that would be irrelevant
> if the Joomla Core team are not going to consider adding new security
> features regardless.
The PLT (there has been no such thing as a core team for many years
now) are the people that "approve" features that are submitted (and
most reasonable contributions are accepted nowadays). I say this at
every Joomla Day or event I speak at that you are looking at the
Joomla development team right now (especially when you stand in a
mirror). Your peers are ultimately the people who make or break
contributions, not the PLT.
> I wish it was as simple as blaming a few bad coders, as the lists
> shows it can happen to experienced developers. Even if only a dozen of
> sites run a dodgy component, google will show up exactly who they are.
> And joomla gets a bad reputation with those users, despite Joomla
> itself having nothing to do with it. (they just say "I installed
> Joomla and get hacked every time, Joomla sucks")
I appreciate the intent behind your statement, and understand that
notion that the mud "sticks" despite our best efforts, but I still
maintain this is a "latex barrier" (keeping it G-rated) for
fundamentally fertile code problems. Ok, let's imagine we do get a
"fire wall" solution that everyone agrees on. That cannot be the only
thing we do to enhance security and should be just one part of a wider
strategy that **must** include developer education as the first line
of defense. It should also include a review of automated test
resources that could be used freely by developers and/or added to the
JED (something like an automated report card), and also a review of
how we can make alerting web masters about urgent upgrades quicker.
Personally I'd start with the IP range blocker part and get that rock
solid before adding any trip wires.
> What is your opinion on a JCrypt class Andrew?
We need it. Raise it on the Joomla Platform list - there are already
people working on it.
> Of course I am picking the worst time to bring this up again, as the
> boat has departed for new features in Joomla 2.5 and time is required
> by everybody to ensure a smooth release.
It's never too late for the Plaftorm because we are on a shorter
release cycle, which some of this work would cover. I'll just warn
you now, get up to speed with PHP Unit and PHP Code Sniffer first. We
are unashamedly pedantic about our code quality :) Maybe we should
make it a requirement that every developer that wants to list on the
JED must have already submitted at least 500 lines to the platform,
because then we then know they've been through the code-quality
wringer :)
I have tried at least 20 times to be removed from this group. Would someone remove me from the group manually?
While I know you were facetious about this, I would love to see Unit/Sniffer
compliance as one of several requirements for a JED 'Certified' rating! One
can dream.
----- Original Message -----
From: "Andrew Eddie" <mamb...@gmail.com>
To: <joomla-...@googlegroups.com>
Sent: Saturday, December 17, 2011 3:36 AM
Subject: Re: [jcms] Salted MD5 login to prevent sniffing in non https
There has been some great work done on a "joomla version check on
admin login" to highlight to a user that they should upgrade Joomla.
The same can be done to notify users of vulnerable components, as the
JED already has an entry in the "joomla core update" table. Once a
vulnerability is known, it can be added to this JED XML and
administrator of that site will then receive alert/email about the
vulnerability through the Joomla backend. This will minimise the
impact of vulnerabilities by alerting users fast.
Since your brought up a medical comparison and I am a Doctor by day
(geek at night), I will also make a medical comparison. When an
overweight type II diabetic person comes to see me for treatment,
loosing weight will likely cure the diabetes (yes I have seen this
happen many times) and is the ideal solution. If I send the patient
home with the message "loose weight and you will not have a problem",
likely the next time we will see him is when his vision is affected,
had a heart attack or his kidneys have been damaged. The same goes for
your suggestion of only using SSL to prevent plaintext passwords
transmission. Its the ideal solution, but 99% of people will not
implement it and the next time we will hear from them is when their
site is hacked.
Implementing plain password transmission for non-SSL users would not
be a half baked solution, but a realistic basic protection for the 99%
of Joomla (millions of them) sites that do not have SSL. I don't agree
that this would induce complacency and therefore stop people
implementing SSL, as people that care about security will implement
SSL regardless. Also many people are unable to install SSL for many
reasons. Therefore the advice "SSL or no password protection" would
equal saying to a patient "Yes you can't loose weight easily because
you can't exercise with your bad knee, but I am not going to give you
diabetic medications as this is not perfect".
http://docs.joomla.org/Potential_backward_compatibility_issues_in_Joomla_1.7_and_Joomla_Platform_11.2
I did not bring up the backward compatibility issue as a negative
comment. I rather have 99% compatibility (see above link for minor
incompatibilies between 1.6/1.7) and advancement of the core. Than 80%
compatibility with every 3 year release and slower progression. I
brought this up to highlight that current developers for Joomla 1.7
and later are involved due to the advancement of the Joomla core.
OK I also managed to find the previous proposed solution that hashes
the Joomla password that requires no updates of the Joomla database at
all. This would avoid users having to reset their passwords:
http://groups.google.com/group/joomla-dev-general/msg/f91741e9406035dc
(lots more discussion on Joomla security on that thread when I offered
to create some new Joomla 1.7 features back in February).
With regards to brute force password protection suggestion, there is
already a basic patch on the Joomla tracker (created by someone else).
But that had the problem of being easily bypassed. A new Joomla table
would likely be required for such a solution and IP based blocks can
also be bypassed by attackers (either spoofed or these bot nets have
access to thousands of IPs).
Better screening of code from JED components would be nice, but
sniffers would not work and the poor JED staff are already working
extremely hard and would not likely have time to properly implement
code screening.
Thanks again for everybodies input, hope I did not offend anybody with
this post. Thanks Marius
On Monday, 19 December 2011 at 06:06, Marius van Rijnsoever wrote:
However since a "compromise solution" of a firewall to prevent attacksseems unlikely to be implemented we should then focus on minimisingthe impact of vulnerabilities.
There has been some great work done on a "joomla version check onadmin login" to highlight to a user that they should upgrade Joomla.The same can be done to notify users of vulnerable components, as theJED already has an entry in the "joomla core update" table. Once avulnerability is known, it can be added to this JED XML andadministrator of that site will then receive alert/email about thevulnerability through the Joomla backend. This will minimise theimpact of vulnerabilities by alerting users fast.
Implementing plain password transmission for non-SSL users would notbe a half baked solution, but a realistic basic protection for the 99%of Joomla (millions of them) sites that do not have SSL. I don't agreethat this would induce complacency and therefore stop peopleimplementing SSL, as people that care about security will implementSSL regardless. Also many people are unable to install SSL for manyreasons. Therefore the advice "SSL or no password protection" wouldequal saying to a patient "Yes you can't loose weight easily becauseyou can't exercise with your bad knee, but I am not going to give youdiabetic medications as this is not perfect".
OK I also managed to find the previous proposed solution that hashesthe Joomla password that requires no updates of the Joomla database atall. This would avoid users having to reset their passwords:(lots more discussion on Joomla security on that thread when I offeredto create some new Joomla 1.7 features back in February).
Better screening of code from JED components would be nice, butsniffers would not work and the poor JED staff are already workingextremely hard and would not likely have time to properly implementcode screening.
^^^ What he said. We have lots of "sniffers" already working
extremely well on the platform doing some pretty crazy things with
automated code review. Nothing is impossible.
There are also ways around the JED staffing issues - but for the sake
of this argument, just imagine there is no barrier to resource the
coding of sniffers and enough people to maintain the volume of work to
support automated (just as you are assuming there are enough people on
the JBS to handle the incoming glitches of an on-the-fly solution).
What I find interesting is that on one hand you say "people will never
follow instructions" and on the other hand believe that they will
follow your security advice about SSL.
Yes I do give life saving drugs to patient even if they contribute to
the issue themselves (you would not expect me to do otherwise huh?),
while educating them how to improve their health! I even give drugs to
people that will unfortunately will prove fatal for some. I deal with
very complicated risk assessments on a daily basis and if I screw up,
someone can die because of my decision. For instance when I prescribe
warferin (rat poison) to someone with a stroke risk, I will cause a
possible fatal brain bleed in 1-in-300 patients, but prevent strokes
1-in-25 patients and prevented death in 1-in-40 patients. The overall
benefit far outweighs the risk.
Lets do a risk benefit analysis for implementing a method to prevent
plaintext password transmission. There are at least 1,651,338 Joomla
websites on the web (http://trends.builtwith.com/cms/Joomla!). My
guess is that 99% of Joomla installations do not run SSL (none of the
top 10 websites do http://trends.builtwith.com/topsites/Joomla! and
even joomla.org does not run SSL). Therefore there are at least
1,634,824 joomla websites that transmit plaintext passwords across the
internet. That means that Joomla is indirectly responsible for tens-
if not hundreds-of- millions of plain passwords being transmitted
through the internet every day. Therefore there is clearly a large
impact we as Joomla developers can have on fixing this.
Your main concern is the "risk" that people will not implement SSL if
some basic protection is added to the login form. First point to make
is that currently people do rarely use SSL (see above). Second like
you pointed out, people will ignore instructions anyway (including
advice to use SSL). People that do implement SSL won't stop doing this
because of a login form password encryption. Therefore the risk of
causing harm by implementing this feature (by making people
complacent) is very low.
The next point of discussion would then be the actual impact of an
added security feature (no point giving someone a pill if it does not
do anything). Like you pointed out without SSL it would still be
possible to hijack the cookie/session. Lets take a real life scenario:
Editor of a joomla site gets a cup of coffee from a local shop and
quickly checks his website through an unsecured wifi connection.
1: No SSL, No plain password connection
Hacker gets plain password. Creates itself a new administrator
back-end session, get access to file system and does lots of damage.
Then because most people share passwords between sites, the editors
email gets hacked and the hacker gets some more passwords from his
email account.
2: No SSL, Password is encrypted
Hacker gets access to the front-end session and defaces the website
with lots of hacker messages. Administrator sees this takes the
website offline. Hacker can't repeat the attack as the session will
then have expired.
3. Webmaster has installed SSL
No problems what so ever as password and session cookies are
protected. Yum, editor finished coffee and everybody is happy :)
Option 3 definitely preferred. But there is a huge difference in
damage between option 1 and 2. Also to consider in this equation is
the end-users of each individual sites. Their plaintext passwords are
exposed because of millions of Joomla websites without SSL (not just
an issue that affects the webmasters) and can compromise their other
accounts..
Lastly to consider is the costs of the implementation. It is 100%
backward compatible, some extra javascipt and processing required at
the browsers end. However login will still work when javascript is
disabled (but password won;t be encrypted), Also to consider is the
positive effect of having a JCrypt library in Joomla and a working
example that developers can see. This will allow Joomla developers to
have 128 bit encryption available even if the site does not have SSL.
Just to summarise. Plaintext password transmission on Joomla site are
extremely common, accounts for millions of plaintext passwords being
transmitted every day and a solution is simple to implement without
any costs, but does not protect for the separate issue of session
hijacks. If you ask me this is as good as a risk-benefit assessment as
you can get, But maybe people other than yourself and me can comment
on this?
With regards to notifying users of vulnerable extensions, I never said
anything about blocking and disabling extensions automatically.
Extensions are already "named and shamed" through google and there is
a list on the joomla.org website that lists. Identification of
components can be done very accurately as there are more identifiers
that "com_example". I FULLY agree with you that extreme caution must
be taken with the approach and implentation, but this can be managed
very well and has the potential to prevent a large amount of Joomla
hacks.
Thanks, Marius
On Monday, 19 December 2011 at 14:50, brian teeman wrote:
Just to point out that the majority of joomla sites (and as you brought up numbers thats what matters) are running on shared hosts and the majority of shared hosts do not have the ability for you to run a domain specific ssl. If every web site in the world that required a login used ssl and joomla sites did not then this would be a bad omission by joomla. But that's not the case. Feel free to recommend that people install ssl certificates etc but this is definitely not something that should be forced upon them by joomla itself as that would prevent the majority of users from installing joomla.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/UJ-NoyGUHx4J.
Yes Herman your solution works as well, that why I had to post a link
to your previous post.
I do not have a personal preference on the method of adding basic
protection to passwords (either encryption or hashing) and will rely
on the Joomla core developers to make up their mind on what solution
is good enough for the core. But with 10,000,000's of Joomla plaintext
passwords going through the internet each day (which are easy to
intercept like Herman mentioned), we have a moral obligation to
improve on the current situation.
Thanks, Marius
What did I tell you about looking in the mirror for the Joomla core
developers? ;) Seriously though, I think the best way forward is to
break this whole conversation into parts. Cryptography and SQLi are
completely different fish so I think it's best to separate them.
Marius, I suggest you start a thread on the platform list about crypt
support in both PHP and JavaScript sides of the platform. I know
Louis is tinkering with a new PHP crypt package. Rouven would
probably be interested in the Javscript side. Once there is a rock
solid API it's then it simply becomes a matter of implementation.
That's where I'd start anyway.
Thank you,
Eng. Gabriele Pongelli.
A big advantage of client-side hashing of the password is also, that no administrator of a site can intercept the plain-text password. At the moment, anyone who has rights enough to install extensions on the administrator-side can easily see all passwords during the login (just make an authentication-plugin e.g.). As mentioned before: a lot of people use the same password for different sites. Such a passwords sniffing can be done by someone who breaks into a site, but a site could also easily be created specially for this purpose... And SSL doesn't help anything against exploits like this (the contrary: a certificate would make the site more trustworthy. But you still don't know what could be done with your "bare" password server-side). If I know my password is hashed before sending, then the risk of it being intercepted server-side is more of the theoretical kind.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/yo1NvmCizAEJ.
Sending emails with cleartext password is so unfrofessional please just remove almost this feature and replace it with a reset link (no mainstream website still sends cleartext password via mail this is a privacy and security issue)
Is this feature useful? i don't think.
javascript is disabled on 10% of user browsers? i don't think in the facebook and html5 era.
Best regards,
Stefano
When I wrote the code, I had the administrator-backend in mind: it is not useful to login there without JS. I suspect, that the 10% non-JS is more a figure for visitors in general (including all kinds of bots) then people who need to login. I don't need customers without JS and neither do my customers. More: read the posting from Niels referred to above: he also gives an option how to handle when no JS is available. You can use the next authentication in the plugin-cascade.
Why is the password in the db hashed? Because if someone would get those data (s)he could easily retrieve the password. BUT: if someone can sniff around in your db, is it not probable that (s)he could then also install things on your site? As you say: then they can do anything they want. Ergo: the whole hashing of the passwords is a bit of a fake security. You must first of all avoid that someone who is not allowed to get those data, would ever get them.Still I think hashing the password in the db can add a little bit to security. And along the same line of thinking I think the hashing of passwords over the line can add even more to security, I think.
When I was studying the authentication-methods in various webservices, it was very obvious and general accepted that a plain-password login (or equivalent to that like base64 in Basic authentication) should never be done on a public available network without SSL. That is why Digest authentication etc. was invented. When I learned about those CMSs throwing around passwords in plain text I first couldn't believe it. This is not some theoretical point, this is a major security issue. You can wait for the disasters to come (or take action).
What is important? Some people think security for Joomla has increased by using other prefixes in the db. I think most Joomla SQL-injection in Joomla-extensions will use the general #_ prefix. Still Nicholas called changing the prefix "one step closer to fending off attacks by potential hackers". Trying to find some good solutions for plain passwords over the line on the other hand by him is called an unrealistic problem which wouldn't need a solution, a waste of our brainpower and a witch hunt. Sorry dear friend, I like you very much and it is nothing personal, but I really think you are not seeing things in the right proportions. But I won't waste my time on arguing in this way anymore. Let's code something useful. If you don't want to use that: don't.
Ever used WireShark on a barcamp? I demonstrated the issue lately by
excluding half a dozen Joomla admins from their sites. No efford, every
child (with a laptop) can do this.
> Man in the middle attacks
> require stalking (being on the same network) or advanced techniques
> (DNS poisoning) to succeed. I strongly doubt that anyone would go
> through all that trouble unless he's a security researcher or expects
> to make tons of cash. Regarding the latter person, he'd only attack
> high value targets. If someone has such a site and is not already
> using SSL he's a bloody moron, fair and square.
Unfortunately, SSL is not always an option. Joomla targets at
installation on cheep shared hosts.
> I would also like to point out two assumptions you made: SQLi attacks
> using #__ are far more common than those using jos_. This is contrary
> to every single log file I've seen from real world sites. Man in the
> middle attacks are at least as common as other hacking methods
> (otherwise I would be right in saying it is an unrealistic attack).
> Again, experience shows the exact opposite.
That was just a side step example to understand your focus. The issue is
using plain text passwords in daily business.
> Finally, I will tell AGAIN that even if you'd like to ignore all of
> my points and I were just a bitching schmuck, you still have one
> MAJOR problem in including something like that in Joomla!:
> cryptography laws.
Honestly, I don't believe that password hashing using md5 can be
illegal. If it were, SSL were illegal as well.
> Everybody seems to be oblivious to the fact that
> this would make Joomla! illegal in many countries all over the world.
> People, that's a MAJOR concern and none of you even gave it half a
> sentence in your replies.
Its just because it can't be true - at least in the context of password
hashing.
Regards,
Niels
--
| http://barcamp-wk.de · 1. Barcamp Westküste 2./3. März 2012 |
| http://www.bsds.de · BSDS Braczek Software- und DatenSysteme |
| Webdesign · Webhosting · e-Commerce · Joomla! Content Management |
------------------------------------------------------------------
Ever used WireShark on a barcamp? I demonstrated the issue lately byexcluding half a dozen Joomla admins from their sites. No efford, everychild (with a laptop) can do this.
Unfortunately, SSL is not always an option. Joomla targets atinstallation on cheep shared hosts.
That was just a side step example to understand your focus. The issue isusing plain text passwords in daily business.
Honestly, I don't believe that password hashing using md5 can beillegal. If it were, SSL were illegal as well.
Its just because it can't be true - at least in the context of passwordhashing.
Regarding the legal issues: Simply looking at wikipedia
(http://en.wikipedia.org/wiki/Cryptography) will show you a range of
countries that have serious restrictions: China, Belarus, Kazakhstan,
Mongolia, Pakistan, Singapore, Tunisia and Vietnam. That makes at least
1.5 billion people, about a fifth of the earth population. And that is
just a quick check. So every fifth person on this planet does not have
unrestricted access to cryptography and you can bet your ass that
countries like China or North Korea have their thumb on every and any
crypto software out there.
Hannes
Am 21.12.2011 20:11, schrieb Nicholas K. Dionysopoulos:
> Oh, boy� I'm under the impression that several people on this list are
> /may/ be legal in most jurisdictions. The server sends the encryption
> key over an unencrypted connection. A JS implementation takes the
> user's password, encrypts it (you can add salt if you want to), then
> sends it to the server, complete with the username. If I were said kid
> with a WireShark-enabled laptop I now know:
> - Your site's URL
> - Your username
> - The encrypted password
> - The encryption key
> Apply encryption key to encrypted password, get unencrypted password,
> pwned your site. Attacker vs half-baked solutions: 2-0.
>
> Let's up the ante. Asymmetric (public key) cryptography. Now /that/
> solution would be the use of TAN, iTAN or �better yet� mTAN
> <http://en.wikipedia.org/wiki/Transaction_authentication_number>.
> Especially in the latter case, the transmission of the TAN is done
> over a different communication medium, making it very hard to fake a
> login. However, it's damn hard and expensive to implement, especially
> on the shared sites. Another good approach would be transmitting a
> short-lived (1-2 minutes) TAN over email, assuming that the email is
> accessed over a secure connection (GMail maybe) and the attacker does
> not perform a real-time MITM attack between the site's mail server and
> the recipient's mail server.
>
> Can we now stop the time wasting on this stupid witch hunt and deal
> with real issues? kthxbye
>
I see a real problem. Most of it is still in it's infancy, because the large scale use of public Wifi is not so old yet. Once the script kiddies (and serious hackers) are on this it will be a huge problem, I think. I want to put some energy in avoiding that (solid, using simple MD5). Not in rethorica. It is clear that for Nicholas there is no problem to be solved here, so thank you and goodbye; don't waste your energy on it then.
This was a special year in The Netherlands: most of the certificates that were used by any governmental body in our country were compromised! If anyone had pointed out last year that it was possible, the answer would probably have been the same as yours. But now there was a real problem....
Let's up the ante. Asymmetric (public key) cryptography. Now that would be secure. Sorry, I lied. It would be half-secure. It would absolutely make it impossible for said laptop-wrangling kid to fetch your password. Yet, he's using WireShark. Man! It's pure awesomeness! Steal your cookie, deface your site for the lulz, walk out of the barcamp/whatever. Woot!
Even as such, Houston, we have a problem here. Most jurisdictions consider the dissemination of source code for PK cryptography to be illegal and, in fact, punishable with pretty much the same severity as trafficking weapons. This would mean that we either can not include it in Joomla! or we'd have to compile (encrypt it) with something like Zend Guard (ideally by a guy in a cryptographically neutral country). But that solution also has some issues, as this would violate Joomla!'s own license.
Regarding the legal issues: Simply looking at wikipedia(http://en.wikipedia.org/wiki/Cryptography) will show you a range ofcountries that have serious restrictions: China, Belarus, Kazakhstan,Mongolia, Pakistan, Singapore, Tunisia and Vietnam. That makes at least1.5 billion people, about a fifth of the earth population. And that isjust a quick check. So every fifth person on this planet does not haveunrestricted access to cryptography and you can bet your ass thatcountries like China or North Korea have their thumb on every and anycrypto software out there.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/16NL5sK7qEgJ.
> Oh, boy… I'm under the impression that several people on this list
> are very happy to find the tree and miss the forest.
Well, timbering is done one tree after another.
> Or, at least, type before they think things through.
Do you want to attack me personally? I don't hope so -
> Here we go, and this time
> please pay attention to what I'm writing.
I did, and I do.
>> Ever used WireShark on a barcamp? I demonstrated the issue lately
>> by excluding half a dozen Joomla admins from their sites. No
>> efford, every child (with a laptop) can do this.
>
> Of course I have. You too. Herman too. A lot of us did. It's fun!
> We're geeks! We are the researcher guys. The thing is, have you seen
> any serious hacker walking around with his laptop like that and
> attacking random targets?
No, but I also never saw people being shot or an asteroid impact. And I
*know*, at least the latter two happen from time to time.
> Put in another way: Buying a weapon is very easy in the US. Walking
> into a crowded bar and killing random people is very easy. But is it
> common? Nah, not even in the ghettos, where you might be accidentally
> killed for no reason by some gangster going through his initiation
> ritual. Would you suggest that all buildings should install metal
> detector gates, or X-ray machines and armed security guards?
That is the common solution. One example:
"Long-term protective measures should include physical enhancements to
school buildings. Among the measures schools should consider are the
following:
• Install secure locks for all external and internal doors and windows.
• Install window and external door protections with quick-release
capability.
• Consider establishing a safe area (or safe areas) within the school
for assembly and shelter during emergencies.
• Apply protective coating on windows in facilities that face traffic.
That and other helpful information on school facilities can be found at
www.edfacilities.org/." (UNITED STATES DEPARTMENT OF EDUCATION, 2004)
> Obviously, the high security buildings do have those things and they
> do have those things because they are coveted targets. Same goes with
> sites. Joe Nobody's blog is unlikely to be deliberately targeted by a
> hacker who would go into all of this trouble. Even if said hacker ran
> accidentally into Joe's login information, he'd hardly bother.
Gaining access to Joe Nobody's webspace means getting another cheap spam
relay.
> Just
> because it's possible, it doesn't mean it's probable. Possible means
> that the probability is greater than zero. An asteroid hitting Earth
> and killing all of us is possible (and there are many asteroids which
> could do that). Probable means that the probability is adequately
> high as to worry us. I don't know about you, but I don't wake up
> every morning shaking out of fear that the next minute an asteroid
> will squash me like a cockroach. Just sayin'...
Well, a lot of money is spent on this issue, so I don't have to take
care of it.
http://en.wikipedia.org/wiki/Asteroid-impact_avoidance
>> Unfortunately, SSL is not always an option. Joomla targets at
>> installation on cheep shared hosts.
> The kind of sites that nobody will ever bother cracking because they
> are USELESS.
Sorry, but that is bullshit. Of course these sites are under attack -
constantly. Bot nets are eger to get hands on them to distribute their
spam and malware.
> The only people who might attack those sites are script
> kiddies so that they can boast to their buddies that they're "133t
> h4x0r5". But, yeah, let's assume that you want to protect those sites
> from a completely improbable (=unrealistic) attack.
If that was true, we wouldn't see any "My site got hacked" message on
the forums. Indeed, we see a lot of them.
>> That was just a side step example to understand your focus. The
>> issue is using plain text passwords in daily business.
> Ah, a nice interlude to your arguments. I suppose I could also refer
> to something completely unrelated to your point, imply that it's
> related to what I'm going to say next and you'd happily ignore it and
> go on reading my post, unbiased.
You are constantly getting back to encryption. I never proposed a
solution using encryption. So I 'm forced to believe, that you either
did not read my proposal or did not understand it (I daon't believe the
latter, because I know you).
> OK, I'll give it a go: "It was
> raining yesterday. Yet you say that this kind of attack is common.
> Sorry, but I disagree". Oh, look, a verbal firework!
You're getting offending again...
>> Honestly, I don't believe that password hashing using md5 can be
>> illegal. If it were, SSL were illegal as well.
> No, MD5 is not illegal, but it's a totally stupid idea to implement,
> if your goal is to even marginally increase the security of the site.
It is not. Read my proposed solution.
> Here's why. Let's assume the way Joomla! is currently storing the
> password. Joomla! sends the salt to the browser. A JS implementation
> of MD5 takes the user's password, appends the salt and produces the
> MD5 hash, then sends it to the server, unencrypted, complete with the
> username. If I were said kid with a WireShark-enabled laptop I now
> know: - Your site's URL - Your username - Your salted password
> Therefore, I can login to your back-end.
You can't because of the session token, which is used to salt the
password hash. So you don't get the salted password as it is stored in
the database. And the combination of url-username-hash is only useable
within the exactly same session.
> Your site is pwned and I'm
> 133t h4x0r5. Apparently, this solution added no security whatsoever
> and is as meaningful as digging your backyard in hopes of finding a
> gold streak. Attacker vs half-baked solutions: 1-0.
Only because you're completely ignoring the proposed solution. The
efford for an attacker to get access is significantly higher, so it
definitely is *not* a half baked solution. It is the best you can get
without SSL.
> Next implementation. Using a symmetric encryption algorithm [...]
I'm totally unimpressed of your constructs, which are made to fail and
support your attitude. My proposal works.
> Even as such, Houston, we have a problem here. Most jurisdictions
> consider the dissemination of source code for PK cryptography to be
> illegal and, in fact, punishable with pretty much the same severity
> as trafficking weapons.
My solution does not use any encryption, and md5 hashing is already used
to store passwords. So no harm here.
> Therefore, the attacker beats the half-baked solutions with a
> staggering 3-0. What an one-sided match, ladies and gentlement!
Just because of your bias, which I - honestly - can't understand,
although I tried.
> Or, we could use SSL if we care so much. What could the attacker do?
Of course SSL is the better solution - but we already constated that it
is not always possible to use it.
>> Its just because it can't be true - at least in the context of
>> password hashing.
> Very true, as far as the legality goes.
Nothing more to say about that. No legal issues.
> But you were trying to
> increase security and hashing really doesn't. Unless, of course, you
> store the password unencrypted in the database and create a random,
> one-time salt per login.
Again: Read my proposed solution. It uses one-time salt together with
hashed passwords from the database.
> Right now, with the use of salted MD5 sums, an attacker would have a
> hard time cracking all but the easiest of password (but, then again,
> easy password can be hacked easily no matter how strong your hashing
> method is, see my earlier replies from a few days ago).
Exactly. There is nothing like absolute security. *Any* hurden can be
taken. But it is our obligation to make it as expensive as possible.
*That* shows our responsibility.
> You can continue proposing workarounds and more half-baked solutions,
Read my proposed solution. It works.
> Can we now stop the time wasting on this stupid witch hunt and deal
> with real issues?
Discussing a solution for this issue (you see, I don't say "problem") is
not waste of time. Being forced to defend oneself against your
non-constructive and subjective attacks is. I'm a bit of disappointed,
because I know you as a smart and friendly guy.
Stefano,You'd be surprised! Depending on your site's niche, it is possible that the majority of your users have IE6 with JavaScript turned off (enterprise visitors). Also, many people DO have JS enabled for FaceBook, but turned off for every other site. You've heard about the Firefox plugin called NoScript, right? Many people do use it. If you ask them to turn on Javascript so that they can log in in order to leave a comment on an article, subscribe to your site or something like that, the chances are these people will simply navigate away to another site. Oh, BTW, the 10% is not a random figure; it's a rounded value of what I observe on my sites (8.5-9.6%). Anyway, don't assume anything about the capabilities of the visitor's browser.
Regarding the emails, as of Joomla! 1.6 you can simply override the language strings of the emails to not include the password. But, no, it's not unprofessional, unless you assume that thousands upon thousands of non-Joomla! websites doing the same thing are all unprofessional.
Stefano,
If I took bots into account, the difference would be close to 20%. Thank you, I am not an idiot. Google Analytics is using Javascript to analyse your site because most visitors will have JS turned on and it's the only way to fetch all the information they need without having access to your server.
<noscript><a href="http://www.histats.com" target="_blank"><img src="http://sstatic1.histats.com/0.gif?xxxxx&101" alt="contatore free" border="0"></a></noscript>
<script type="text/javascript">document.write(unescape("%3Cscript src=%27http://s10.histats.com/js15.js%27 type=%27text/javascript%27%3E%3C/script%3E"));</script>
<a href="http://www.histats.com" target="_blank" title="contatore free" ><script type="text/javascript" >
try {Histats.start(1,xxxxxx,4,0,0,0,"");
Histats.track_hits();} catch(err){};
</script></a>
Also just because you, me and pretty much everyone reading this wishes that all users would magically switch to a modern HTML 5-capable browser with Javascript enabled it does not mean that it is feasible. If you read my reply to the browser support thread, you have a good idea why.Regarding the email being sent out, I don't like that feature either. But some sites do that and some of them belong to multi-billion-dollar corporations:- iStockPhoto- SourceForge- Mandriva Linux- Freehostia- Secure Tunnel (they sell SSH tunnelling access!)- RocketTheme- All phpBB3-based forums- Sony Ericsson- WordPress.com
I could go on, but I am too bored to go through my entire list of sites I have registered to.
And this the last email I'm sending on this list. I've wasted 3 hours of my life today debating with people who don't read and don't think. I've got much better uses of my time. So long.
Bottom line: base PHP and JS crypt API would be useful generically
useful to the platform for purposes that include, but are by no means
exclusively limited to login scenarios. When done, everyone can
choose how to, or not to use them for their own particular cases.
Fair?
Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla 1.7 developers
The list of "illegal" softwares that handle SSL type encryption is
very long. IE, Firefox, chrome safari, outlook, PHP, apache, all linux
distributions, etc, etc (i can list a few more dozens if you wish).
Hundreds of common softwares handle public-private key encryption and
have managed to be distributed in a legal manner. That does not mean
that there are very complex legal issues with encryption and the many
different countries that have different standards. But these complex
issues are managed by the experts and since we have lawyers working
for Joomla we should get their professional opinion. However the
"dooms day" scenario that Joomla will be come illegal in many
countries is wrong. It just needs to be implemented with planning.
Stefano, storing unsalted md5 hashes is the backend database is not an
option, as due to rainbow tables nobody should store unsalted
passwords.
>Anyway Nicholas you are right with the cookie hijacking point, but i talked about this issue at start of this thread also. I know this
> problem, and i proposed also to add a check for the user IP in JSession class (So to hijack session you should be able to take
>the user IP, and this is not so easy like it sounds, and not so "untraceable" like a sniffing)
Search this list for "IP blocking" and you will find that this is
impossible to implement and has been discussed before. The problem is
that many people have rotating IP addresses (all AOL users for
instance) who would randomly loose their Joomla sessions. In addition
many people share IP addresses behind proxies and IP addresses can be
falsified. Although the thought of IP validation of sessions is
appealing, it is not possible in practise.
I had some more thoughts on a system that can handle encryption of any
data (not just passwords) and is as simple as modifying the form
submit button. And is just as Andrew suggested in his last posy. I
will create a separate thread with my detailed plan on the platform
list, as the current topic is exploding a bit.
Thanks, Marius
Exactly the reason why there should not be a limit on password length. Any
site that imposes one, IMO, is suspect. Passwords should always be hashed
and, therefore, password length is irrelevant.
On the general matter of client-side hashing, I agree that this would be
an excellent step. Regardless of other server-side security
considerations, *as a user*, all I care about is that providing a password
isn't opening me up to all sorts of potential problems. Currently, when I
sign up to a site, I have no idea whether someone at the other end is
recording my login details, selling them on, or storing them for later
use.
Of course, one personal solution would be to use a different password for
every single site I ever register with. That's completely unrealistic,
though, given that I probably have accounts on hundreds of sites. And any
software-based solution (some kind of keychain-type affair) for managing
passwords is not ideal because it's not available everywhere.
So, as a user, I need to be sure that no-one will ever see the password I
type in. Hashing the password in my browser is the only way to achieve
this, as far as I can tell, and this also requires browsers to report that
this is taking place. But a common approach by sites would be a nice
start.
As others have pointed out, even *with* SSL, this would still add a layer
of extra security.
Maybe it would be good to start an Joomla authentication group and
they could try to come up with some concrete proposals on moving
forward?
Thanks. Mark
> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! CMS Development" group.
> To view this discussion on the web, visit
> https://groups.google.com/d/msg/joomla-dev-cms/-/gp4RrrJA29kJ.
One small step from Louis, one giant leap for joomla.
Awesome thanks for the update.
Sent from my galaxy S2
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/2wL6d6EnOUoJ.
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/2wL6d6EnOUoJ.
To post to this group, send an email to joomla-...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-cm...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.
Change host.
Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla developers
I would expect that the CMS would keep JSimpleCrypt in its libraries after it leaves the platform if there seems to be enough need for it. It has worked well enough for most people for all these years and it can continue to.
> Then why would Andrew agree that the package would be useless without mcrypt?
I'd guess because without mcrypt you gain nothing over JSimpleCrypt, but I can't look into his head. ;) From the pull requests description:
"It should be noted that besides the weak encryption carried over from JSimpleCrypt all of the other ciphers use the PHP mcrypt extension for cryptography." https://github.com/joomla/joomla-platform/pull/909
Rouven
Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla developers
> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! CMS Development" group.
> To view this discussion on the web, visit
> https://groups.google.com/d/msg/joomla-dev-cms/-/xbsz2IP8r9gJ.