<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>brian.teeman.net - Latest Comments in Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>http://brianteeman.disqus.com/</link><description>agree or disagree... i don't care</description><atom:link href="https://brianteeman.disqus.com/can_you_trust_your_joomla_extensions_extensions_brianteemannet/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Fri, 11 Dec 2009 10:42:12 -0000</lastBuildDate><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-25518590</link><description>&lt;p&gt;How about full blown package management. Not just the integrity checks - package discovery, dependency management etc. I think AndrewEddie is right, we can't rely on Joomla to do everything. If someone puts up a SaaS and it proves beneficial maybe the JED will put up their own in time. Either way it's a win-win. I don't know of any other CMS with full blown package management. I've always wanted the discovery option. It could also be decentralized, only the top level (discovery) list being central.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Buca Bay</dc:creator><pubDate>Fri, 11 Dec 2009 10:42:12 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-24324874</link><description>&lt;p&gt;Interesting article, however I can add a different twist - ...... What if the JED doesn't remove an extension that's either directly infected or from a website that's infected? - Couldn't happen you say??? Not the JED putting you all at risk you say??? Never ever happen??? - Oh yes it can!! 
.....About 10 days ago, after clicking on a download link listed in the JED my AV immediately alerted me to a virus (worm). I tried alerting other users via posting a review (as being a newbie I didn't know where else to alert people &amp;amp; didn't know that it was "disallowed" to report it in the reviews...... after being (sternly) corrected by JED staff/email, I again wrote to them about it for the second time, this time doing it by the method they had instructed ............after which they sent me another reply saying they'd look into it etc) - to cut a long story short, it has been at least 10 days &amp;amp; the product was still listed on the JED (&amp;amp; the website was still infected) when I checked a week later, &amp;amp; furthermore was still listed (&amp;amp; site was still infected) only a day or so ago (..... I couldn't help myself, had to check it....). And by the way, it's STILL listed as I write (I just checked again...). Yep, I can REALLY see how putting our site's safety completely into the hands of those people at the JED will keep us all safe &amp;amp; sleeping well at night knowing we will be safe from being infected or hacked..... &lt;br&gt;PS: love the site Brian, by the way.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">karban</dc:creator><pubDate>Mon, 30 Nov 2009 05:20:09 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-22025247</link><description>&lt;p&gt;I am glad to say that when my site was compromised by a trojan on my PC two months ago, the extension downloads were left untouched!&lt;/p&gt;&lt;p&gt;I think the basic suggestion is excellent, in spite of practical complications. It seems to me that all comments point out relevant aspects. Putting these all together one could (should!?) 
assume the JED to be a well protected and frequently backed up website which could be trusted as a trusted source for extensions listed in the JED. The core functionality as suggested could allow an additional third party source to be specified. This could be used by non-GPL extensions not listed in the JED, and perhaps someone feels like providing the third party service to non-GPL extension developers.&lt;/p&gt;&lt;p&gt;Someone could develop a service checking download checksums at the extension developer's download server, and perhaps someone will. But, amateur developers of free stuff, like me, will often not be prepared to pay for that service. In any case, I do not see why Joomla should wait for that, aside from practical issues such as time and priorities.&lt;/p&gt;&lt;p&gt;I wish the core would have some more tools like this to make security checks.  It is a pity that Adam's work remains outside the JED, but it is a great pity that his Diagnostics has not become part of the core. JTS does a lot of good, but surely more can be done. Wouldn't it be a good idea to have the core check after each installation if an extension has all the index.html files in place and jexec do or die lines in php files? If fun things like Squeezebox can be put into libraries, why not some open source third party code checking for file changes? I presume none of the commenters here use a standard .htaccess file, so if the knowledge is there, why shouldn't the one in the installation package be a bit more nifty?&lt;/p&gt;&lt;p&gt;Perhaps in the past, it was valid to think that Joomla is the core on which good developers can build to make good websites with the help of good third party extensions. But now Joomla is successful in good part because it has reached the masses who use their mouse instead of code editors to set up websites. Large numbers means common denominators means user-friendliness if not idiot-proofing. 
&lt;br&gt;That is why I just wanted to stop by and say that the suggestion in this article is excellent.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ewout Wierda</dc:creator><pubDate>Fri, 06 Nov 2009 05:35:13 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21902121</link><description>&lt;p&gt;I think it is fairly safe to assume that a well respected extension developer "should" be a trusted source but as we have seen that is not always the case. Heck even Red Hat had their trusted server and its downloads "adjusted".&lt;/p&gt;&lt;p&gt;I don't agree that it's too late if this happens as until the extension is unzipped and installed nothing is executed. Hence the checks I propose take place before the archive is unzipped.&lt;/p&gt;&lt;p&gt;Preventative action should be first on the list, no argument there, but right now they don't exist. Perhaps my solution is a band-aid but I believe it would work.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 20:08:03 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21890485</link><description>&lt;p&gt;I think Emir hits another part of the equation on the head.  The download server needs to be a "trusted" source as much as possible.  Treat the disease as well as the symptoms.  It's actually too late if the downloader is the first to know about a breach, and not the downloadee.  
This would need to be a holistic strategy providing coverage over many points of failure.&lt;/p&gt;&lt;p&gt;Automatically generated real-time (note: not cached) checksums (or other metadata) are actually a good thing because a service can monitor those and alert the developer the instant something changes (could be easily incorporated into any of the popular heart-beat monitoring services).  Preventative action should be first on the list.  Checks at download/install time should be the last line of defense.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AndrewEddie</dc:creator><pubDate>Wed, 04 Nov 2009 16:32:09 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21858149</link><description>&lt;p&gt;The hacker then would need to not only compromise the server that the download is hosted on, but also use some social engineering to gain your JED login. Whilst theoretically that's possible, I think that it's unlikely.&lt;/p&gt;&lt;p&gt;At the end of the day, no scheme put into play would ever be perfect, all we can do is look at ways to minimise the risk.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vince Wooll</dc:creator><pubDate>Wed, 04 Nov 2009 10:07:29 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21857766</link><description>&lt;p&gt;In that case the same applies to JED: if a hacker was able to acquire your account details for JED they could modify the md5sums there as well. 
The point is that the hacker should not be able to hack into joomlacode, it should be a trusted source.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Saka</dc:creator><pubDate>Wed, 04 Nov 2009 10:01:43 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21834871</link><description>&lt;p&gt;Didn't say it was a perfect idea ;) it's just an idea thrown out there that people can pick up on if they want to. Agree or disagree... I don't care but on my blog I get to comment ;)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 01:30:54 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21834784</link><description>&lt;p&gt;Well, for me, I would separate the technical solution from your ideological preference of where and how it should be implemented and by whom.  I think enforcing that the JED and the Project must do it exactly the way you want, that inherently stifles the original innovation of the point of your idea.  Just let people discuss it, mould it, and see what comes out the other end - it still has lots of polishing to make it to reality.  Is that really too much to ask?&lt;/p&gt;&lt;p&gt;Also, if I didn't think it was a big deal, I wouldn't have said anything.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AndrewEddie</dc:creator><pubDate>Wed, 04 Nov 2009 01:27:15 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? 
| Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21834268</link><description>&lt;p&gt;For this type of service to work then it has to be universal and the best way to achieve that is to integrate it into the installation manager and into JED.&lt;/p&gt;&lt;p&gt;Whilst Joomla cannot be responsible for a user's site being hacked, assuming they follow best practice, it still suffers from the backlash when the site is hacked. For that reason the "project" should be doing as much as is feasible to mitigate the exposure of its users.&lt;/p&gt;&lt;p&gt;The onus is still on the user and the developer to write secure code and follow best practice but this is one small step the project can take to help.&lt;/p&gt;&lt;p&gt;If you don't think the two published cases I referred to in the original post are a big deal and affected only a few users, then think again. I've personally dealt with almost a hundred affected and infected sites as a result of just one of them.&lt;/p&gt;&lt;p&gt;If other projects wanted to adopt something similar they could of course, it's GPL ;)&lt;/p&gt;&lt;p&gt;If I could I would of course submit this concept as a white paper for central discussion &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 01:15:19 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21834052</link><description>&lt;p&gt;No, you didn't understand. I see it as a generic service that can be offered to any download case, much like the hacker-safe for Credit Cards (for what they're worth).  Download corruption is not unique to Joomla.  
The revenue "could" be generated by a SaaS provider and they could charge either the Joomla (or Drupal, or Magento, etc) Developer or the end user for using it to check installs, or both (not my concern how it's done); or it could be free.&lt;/p&gt;&lt;p&gt;My point was that the project does not have to hold this up if, and they are at liberty to, disagree that it's a core function they have to provide.  I was merely giving you an option that frees you from the shackles of waiting for the project to decide whether they considered it a good idea or not.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AndrewEddie</dc:creator><pubDate>Wed, 04 Nov 2009 01:06:04 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21833730</link><description>&lt;p&gt;I attempted to address this here &lt;a href="http://brian.teeman.net/extensions/can-you-trust-your-joomla-extensions.html#comment-21753314" rel="nofollow noopener" target="_blank" title="http://brian.teeman.net/extensions/can-you-trust-your-joomla-extensions.html#comment-21753314"&gt;http://brian.teeman.net/ext...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 00:54:54 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? 
| Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21833607</link><description>&lt;p&gt;We'll have to disagree on this.&lt;/p&gt;&lt;p&gt;You see it as a revenue-generating idea and a service for the extension developer.&lt;/p&gt;&lt;p&gt;I see it as a service for the joomla user and as such it IS a role for the "project".&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 00:51:16 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21833553</link><description>&lt;p&gt;Unfortunately if you mean joomlacode then there is a flaw in the joomlacode design and the md5sums displayed on joomlacode are automatically generated. So if a hacker was able to acquire your account details for joomlacode and modified the extension, joomlacode will modify the md5sum. That is one reason why the md5sum and the download should be on different servers.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Wed, 04 Nov 2009 00:49:10 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21826712</link><description>&lt;p&gt;So, playing with it in my mind. A download is a download is a download - could be Joomla, Drupal, a file in DOCman, whatever. So all you need is a central "service" that registers download metadata and has an API to query.  In the case of Joomla installation you just need an event that a plugin can listen for, and it queries the download checker service after uploading.  
That's a nice SaaS for someone to latch on to :)  Revenue can come from the developer side, the user side or both.&lt;/p&gt;&lt;p&gt;All the core [code] has to do is provide an event for a plugin to latch on to (I think they are actually in 1.6 - need to dbl check).  The only obstacle then is the willingness for someone to run with the concept (or find someone that has already done so - surely there is).  I don't see this as something the "project" has to drive because of the broader applications.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AndrewEddie</dc:creator><pubDate>Tue, 03 Nov 2009 22:41:59 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21820648</link><description>&lt;p&gt;It would make more sense to check against Forge (e.g. the place the extension is hosted) because in that case the Forge could generate md5sums automatically as the user uploads the file, and project names are already unique.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Saka</dc:creator><pubDate>Tue, 03 Nov 2009 20:46:00 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21796503</link><description>&lt;p&gt;Well, it's a pretty good idea, although there's one problem with storing info in the Extension Directory.&lt;/p&gt;&lt;p&gt;A load of components out there aren't on the Extension directory (none of mine are, and I can't add them because they aren't GPL), so that will not work for those components :)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Adam van Dongen</dc:creator><pubDate>Tue, 03 Nov 2009 17:18:11 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? 
| Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21780937</link><description>&lt;p&gt;Back in October, some people from the Joomla team updated their Vulnerable Extensions List.  In the process, they renamed it, which means that all pointers to the old one still point to a very outdated list (which includes Acrobat 7 for some reason).&lt;/p&gt;&lt;p&gt;However, this is both a pretty comprehensive list of reported vulnerabilities from the last 3 months and a good indicator that more needs to be done.&lt;/p&gt;&lt;p&gt;&lt;a href="http://docs.joomla.org/Vulnerable_Extensions_List_oct" rel="nofollow noopener" target="_blank" title="http://docs.joomla.org/Vulnerable_Extensions_List_oct"&gt;http://docs.joomla.org/Vuln...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">cmsmarket</dc:creator><pubDate>Tue, 03 Nov 2009 15:29:16 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21760609</link><description>&lt;p&gt;Excellent piece, thanks for the blog on this.  Is there a page/post somewhere that discusses these hacked mods/components?  It would be nice to know what these are so that we can check our installations.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">WebJIVE</dc:creator><pubDate>Tue, 03 Nov 2009 09:58:45 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? 
| Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21760412</link><description>&lt;p&gt;Excellent suggestions Brian, food for thought.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Vince Wooll</dc:creator><pubDate>Tue, 03 Nov 2009 09:54:53 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21757020</link><description>&lt;p&gt;This sounds like an excellent suggestion to help make #Joomla a more secure environment. &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Smart-Tactics</dc:creator><pubDate>Tue, 03 Nov 2009 08:47:25 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21756357</link><description>&lt;p&gt;I've been waiting for the article. I know you do not care - but I agree with you and your identified solution. The acceptance of Joomla! rises and falls with the safety and we need a completely secure, trusted source for downloads. Right now where Joomla comes of age.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chent</dc:creator><pubDate>Tue, 03 Nov 2009 08:29:18 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? 
| Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21753477</link><description>&lt;p&gt;I think I addressed this in the comment above &lt;a href="http://brian.teeman.net/extensions/can-you-trust-your-joomla-extensions.html#comment-21753314" rel="nofollow noopener" target="_blank" title="http://brian.teeman.net/extensions/can-you-trust-your-joomla-extensions.html#comment-21753314"&gt;http://brian.teeman.net/ext...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Tue, 03 Nov 2009 08:12:59 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21753314</link><description>&lt;p&gt;To expand on the workflow slightly it would perhaps be better to offer the user a warning that the extension could not be verified and leaving the option to install up to the user instead of just refusing to install.&lt;/p&gt;&lt;p&gt;That way extensions that are not listed on JED for various known reasons or are private extensions can still use the installer.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Teeman</dc:creator><pubDate>Tue, 03 Nov 2009 08:10:19 -0000</pubDate></item><item><title>Re: Can you trust your joomla extensions? | Extensions - brian.teeman.net</title><link>https://brian.teeman.net/joomla/253-can-you-trust-your-joomla-extensions#comment-21753172</link><description>&lt;p&gt;In the case of the JED, a suggestion I must say I like, there are first of all two problems I can think of:&lt;/p&gt;&lt;p&gt;1) The JED needs to store all info on all versions released of all extensions. Which it should in the first case in my opinion, so that it can alert people when extensions need upgrades. 
Which brings me on to a related topic: The installer in J1.6 A2 seems to contain stuff that suggests someone has thought of this already?&lt;/p&gt;&lt;p&gt;2) Everyone needs to be able to use the JED, not just GPL extensions. It's either that or letting 3rd party directories handle the security checks as well, which kind of defeats the point of it all.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">BEDRE reklame</dc:creator><pubDate>Tue, 03 Nov 2009 08:05:17 -0000</pubDate></item></channel></rss>