Joomla! Security 101 - Joomla! Day Bosnia and Herzegovina 2013
Transcript of Joomla! and SSL
Presentation “Joomla! and SSL” - http://slideshare.net/yireo - Jisse Reitsma ([email protected]) - Twitter @yireo
Joomla! & SSL
Myself
Co-founder of Yireo, loving both Joomla! and Magento
Developer of MageBridge, Dynamic404 (+ some more)
Author of Joomla! 1.5 templating book (2009, Dutch only)
Trainings for VMware ESX, HP-UX, Linux (<2007)
Trainings for Tibetan Government in Exile (TCRC)
Cycled from Holland to Spain (2012, 2500+ kms)
Favorite dish Ayam Percik (chicken in coconut-curry, Malay)
Joomla! & SSL
Part I - Basics of SSL
Part II - Usage in Joomla!
Part III - Advanced topics
Slides: http://slideshare.net/yireo
Part I - Basics of SSL
About HTTPS and SSL
HTTPS = HTTP Secure
SSL = Secure Sockets Layer
Most common implementation is OpenSSL
SSL and encryption
Two types of encryption
Authentication of server (certificate)
Encryption of traffic (key-exchange)
Factors
Number of bits: 128, 256, 512, 1024, 2048
Ciphers: Diffie-Hellman (cert), HMAC (TLS), SHA / MD5 (SSL)
Certificate Authorities (CA)
Root CAs = Trusted by your browser
Intermediate CAs = Trusted by Root CAs (used in chain)
Your certificate = Trusted by the commercial CAs
Self-signed certificate = Trusted by no one but you
What do you need?
SSL-certificate
CommonName (sometimes Chamber-of-Commerce check)
Is valid for 1 or multiple domain names (wildcard)
Expires after a certain date
Vendors: GeoTrust, GlobalSign, Comodo, Thawte, TrustWave
Dedicated IP-address
Part II - Usage in Joomla!
Joomla! Global Configuration
What about partial SSL?
Enforce HTTPS on the pages that need it
Enforce non-HTTPS (HTTP) on all other pages
Slight performance gain
Secure pages
Shop (VirtueMart, MageBridge, HikaShop, Tienda)
Contact-form
Forum-pages
Yireo SSLRedirect plugin
SSL in your code
Using the // protocol-prefix
//domain/path/ (instead of https://domain/path/)
Simply use Joomla! calls
JHTML::stylesheet() / JHTML::script()
$document = JFactory::getDocument()
JRoute::_()
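The reason the slide pushes the "//" prefix and the Joomla! helpers is mixed content: a page served over HTTPS that still loads a stylesheet or script from a hard-coded http:// URL gets a browser warning, and scripts are blocked outright. The check below is an added example, not code from the slides or from Yireo: a small pre-deploy scan over a template or extension tree that reports every src= or href= attribute pointing at http://. The sample template it runs on is constructed for the demonstration (example.test hosts, a made-up template path); the functions work unchanged on a real templates directory.

```shell
#!/bin/sh
# Added example, not code from the slides or from Yireo: a pre-deploy check
# that scans template and extension files for hard-coded http:// asset URLs.
# On a page served over HTTPS, browsers report these as mixed content (and
# block scripts); the slide's fix is the protocol-relative "//" prefix or
# Joomla!'s own helpers (JHTML::stylesheet, JRoute::_), which emit the right
# scheme for the current request.

# Pattern: a src= or href= attribute whose quoted value starts with http://
# (https:// and // are deliberately not matched).
MIXED_PATTERN="(src|href)=[\"']http://[^\"']*"

# find_mixed_content DIR
# Prints one "file:line:match" per offending attribute. Returns 0 when the
# tree is clean and 1 when something was found, so it can gate a deploy.
find_mixed_content() {
    matches=$(grep -rniEo "$MIXED_PATTERN" "$1" 2>/dev/null || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# count_mixed_content DIR: the same scan, reduced to a plain integer
count_mixed_content() {
    find_mixed_content "$1" | grep -c . || true
}

# make_sample_template: writes a constructed (not real) Joomla! template
# fragment into a temp dir and prints the dir; two of its lines are bad.
make_sample_template() {
    dir=$(mktemp -d)
    cat > "$dir/index.php" <<'EOF'
<?php defined('_JEXEC') or die; ?>
<link rel="stylesheet" href="http://cdn.example.test/css/style.css">
<script src="//cdn.example.test/js/app.js"></script>
<script src="https://cdn.example.test/js/vendor.js"></script>
<?php JHTML::stylesheet('templates/demo/css/template.css'); ?>
<img src='http://static.example.test/images/logo.png' alt="logo">
EOF
    printf '%s\n' "$dir"
}

# Usage on a real site:  find_mixed_content /var/www/html/templates
# Below it runs on the constructed sample and reports the two bad lines.
sample=$(make_sample_template)
find_mixed_content "$sample" || echo "found $(count_mixed_content "$sample") hard-coded http:// URL(s)"
rm -rf "$sample"
```

Only the two lines with an explicit http:// scheme are reported; the "//" line and the https:// line pass, and so does the JHTML::stylesheet() call, because the helper builds the URL from the current request. The exit status makes the function usable as a gate in a deploy script.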
Part III - Advanced Topics
Getting an official SSL-cert
Generate a private SSL-key + CSR
Use CSR to purchase a new SSL-certificate
Install the new SSL-certificate in your webserver
SSL-key
SSL-certificate
SSL Root CA certificate
SSL chain-certificate (optional) for intermediate CAs
Getting a self-signed SSL-cert
Generate a private SSL-key and a self-signed SSL-certificate
Install the new SSL-certificate in your webserver
SSL-key
SSL-certificate
Installing the SSL-cert
Apache
Nginx
Control panels
DirectAdmin
Plesk
cPanel
OpenSSL commands
Generate a private SSL-key + CSR
openssl req -new -newkey rsa:2048 -keyout foobar.key -out foobar.csr
Inspect a certificate
openssl x509 -inform pem -in foobar.crt -noout -text
Creating a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout foobar.key -out foobar.crt
Common Apache-directives
SSLEngine on
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-rootca.crt
Chain-workaround
Tip: Instead of using separate files, you can also copy all SSL-certificates to 1 single certificate-file:
Personal SSL-certificate
Intermediate SSL-certificate 1
Intermediate SSL-certificate 2
Intermediate SSL-certificate 3
Root SSL-certificate
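The "Getting an official SSL-cert" steps, the OpenSSL commands slide and the chain-workaround above fit together into one flow: generate key and CSR, get the CSR signed, inspect the result, then stack the certificates into a single file in the right order. The script below is an added example, not code from the slides or from Yireo, that runs that flow offline in a scratch directory. Because no commercial CA is available offline, a self-signed certificate made with the slide's own command stands in for the CA that signs the CSR; the names (example.test, "Demo CA") and file names (site.key, site.csr, site.crt, bundle.crt) are constructed for the demonstration. It also adds the two checks worth doing before copying anything into the webserver: that the certificate really belongs to the private key, and that the bundle is ordered leaf first, root last.

```shell
#!/bin/sh
# Added example, not code from the slides or from Yireo: the slide's OpenSSL
# commands run end to end in a scratch directory, followed by the
# chain-workaround bundle and the checks worth doing before installing it.
# To stay offline and self-contained, a self-signed certificate made with the
# slide's own command stands in for the commercial CA that would sign your
# CSR. The names used (example.test, "Demo CA") are constructed for the demo.
set -e

# make_toy_ca DIR: the slide's self-signed command, used here as the stand-in CA
make_toy_ca() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
}

# make_key_and_csr DIR FQDN: private key + CSR; -subj replaces the prompts
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/site.key" -out "$1/site.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_csr DIR: what the CA does with your CSR; the result is DIR/site.crt
sign_csr() {
    openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/site.crt" 2>/dev/null
}

# key_matches_cert DIR: the certificate's public key must belong to site.key;
# a mismatch is the usual cause of Apache's "key values mismatch" at startup
key_matches_cert() {
    a=$(openssl pkey -in "$1/site.key" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$1/site.crt" -noout -pubkey 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# build_bundle DIR: the chain-workaround file, in the slide's order:
# own certificate first, intermediates (none in this demo), root last.
# awk '1' re-emits every line with a newline so two blocks never run together.
build_bundle() {
    awk '1' "$1/site.crt" "$1/ca.crt" > "$1/bundle.crt"
}

# count_certs FILE: number of PEM certificate blocks in a bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_block FILE N: print only the N-th (1-based) certificate block
cert_block() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# check_chain_order FILE: every block must be issued by the block after it
# (leaf -> intermediate -> root); returns 1 at the first break in the chain
check_chain_order() {
    n=$(count_certs "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(cert_block "$1" "$i" | openssl x509 -noout -issuer)
        sub=$(cert_block "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# verify_leaf DIR: what a client does: validate the site cert against the root
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" "$1/site.crt" >/dev/null 2>&1
}

# demo DIR: the whole flow; prints the decoded certificate exactly as the
# slide's "inspect a certificate" command does, then the bundle verdict
demo() {
    make_toy_ca "$1"
    make_key_and_csr "$1" example.test
    sign_csr "$1"
    build_bundle "$1"
    openssl x509 -inform pem -in "$1/site.crt" -noout -text
    key_matches_cert "$1" && echo "key matches certificate"
    check_chain_order "$1/bundle.crt" && verify_leaf "$1" && echo "bundle order and chain OK"
}

# Usage: run against a throw-away directory; in real use site.key stays private.
scratch=$(mktemp -d)
demo "$scratch"
rm -rf "$scratch"
```

With a real purchase the CA's intermediate certificates go between site.crt and the root in build_bundle, and check_chain_order then walks through them the same way: the issuer of each block has to equal the subject of the next. A bundle pasted in the wrong order (root first) fails that check, which is the mistake the single-file workaround makes easiest to commit. Since Apache 2.4.8 such a bundle can be given directly as SSLCertificateFile, with SSLCertificateChainFile no longer needed.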
Extended Validation (EV)
Validation of your company by CA
Registry in Chamber of Commerce
Check for financial behaviour (outstanding payments)
Check for legal problems
Is SSL actually safe?
Hacking of CA-servers
DNS hijacking
Decryption-attacks (SSLstrip, BREACH)
TLS: Multiple certs with 1 IP
TLS Extension Server Name Indication (SNI)
Apache 2.2.12 or later
OpenSSL 0.9.8j
About SPDY and HTTP 2.0
SPDY
Developed by Google
Does not work without HTTPS (TLS)
Requires additional modules in webserver (Apache, Nginx)
HTTP 2.0
Using SPDY as starting point
thanks