Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 
Encryption Configuration

Should you install theĀ Encryption Configuration component?

The answer is simple, if you have your site using SSL then you don't need it. If you are not using SSL then you should install it in your Joomla sites. However, this doesn't guarantee you will be fully protected against Man-In-The-Middle attacks.

What's the risk if you are not using SSL or the Encryption component?

There may be the chance that someone is intercepting all your network traffic. For example somebody on your same local area network may be using Wireshark. In this case the attacker will be able to get to know your password and save it to take administrator priviledges to your site.

So, you have already installed the Encription component. You may be asking: Can I relax now and forget about my password being stolen? Sorry, the answer is still "no". For some time I used to think that it was completly safe, but no. And the reason is web cookies.


How can an attacker still manage to supplant your identity?
Let's say that there is someone eavesdropping your traffic. And let's assume that you have the encryption component installed. Then, you login at your back-end. This time the attacker just get gibberish as your password. As the encryption is made using an asymmetric algorithm it is very hard to break it, one point for you.
All the attacker is left to do is keep listening. Now, you have successfully logged in. By now, Joomla has created a record in the session table of your database, this is how it will know that you are the administrator and you have full access to the back-end.


So, now you click in some of the menu-items, "global configuration" for example. The browser makes a new http request to the server to go to the configuration back-end page. And how does Joomla know that you are still the admin and you don't require to log in again? By using a cookie. Browser and server keep trasmitting cookies for every request and response. And there is a specific cookie saying what is the session id that Joomla has created.
At this point the attacker, who has been reading all your web request, just need to get the value of this cookie. Then she can just set this cookie in her own browser, very easy if she is using Firefox.


At that would be all, this bad guy is now accessing you back-end, and you may not even know it.
This nasty trick has already been tested (at front-end of extensions.joomla.org) and it sadly works.

Resuming, use SSL.