Joomla is built by many talented individuals, carefully reviewing every code contribution made to the project to ensure that a secure system is built.

But what would happen if an attacker is able to manipulate the Joomla update server? Or if a successful attack is made against the CDN that Joomla uses for update distribution? Or to ask a more generic question: how can we be sure that an update presented in Joomla backend is actually legitimate?

Supply chain attacks

In the IT world, an attack targeting the update procedure of a software is called “supply chain attack”. And it’s not a theoretical issue, but a real world threat not only for desktop software but also for CMS - and combined with an auto-update mechanism, it can quickly become a nightmare scenario. In 2016, a vulnerability was discovered in the WordPress update server that would have allowed attackers to compromise 27% of the known web at once.

Cryptography to the Rescue

Mitigating a supply chain attack requires that the local software (in this case: our Joomla site) is able to validate that the information about available updates has been published by an authorised entity (so in our case: the Joomla project) and also requires that the integrity of a downloaded update package can be verified.

In order to do so, the software industry uses public/private key cryptography: A developer publishes the update information and signs it using his private key. The local software instance has a copy of the public key stored, allowing it to check that signature. If either the update information or the signature has been changed, the check will fail. And if that update information also includes a hash sum (a “fingerprint” for a file) of the actual update package, the software can also verify that the actual downloaded package is the original file and has not been modified.

Introducing TUF

With Joomla 5.1, such an update verification system has been introduced! It’s based upon “The Update Framework” or just “TUF”, a system developed by the Python community. With TUF, the project is now able to prove the integrity of its update information, making future core updates tamper-proof! Even if attackers are able to access the update server distributing the information about available updates, it’s impossible for them to forge the cryptographic signature that proves that this information has indeed been published by the official project.

TUF solves a wide range of different problems and also allows the project to securely add and remove authorised signing keys in the future. It’s a sustainable solution for the years to come.

And the best part: as a Joomla user you have to do absolutely nothing to make use of the new system! The TUF-based updater will be introduced with Joomla 5.1 for both existing and new sites – so once you have updated to 5.1 or have started a new project with 5.1 or newer, you’ll benefit from tamper-proof core updates automatically.

Setting new standards

Joomla is, as far as we know, the first and so far only PHP-based CMS implementing such a system in its update process. It demonstrates that the project takes its vision statement seriously: developing Open Source Software that is free, secure, and high-quality.

Honour to whom honour is due

Last but not least I want to thank Franciska Eichert, Martina Scholz, Niels Nübel, Stefan Wendhausen, Tobias Zulauf, Magnus Singer, Benjamin Trenkle, Timo Feuerstein, Harald Leithner for their contributions during the development of the feature and all the testers, code reviewers and bug fixers that made it possible to include TUF in the core. It was a challenging project and I very much appreciate the help of every single one of you!