How SSL Can Secure and Add Features to Your Joomla! Site
Joomla! takes security very seriously and is extremely proactive about fixing any issues that may arise. That doesn't mean that there isn't more you can do for your Joomla! website to protect it. Using SSL, you can enable a few features already built-in to Joomla! and protect from some easy exploits that may be taken against your site and users users. Better yet, SSL can be used for other features you may not even know about.
Why you should be using SSL on your website
SSL (or TLS as it’s newer revisions call it) is that little padlock that has appeared on webpages since Netscape 2.0 in 1996. While it’s commonly thought that SSL is only really needed on e-commerce, financial, or other similarly sensitive sites, the truth is that any site can benefit from the added security, including your Joomla! website. You don’t even need extra extensions, there are features built-in to Joomla! that you can take advantage right now to help your users, and especially yourself, be more protected.
But, I don’t have anything special to protect
Yes you do! One of the most valuable things on any website is the username and password for accessing the site. Even if you don’t have users that login to the Front-end of your site, surely, you log into the Administrator area. If you’re not using SSL, others can impersonate you in multiple ways and steal the ‘keys to castle’.
So what’s at risk?
When any user logs into your Joomla! site, their username and password are sent over the internet to your server. That part is obvious. What’s not obvious is that username and password can be intercepted anywhere along the way path from the users browser to a wireless router to the ISP to the server itself. While smaller sites are unlikely to be targeted, it's possible. More likely though, as the use of wireless networks at restaurants and coffee houses is pretty commonplace now, those credentials can be intercepted right out of the air before it even goes on the internet.
What can someone do with credentials from my site?
Well, if you’re an administrator, they can do anything they want. Additionally, for your users, password over-use is an extremely common problem. While you may not think credentials to your site are that valuable, they can be useful if the user for some crazy reason has the same username and password on a major retail site, hosting company, or other higher profile sites.
How can SSL stop this?
It’s amazingly simple, actually. In the Joomla! Login module, there’s a simple setting “Encrypt Login Data”. When you have an SSL certificate on your website, this setting will have the user’s browser encrypt their username and password before it’s sent over the internet to your server. That’s it!
Session Cookies are vulnerable too
With Joomla!, when a user logs into the Front-end or Back-end area of your website, a special session cookie is set in the browser to identify that user. That cookie is transmitted with every page load so that Joomla! knows the user that is viewing the page. That cookie then grants them the priveleges to do what any registered or administrator user can do.
While the cookie is less of a threat as it will eventually expire, it’s still something that may be worth securing, depending on your site. By simply using SSL across your site, that cookie will be encrypted as well. Again, securing this aspect is as easy as changing the “Force SSL” setting in the Joomla! Global Configuration area. Simply set it to “Entire Site” or “Administrator Only”. If you have an SSL certificate, there’s no reason to select “None”, you should at least choose “Administrator Only” which will prevent your Back-end session cookie being taken, preventing access to the whole Administrator section of your site.
Really, is this even possible?
In 2010, a Firefox addon named Firesheep was released which can automatically scan a wireless network to show and use any session cookies for popular sites like Facebook and Google. While there isn’t an easy addon specific to Joomla! sites, the possibility is still there.
The drawbacks to SSL
The biggest drawbacks of SSL are possible cost and performance. Depending on your hosting plan, an SSL certificate may cost anywhere from free to $150 / year. That cost all depends on if your host supplies a ‘free’ shared SSL certificate, lets you install your own from a 3rd party vendor (as low as $10-$20) or force you to buy one from them (up to $150).
Are there other features for SSL?
Yes! The whole reason this article came about was because we received similar questions of “What else is SSL good for?” on our forums. For our Joomla! Facebook integration extension, JFBConnect, SSL is required for Facebook invitations to be sent and for Page Tab integration, to show parts of your website on your Facebook page. Since most sites don’t have SSL, we started presenting multiple reasons that it can beneficial to have an SSL certificate outside of just enhanced Facebook integration.
There’s plenty of other reasons for SSL that you probably weren’t aware of, and hopefully now you a few good examples. Do you have any other ways that SSL can enhance features, functionality, or general security of a website you’d like to share? Post them in the comments below.