Can you trust your joomla extensions?

Comment by Martin Rasser on November 3, 2009 at 3:10pm

Checksums are great, but if people get access to the file system to tamper downloads, they surely can get access to the articles/html pages that display the checksums. Having a third party to provide the hash and making users navigating there, getting the checksum and going through the noob-pain to validate the download is beyond jumping through hoops. Also, any information about the hash can be deleted on an exploited website.

I guess a safer way to provide downloads is to outsource the whole service to a third party (joomlacode for GPL extensions, googlecode for other open source). Still, this wouldn't thwart attackers to set up a fake download page on your exploited site for their own nasty downloads.

Security practices are so much easier to disprove than to prove. Providing hashes sure are a step in the right direction. Thank you Brian for regularly posting about security, hopefully it makes people more aware of what can happen if you don't keep your eyes open!

Comment by Brian Teeman on November 3, 2009 at 3:15pm

Ddi you not read the entire post - I addressed all of these points

Comment by Martin Rasser on November 5, 2009 at 3:02pm

I meant that all information about the existence of a validation hash could be wiped from the website, then people would have to be aware of the hashes being published on the JED or wherever.

Oh, yes the Joomla 1.6 installer idea is very nice, but how can a manipulated extension be identified and matched with the corresponding checksum. Changing the identifying marks would make the extension look like something new or could even get matched with a dummy JED extension of the attacker (the latter of course would be quite a long con).

Comment