The Joomla! Community Portal ™

Wed

29

Jan

2014

Raising The Bar On Security
Written by Michael Babker   
Wednesday, 29 January 2014 17:15

Starting with Joomla! 3.3, the minimum required PHP version is being raised to PHP 5.3.10!

There, I said it! No gunshot wounds? Great, so here's the scoop …

This post will cover:

  • Why change now?
  • Why wasn’t the requirements bar set higher from the beginning of 3.x?
  • How will extensions be affected?
  • Will I get any warning? What do I need to look for?
  • tl;dr … What will happen if my host is NOT Joomla! 3.3 Ready?

Lets start with, "Why change now?"

Joomla! 3.3 R3ady?The Joomla! 3.x series should culminate with the Long Term Stable (LTS) release within a year, and after that will be supported for at least another 2 years. There was a significant change made in the PHP 5.3.x series leading up to PHP version 5.3.10 that substantially enhances the level of cryptography that can be used for securing passwords. Knowing how long Joomla! 1.5 and 2.5 sites may remain in use, it is easy to predict that Joomla! 3.x sites will be around well beyond the series reaching End-Of-Life three years from now. No one running a 3.x site wants to experience security breaches, nor do we want the bad press for not properly protecting against them. With the constant advances in hacking techniques, it would be a tremendous disservice to the Joomla! community to not take advantage of the far more secure cryptographic algorithms that became available in PHP 5.3.10 and make it available for the next LTS release.

Our Production Leadership Team (PLT) could have selected the path of writing conditional tests and using software appropriate to the PHP features found on each server. The PLT chose not to. Security is already complicated, involving a lot of complex code, and adding that flexibility to accommodate servers put in service three years ago and not updated since, is a performance penalty everyone would have to bear for the convenience of a few older and unmaintained hosting company servers. Instead, we are making the more secure password cryptography available for use in the eventual Series 3 LTS release by rolling it out in the 3.3 release, and enabling its use by default for all new Series 3 based websites.

Website security is on everyone's mind and with the recent massive Target Stores credit card data and Adobe subscription password compromises in the news, even CMS site owners are becoming more aware of security. Joomla! has always handled security with the utmost of respect. Even today, nearly a year after Joomla! 1.5 reached End-Of-Life, Joomla! 1.5.26 sites are very secure as long as the latest post-end-of-life patch has been applied. Last week's post about major hosts shutting down sites was based on hosting companies spreading unwarranted FUD (Fear, Uncertainty and Doubt) about vulnerabilities they found in Joomla! 1.5 sites that had NOT been updated to the latest release and patch, plus the risks associated with ANY software that still runs on PHP 5.2!

Any other benefits to this change? With the features included in Joomla! 3.2 and coming in Joomla! 3.3, we are enabling users to set up one of the most secure CMS solutions available.

Should we have set the bar higher at the beginning of the Joomla! 3.x series?

Perhaps, particularly if we had benefit of the knowledge we gained from our recent experiences. The challenge faced back in the Summer of 2012 was predicting the minimum PHP features developers would need access to in the Fall of 2014, as the 3.x Series reaches LTS. That requires one heck of a crystal ball! And for both the Joomla! 1.5 and 2.5 series, the predictions made at the start of those Series worked amazingly well.

One of the challenges that we experienced last November with the rollout of improved security features in Joomla! 3.2 was discovering the astonishing number of major hosts that have servers that are running significantly outdated software. We also discovered virtually none of our many testers in the community had servers old enough to discover that there could be issues caused by the oldest versions of PHP. As much as we would like Joomla! installable on as many hosts and servers as possible, it's like dropping support for IE6. The time has come to quit holding back the security of our software to run on the unmaintained machines of the lowest common denominators in the hosting market.

I'm curious, just how old is old?

Some specifics. The latest PHP release is 5.5.8. PHP 5.2 reached End of Life January, 2011; that's three years ago, yet too many Joomla! 1.5 sites are still on it! When the Joomla! 3 series came out in 2012, we set the Minimum at PHP 5.3.1 released November 2009, which was current software until March 2010. With this change, the minimum we are moving to is PHP 5.3.10, released in February 2012 and which was the current release until April 2012. So this issue affects servers put in service in early 2012 and not updated since then.

How will extensions be affected?

They shouldn’t. By design, the Joomla! 3.x Series is supposed to be backwards compatible from the first release of 3.0 to the Long Term Stable release of 3.5. This is so extension developers do not have a moving target once they have updated their extension to work properly with the Series 3.x API.

This announcement doesn't change backwards compatibility for well-written extensions. All extensions that properly use the Series 3.x API should be completely unaffected. Those few extensions that partially replace Joomla!'s core account creation and login plug-ins with their own security and authentication should be tested by the extension developer before J! 3.3 is released.

Will I get any warning? What do I need to look for?

Yes, the next Series 3.x release, Joomla! 3.2.2 is projected to be released next week and on installation it will test the PHP version of your server. If it is not PHP 5.3.10 or higher, a post-installation message will report that your server is NOT Joomla! 3.3 Ready. If you don't get a message, all is good!

If you want to go check right now, login to the Administrator and click on System => System Information => PHP Information and you will see your server's PHP version.

What will happen if my host is NOT 3.3 Ready?

First, no harm will come to your site. Starting with 3.2.2, a new feature in the core update system will test your PHP version and if your server is not Joomla! 3.3 ready, these updates will not be able to install code that your server cannot support. Also, for the six months after Joomla! 3.3 is released, the Joomla! Project will be releasing Security Updates for both 3.2 AND 3.3 (as well as 2.5) so any new vulnerabilities can be promptly patched with a one-click update without the need to immediately update to Joomla! 3.3, giving you time to request your hosting provider to update their PHP version. It is important to remember, however, that this is just a six-month grace period, and you will eventually need to update beyond Joomla! 3.2 to continue receiving security updates.

You have two options. The easiest is to request your hosting company to simply relocate your site onto one of their more recently deployed servers that is running PHP 5.3.10 or later. If that doesn't work, or you are nervous about their maintenance and service and would rather move on, you have plenty of time to transfer your site to one of the many hosting services that offer more up-to-date server software. You have until October 2014 to get this solved so you can one-click update to the Series 3.x LTS release when it becomes available.

Questions or Comments? Join the discussion at: http://forum.joomla.org/viewtopic.php?f=704&t=833872

My thanks to Duke Speer, the Marketing Working Group, and the Joomla! Leadership Team for helping prepare this post.