Security Changes in YourSites Version 1.1.0

YourSites version 1.1.0 includes a few security enhancements - these are summarised below.

Elmination of Timed PHP Hash Comparisons

YourSites version 1.1.0 improves the way we validate calls from the YourSites server to the client sites so as to avoid a theoretical timing attack (see This risk was, however, negligible in version 1.0.0 since each hash was only used once (see below for more detail) and due to the high variability of timing of web requests.

Use of More Sophisticated Hashes and Tokens

Each time a request for action from YourSites comes into the client site it generates a new randomly generated tokens on the client site and asks the YourSites server to encrypt this token with the private key stores on the YourSites server - before the client site performs any of the requested actions. These tokens are used once and discarded the first time an attempt is made to use them (whether the encryption is valid or not) - therefore there is no mechanism for an attacker to make multiple attempts to break the same hash encryption.

Theoretically, if you were to suffer a "Man in the Middle" (MITM) attack, where a prospective hacker intercepts a request over an insecure (non-https://) connection between your YourSites server to the client site they could make repeated attempts to execute an action in an attempt to try to find the private key (based on the encrypted value intercepted from the server). In version 1.0.0 the encrypted hash used basic hashing algorithm - relying on the length of the string being hashed for security, equivalent to a password 60+ characters long.

Even though this risk was very small in version 1.0.0, in version 1.1.0 we have tightened up the hashing algorithm to use a bcrypt based randomly salted encryption with an added calculation cost penalty.

Of course you should ALWAYS ensure that your YourSites server and client sites are all running/connecting on https:// URLs to protect against the risk of evesdropping or MITM attacks. See for more details on https and the protection it offers.

Adding Request Signatures

In version 1.1.0 we used a hash of the request data and of files to be installed to ensure that they have not been tampered with. This way any requests over insecure connections can't be intercepted by a MITM attacker and the payload replaced or the request modified.

MITM on client server registration

There is a risk over insecure connections (open WiFi nodes, non-https URLs etc.) that the process of installing the client package could be intercepted between browser and client site and the installation package being replaced with a new package that replaces the server with malicious one. Or the one time message that connects the client to the server could be intercepted and the site specific security token captured.

This risk is equivalent to installing any extension on a Joomla site - so you should always make sure you only install software from providers you trust and always use https:// connections and avoid open WiFi connections where possible.

If you are concerned about this risk of the one time connection from the client to the server to receive the site specific security token then you should add your sites manually to YourSites and then to the use the 'Site Specific Client' download package (which already includes a site specific security token) and install the relevant package on a https:// connection on the appropriate client site.

Finally ALWAYS check the connection between your YourSites server and the client site works as soon as you install the client package.

Putting it All Into Context

There were theoretical security shortcomings in version 1.0.0 of YourSites - mainly where were neither the YourSites server or client site was running on a https:// connection. However these risks were, in essence, the same security risk as installing extensions on a Joomla site on an insecure http:// connection or over open WiFi networks.

We love every single one of our users, without you YourSites simply couldn't happen! So we would love a review at the Joomla! JED so we can let others know about us too, please take a minute to write a review:

If you feel you have something negative to say, we would implore you to speak to us first, as we really really don't want anyone to be unhappy!