Support

Admin Tools

#23621 still secure with AdminTools, even though no https / SSL used?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post on Thursday, 03 December 2015 17:20 CST

deeno
Dear team, I was wondering if you could give me a short answer about the following:

Is the website still secure against common https / SSL vulnerabilities with AdminTools, even though no https / SSL is used? I am no expert in the field of security and rely fully on AdminTools. The website in question does not have any payment details of the users stored, but the question has lately been raised by a customer of this website.

If there are vulnerabilities, what would they be and how could they be resolved?

All best,
D.

dlb
They actually do two different things.

Admin Tools protects your site from various types of attacks.

The https protocol protects the communications between the user and your site by encrypting the data while it is being transmitted over the internet.


Dale L. Brackin
Support Specialist
English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5) (Philadelphia, PA)

deeno
Thanks for the quick reply.
I understand that, but still have two questions:

1. If somebody manages somehow to get hold of the login data of only one registered user (only frontend) on a non-https site, is there a possibility to get hold of the data of other users as well with only the captured login data of the above-mentioned user? I would say no, but again you are the experts!

2. Again, same scenario as above, but this time trying to change / alter the recipient data of a shipment / package? Would AdminTools be able to detect such a change, or not at all because it happens before anything gets transmitted to Joomla from the browser? If so, are there any ways to prevent such changes without using https / SSL?

dlb
1. No. The passwords are not actually stored in the site. A hash of the password is stored there. No matter what access you have, you can't see someone's password. Even you can not see the passwords. When a user types in a password, that input is hashed and the two hashes are compared. So the site does not check the password, it checks the hash of the password.

   If you had database access, you could change a user's password, make changes to the account, then change the password back. But you don't get database level access from a front end user account.

2. Probably not. It would be up to the application software to prevent one user from changing another user's order or shipping information. Neither Admin Tools nor https would have any effect within the application software.

The https protocol would protect the data "in the wire" between the user and the server. If someone intercepted the data being transmitted - a "Man in the Middle" attack - then they could potentially change the data and send the changed data on to the site. https would encrypt the data in transmission, making it impossible to read and change it.


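The hash-comparison login flow described in point 1 above, as an added illustration that is not part of the ticket and not Joomla's or Admin Tools' own code (Joomla uses PHP's password hashing; this stand-alone example uses PBKDF2 from Python's standard library and a constructed in-memory user table):

```python
import hashlib
import hmac
import os

# Constructed in-memory "users" table: username -> (salt, hash).
# No plaintext password is ever written here.
ITERATIONS = 200_000
USERS: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only the salt and the hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


def login(username: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare the two
    hashes in constant time. The site never compares the original password."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _derive(password, os.urandom(16))
        return False
    salt, stored_hash = record
    return hmac.compare_digest(stored_hash, _derive(password, salt))


def stored_record_reveals_password(username: str, password: str) -> bool:
    """True only if the stored bytes contain the plaintext password (they must not)."""
    salt, stored_hash = USERS[username]
    return password.encode("utf-8") in salt + stored_hash


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))  # False
    # Even with full read access to the stored record, the password is not in it.
    print(stored_record_reveals_password("alice", "correct horse battery staple"))  # False
```

Because each user gets a fresh random salt, two accounts with the same password still end up with different stored hashes, so reading one record tells you nothing about another.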

deeno
Great, thanks for clarifying!

dlb
You are welcome!



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
