We've been working hard over the last couple of weeks to deliver the most feature-rich DPCalendar version to our friends and community. The DPCalendar 4.0 release is a new milestone in the era of Digital Peak, as we now provide an all-in-one event experience. Users can navigate through your events on the intuitive Ajax-based interface or by location. Let them attend the events and, if needed, let them pay through our new payment plugins "Manual payment" or "PayPal payment" (more payment plugins will come soon). Send out notifications to get them back to your site. Or do you need to import unlimited Google calendars? We have it now! Read on for a more detailed list of killer features in this release.
A long-demanded feature request was support for payment processors, so that DPCalendar can be extended into a reservation system for attendees. You can now define in the attending options of DPCalendar a price the attendee has to pay and a payment type with which she/he has to make the payment. On the attending form the visitor can then choose one of these options to make the payment.
It sounds like a simple add-on, but in the background we had to make big changes, as the old workflow needed to be completely revamped. We are proud to deliver such a feature to you. In the future we will implement more payment gateways like 2checkout, authorize.net or more. We will see what the biggest needs of our customers are.
Since the beginning, DPCalendar was designed to support external calendar sources like Facebook pages, CalDAV servers, MS Exchange, Google calendar or more in a seamless way, so that the visitor gets insight into ALL your events on your Joomla site in one place. We had a limit of 10 calendars per external calendar plugin, which was enough for most of our customers but not all. Because of that we implemented a completely new external calendar system in the plugin options, which enables the site admin to add as many external calendars as needed.
For the most popular plugins like Google calendar, Facebook pages or CalDAV servers (iCloud, ownCloud, etc.) we made some importers for a hassle free quick setup.
We packed version 4 with tons of nice little new features. We now have an Xmap plugin to add your events easily to your sitemap. A new finder plugin integrates the DPCalendar events into smart search, and events from Google can be edited directly in DPCalendar. The changes will be written back to Google immediately. To prevent spam events you can force certain user groups to enter a captcha code when editing an event in the front end.
Some legacy features like jQuery UI themes are removed in this version, and we now ship single installer files for every kind of subscription. If you add the download ID we even support the Joomla core updates. That means you don't have to go to the DPCalendar control panel and do the update manually. You will be notified through the Joomla update manager, where the updates can be done.
Since I put my shoes into the IT world I'm an advocate of Open Source, that's the reason why I started to use Joomla. In my first years of Joomla extension development I gave away my extensions for free with the same passion or even more as I would get paid for it. So GCalendar became one of the most popular Joomla extensions. The demand of the community increased and I decided to make a commercial version of GCalendar. DPCalendar was born! DPCalendar grew and became mature with a much more advanced feature set than it was ever possible with GCalendar. At the same time I wanted to give the Joomla community something back, that's the reason why we are offering a FREE version of DPCalendar which is basically the next step in the evolution of GCalendar. If you are a GCalendar user please read the migration guide how to do the transition from GCalendar to DPCalendar.
Sincerely
Allon Moritz (aka laoneo) founder of Digital Peak
By now security and Web experts all over the world have gone berserk over a new – and exceedingly terrifying – vulnerability in the latest versions of OpenSSL called Heartbleed. Since the Joomla! CMS is in use by some of the world’s largest companies for their websites, and since OpenSSL is in use by many, many LAMP architectures (not only by Linux, but also by Apache), and since LAMP is the platform Joomla mostly runs on, we thought we’d give you a quick rundown on what the Heartbleed vulnerability means, whether you are affected by it, and what you can do to fix it.
First, though, the good news. If you are in total control over your Joomla website (especially the LAMP part), then you can easily fix Heartbleed on your website (and we’ll tell you how later on). If you are using WIMP or some other SSL implementation library (such as Microsoft’s SChannel or GnuTLS), then rejoice, for the Heartbleed vulnerability does not affect your website in the least. If you are using an older version of OpenSSL (i.e. 1.0.0 or lower), there is no corresponding vulnerability. And of course, if your website does not use SSL/TLS, then this is not an issue for it either.
Now, the bad news. OpenSSL is one of the most popular Free and Open Source (FOSS) SSL/TLS implementation libraries in the world, and Heartbleed affects all OpenSSL 1.0.1 releases before 1.0.1g (the patched version, released on 7th April 2014). Since 1.0.1 came out in 2012, this means that this vulnerability has been around for about 2 years. So, even if your Joomla-powered website is not affected, you probably are. A worst-case scenario shows that about 66% (or 2/3) of the Web could be affected; a more realistic estimate is about 17%-18%, which is still significant (especially if it’s the right – or in this case wrong – 17%-18%).
So what is the Heartbleed (CVE-2014-0160) bug? In essence, it is an implementation bug (not inherent in the actual protocol) involving TLS (more specifically, the TLS heartbeat extension as specified in RFC 6520). Some developer of OpenSSL back in 2012 missed a bounds check, which lets an attacker read up to 64 KB of process memory on either the implementing server or a connected client (albeit one connected to an ‘evil’ server).
The problem is that 64 KB of RAM is only the limit for a single Heartbleed attack. Attackers can repeat the attack any number of times, and so read as much of the RAM allocated to the process as they want. And on a webserver, that includes the most critical component of SSL: the server’s secret/private key used to generate the SSL certificates. That key has to be in RAM, because that’s what is used to decrypt the SSL/TLS-encrypted data. While the attack can also uncover other bits of data (e.g. usernames, passwords, financial information), that’s not as critical as the fact that an attacker holding the key can effortlessly conduct man-in-the-middle attacks and even impersonate the webserver. Imagine the ramifications for major banks and cloud storage providers, for instance.
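The missed bounds check described above can be modelled in a few lines. This is an added example, not OpenSSL's code and not part of the original post: it treats a byte string as process memory, uses the RFC 6520 record layout (type, 2-byte payload length, payload, at least 16 bytes of padding), and all function names and the sample data are constructed for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

def build_record(payload: bytes, claimed_len: int) -> bytes:
    """type (1 byte) | payload_length (2 bytes) | payload | padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING

def respond_unchecked(memory: bytes, rec_len: int):
    """Model of the missed check: payload_length is trusted, rec_len is ignored."""
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    # Copies `claimed` bytes even when the received record is shorter.
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[3:3 + claimed]

def respond_checked(memory: bytes, rec_len: int):
    """Same handler with the bounds check: a claim that does not fit is dropped."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return None
    _type, claimed = struct.unpack_from("!BH", memory, 0)
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return None  # RFC 6520: discard the message silently
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[3:3 + claimed]

# Constructed sample data standing in for whatever sits after the record in RAM.
ADJACENT = b"session=CONSTRUCTED-SAMPLE-VALUE"

def demo():
    results = {}
    for name, claimed in (("consistent", 4), ("inconsistent", 40)):
        record = build_record(b"ping", claimed)
        memory = record + ADJACENT  # the record, followed by unrelated data
        results[name] = (respond_unchecked(memory, len(record)),
                         respond_checked(memory, len(record)))
    return results

if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(name, "| unchecked:", before, "| checked:", after)
```

With a consistent length both handlers echo the same four bytes; with an inconsistent one, only the unchecked handler returns bytes that were never part of the request.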
So, if your website is affected, what can you do about it? For your Joomla-powered website, check and make sure that all of the OpenSSL libraries you’re using (OS and Web server, but possibly also your Joomla extensions) have been updated to the latest version (1.0.1g) or have been patched (many Linux distributions are patching 1.0.1f, and others are backporting the patch all the way back to 1.0.1). After patching or installing the latest version, restart your server (probably best to do a cold boot if you can). If your website is a hosted one, your options are more limited; you will have to bug your webhost to upgrade their systems – but most responsible webhosts should be doing so within the week anyway.
You then need to revoke your existing certificates and create new private keys and fresh certificates (see if your certificate vendor will give you a discount or even make it free). Use a checker like https://lastpass.com/heartbleed/ or https://www.ssllabs.com/ssltest/index.html to verify that your server’s security is no longer compromised. And most importantly, tell your users that you have already fixed the Heartbleed problem, so they should reset their passwords immediately.
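As an added example (not from the original post), the version check in the steps above can be scripted over the version banners you collect from the OS, the web server and any bundled libraries. The status labels and sample banners are constructed for illustration; because distributions backport the fix without changing the version letter, a 1.0.1 to 1.0.1f banner is reported as "verify-patch" rather than as vulnerable.

```python
import re

# Matches both `openssl version` output ("OpenSSL 1.0.1e ...") and the
# token in an Apache Server header ("... OpenSSL/1.0.1e").
_OPENSSL = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)")

def classify(banner: str) -> str:
    """Map one version banner to a status, using the ranges the article gives."""
    m = _OPENSSL.search(banner)
    if not m:
        return "not-openssl"            # e.g. GnuTLS or SChannel
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                 # "" for plain 1.0.1
    if release < (1, 0, 1):
        return "not-affected"           # 1.0.0 and older
    if release > (1, 0, 1):
        return "outside-article-range"  # branches the article does not cover
    if letter >= "g":
        return "fixed-upstream"         # 1.0.1g and later
    return "verify-patch"               # 1.0.1 .. 1.0.1f: patched only if backported

def needs_action(banners):
    """Return the banners whose package patch level must be confirmed."""
    return [b for b in banners if classify(b) == "verify-patch"]

# Constructed sample banners, one per component being checked.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1",
    "GnuTLS 3.2.11",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{classify(banner):22} {banner}")
```

For every "verify-patch" result, confirm the fix in the distribution's package changelog before moving on to revoking and reissuing certificates.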
This is quite possibly the worst-case scenario for Internet security since the inception of Internet security. It definitely blows the Snowden disclosures out of the water in terms of its impact – it’s a truly global issue and affects everybody.
With the impending release of Joomla 3.3, the Joomla Core development team has taken the decision of increasing its minimum PHP requirements to version 5.3.10 due to security reasons – as the team explains, it was due to “a significant change made in the PHP 5.3.x series leading up to PHP version 5.3.10 that substantially enhances the level of cryptography that can be used for securing passwords.” Given the number of revelations concerning the “Big Brother”-like global electronic surveillance systems run by various national intelligence services, this is definitely a step in the right direction. But much remains to be done, and now is the time to get ready for the (post-Snowden) brave new World Wide Web.
The past 2 years have been horrid, in terms of security news. Various user information databases have been hacked and cracked, some of which belong to giant names including LinkedIn, Yahoo! and the latest one, Adobe. Dropbox, one of the most popular cloud storage services, has been cracked numerous times. And of course, the granddaddy of all security news, the Big Bad NSA. While it is unlikely that most of us really have sensitive data in need of being secured from the government (nobody here’s using Joomla to serve up a bomb-making forum, right?), there are still valid reasons to ensure our websites are secure (EU regulations being just a part of it). So here are some things to consider when upgrading to Joomla 3.3 – not very difficult to do, but it may require you to spend some money on security.
More and more, websites are beginning to use encrypted connections not only during user authentication, but for every individual user session. With open wireless hotspots becoming very popular, not only the major email players such as Google, Yahoo!, and Hotmail are doing this, but most social media and cloud storage providers have started as well. Firefox has an extension called HTTPS Everywhere, which attempts to enforce the use of encrypted connections wherever sites support them. If your Joomla website stores user details (including passwords and financial information), then you need to consider enabling HTTP Strict Transport Security, which means getting an SSL certificate (or even an Extended Validation certificate). We at Digital Peak take security very seriously and have enabled HTTPS for every logged-in user or purchase.
Stronger cryptography or not, storing passwords directly is a recipe for disaster. Your Joomla website, if it requires user authentication, needs to be storing and comparing password hashes, optionally (and preferably) individually and randomly salted. You can also help your users choose strong passwords by enforcing certain password requirements (minimum length, require alphanumeric + special characters, password expiry etc.) which can be automated by the use of Joomla password extensions.
Many financial institutions and other companies who provide high-value services have dispensed with the simple username/password combination, requiring in addition a one-time code/token as well. This token is usually generated on-the-fly by a hardware device (or software equivalent installed on a mobile device); alternatively, it may be sent via SMS. In either case, it requires both something you know (password) and something you have (your mobile phone or hardware device) to log in; hence the name 2-factor. Joomla 3.3 natively supports the use of the software-only Google Authenticator as well as Yubico’s YubiKey (this feature was added in version 3.2), and several extensions add the ability to earlier versions of Joomla. You may also consider using services such as Duo Security to do the same thing.
We have enabled two-factor authentication on our site as well, which means you can enable your preferred method in your account settings. On our login page you can see the secret key to input. No need to wait to make your account even more secure at joomla.digital-peak.com!
With the lockdown of Joomla 3.3’s feature set, and with its Release Candidate set to come out within days, this is a good time to understand the ins and outs of this new version of Joomla, and what it may mean for you, whether as a user or as an extension developer, moving forward from here. Joomla 3.3 is not the massive upgrade that Joomla 3 was. It does not feature any significantly different ways of doing things, nor does it introduce any new libraries or paradigms that would force you to rethink the way you’re working now; Joomla’s core developers are focussing on working on their feature requests backlog and on code optimisation. Nevertheless, there are a few aspects that might be worth your while investigating:
One of the bigger issues you may have to work with is the migration from the MooTools JavaScript framework to jQuery (which was done back in version 3, to support Bootstrap). As we’ve mentioned in an earlier post, and amply supported by the Joomla support forums, the migration process is not without its challenges. Joomla’s core developers are likely to take a couple of iterations before everything that used to be done using MooTools is now done in jQuery. Nevertheless, at some point, Joomla will likely drop support for MooTools altogether, and so it might be a very good idea to figure out how to deploy using jQuery yourself.
With the increased prevalence and reliance of not only home users but also large corporations on services that offer mass storage online (or in the cloud, as it is commonly called), support by Joomla for the more well-known cloud storage providers would be a highly welcome feature. But this means that there would also exist much opportunity for extension developers to craft value-added features; for example, through the use of GnuPG or other Public Key Infrastructure (PKI) systems to provide at-rest encrypted storage for services lacking this facility, or the transparent integration of multiple cloud vendors into a single virtual storage space. You can even create an extension that extends such cloud storage support by Joomla to lesser-known providers.
With the widespread support of major global search engines (including Google, Bing, Yahoo!, Yandex) for microdata formats to enrich and enhance search engine results, the Web is coming back to the roots of the Internet, which was primarily a tool for academia. Microdata formats and structured data (such as that defined by Schema.org) make it easier for machines to understand your Joomla website’s content. Given how database-centric most CMSes (including Joomla) are, and how critical search engines are in exposing websites to the world, it’s a good idea to acquaint yourself with the basic concepts behind structured data, and how to best use Joomla’s upcoming support of microdata to make your website shine (at least to the search engines).
As you can see, much of what Joomla 3.3 has to offer is iterative and incremental, rather than profoundly game-changing (and, in fact, is heavily based on what came out of Google’s Summer of Code 2013). Given that a Joomla 3.2 update is going to be released on the same day as the final version of 3.3, this is a great time to brush up on what will become Joomla’s future.
2014 promises to be an eventful year for the Joomla! CMS (pun intended). Of particular interest to us is the release of Joomla 3.3 (which we will cover in our next post), because of its various changes. However, what we’re focusing on in this post is not so much Joomla itself, but the people who are behind it, who code and develop for it, and the people who deploy (i.e. use) Joomla for the website(s) they build.
One of the strengths of Joomla as a CMS is that it has an active and vigorous community of both developers and users. All throughout the year, various meet-ups and conventions focused on Joomla get organised – not only for hardcore evangelists, but for ordinary Joomla folks as well. Yes, there are lots of Joomla! events going on all over the world! Here is a selection of those events:
Saturday 22nd and Sunday 23rd March 2014
Dutch Joomla! Days – Zeist, the Netherlands (The “Bootstrap on Joomla” giant, Joostrap, is taking part in this one)
Friday May 30th – Sunday June 1st 2014
J and Beyond – Konigstein, Germany (this is a HUGE event, try not to miss it!)
But if you’re in Asia instead, you can attend the Joomla User Group meeting:
Wednesday March 5th 2014
Joomla User Group Pune meeting – Maharashtra, India
Even Africa has a Joomla! Day; in Algeria, of all places. Best if you spoke French if you wanted to attend:
Thursday May 15th and Friday 16th May 2014
Joomla! Day Algeria – Sidi Abdellah, Algeria
And as for Americans, there are easily half a dozen meetings that have been set up to date. Sadly, Oceania and South America are under-represented for the time being – but the year is young, so who knows?
For more information on these and other events, visit the following sites:
https://www.facebook.com/joomla
In addition, consider attending conferences and events of the other open source CMSes around – WordPress has an official WordCamp in San Francisco every year, for instance – and Joomla people have been known to cross-pollinate at such conferences.