Sensitive data encryption in Jomres

I am aiming to make the next version of Jomres compatible with the GDPR. To that end I will be adding several new features on which I would appreciate feedback from the community.

This is really important and if you are a user of Jomres, I strongly encourage you to get involved with testing this new functionality.

Today I have merged new code into the Nightly branch which contains a significant feature update that will be available in the next version of Jomres. As a result I need to ask the community to help us with testing this new functionality. The branch merged today brings encryption of user data in the database, and this is available to both free users and users with licenses.

Why do we want to encrypt user data?

Data stored in the database is "data at rest". The GDPR does not strictly require that data at rest be encrypted (Article 32 lists encryption only as an example of an appropriate technical measure), but I am of the opinion that this is the right time to introduce this hardening of the system.

By now you're probably aware that Google is placing a very high premium on websites that serve their pages over HTTPS. The purpose of HTTPS is to ensure that your communications with a site cannot be observed by third parties while that data is in transit ("data in motion"). This is all well and good, but it protects the data only on the way to the server. Once it arrives, it is stored in the website's database in plain text: there is a column for the guest's name, and that name can be read by anybody who has access to the database. The same goes for other Personally Identifiable Information (PII) such as email addresses, postal addresses and telephone numbers.

Normally this isn't problematic because in the usual course of operations only authorised people can see a guest's details. What happens, however, if the database should somehow be compromised by an attacker? The database can be exposed without the web server itself being broken into: through an SQL injection flaw in any extension on the site, a stolen backup, a database administration tool left reachable from the internet, or another tenant on a shared host. You're probably thinking that your business is too small, nobody's going to be interested in your guests' (or your) details, and you'd be wrong: most of these attacks are automated and do not care who the target is.

Beyond that, breaches of data security are inevitable. Every security professional is taught from day one that, with the complexity of modern networks, the scope of the threat landscape, and the breadth of user behaviour and understanding, guarantees of security cannot be given.

Your data will be misappropriated at some point.

GDPR – Is Data Encryption Really Necessary?

I have always worked hard to ensure that Jomres and its plugins are as secure as I can possibly make them. The new functionality introduced today further secures your guests' data. It creates new columns in the Jomres tables that store sensitive guest and manager details such as names, addresses, telephone numbers and email addresses. The installer converts the existing guest and manager details so that they are encrypted and stored in these new columns, and any data stored from then on is encrypted as well. This should ensure that if the database is compromised, PII does not fall into the hands of the wrong people, provided the attacker obtains only the database (or a backup of it) and not the encryption key as well.

How can you help?

Jomres users who are interested in working with new features before they have been released can easily install the Nightly branch onto their Staging/Development servers (you should never install Nightly onto a Production server). To see how to do that, please visit the "Installing/Updating to the Nightly branch" page in the manual. The process is simple and is the same as updating Jomres normally.

Once you have updated your Jomres installation, the administrator area > Jomres control panel should show that the version is 9.11.0. You should now update the plugins too, as to date 21 plugins have also been modified to work with the encrypted columns.

What should you expect to see different to before?

If all goes well, absolutely nothing should be visually different. You should still be able to view guest lists, edit their details, see their details in invoices etc. The changes, whilst extensive, are all in the underlying code. If you look at your xxxxx_jomres_guests or xxxxx_jomres_guest_profiles tables directly you should now see that the easily readable guest details are gone, and that new "blob" columns holding the encrypted values have been added in their place.

In the root of your Jomres installation (e.g. /public_html/jomres/) you should see a new file called encryption_key.class.php. You should never, ever delete this file, as it contains the key that the encryption library requires to decrypt the guest and manager PII. If you lose this key, you will not be able to view your guests' details again. Back this file up separately from your database backups (a backup of the database alone is useless without it), and restrict its file permissions to the web server user. Be clear about what the encryption does and does not protect against: because the key lives on the web server, anyone who can read files there (via FTP credentials, a file-inclusion bug or a compromised hosting account) can read the key as well as the database. The new columns protect you against a stolen database dump or backup, not against a full server compromise. Since the file sits inside the web root, also make sure your server never serves .php files as plain text.
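The following is an added example written for this article; it is not Jomres code and does not show which library or file format Jomres itself uses. It demonstrates the mechanism described above: PII columns encrypted with a key held by the application (libsodium's authenticated secretbox here, an assumption), plus the kind of one-off migration an installer performs to move plaintext columns into encrypted BLOB columns. The class name, the key file location (kept outside the web root in this example, unlike the encryption_key.class.php described above), and the guests table layout are all assumptions made for the example.

```php
<?php
// Added example, not Jomres code: field-level encryption of PII columns with
// libsodium secretbox (XSalsa20-Poly1305, authenticated), and the kind of one-off
// migration an installer runs to move plaintext columns into encrypted BLOB columns.
// Needs PHP 7.4+ with the sodium and pdo_sqlite extensions. The class name, key
// file location and table layout are assumptions made for this example.
declare(strict_types=1);

final class PiiCrypto
{
    private string $key;

    // Load (or, on first run, generate) the 32-byte key. This example keeps the
    // file OUTSIDE the web root so a misconfigured server can never serve it.
    public static function fromKeyFile(string $path): self
    {
        if (!is_file($path)) {
            file_put_contents($path, base64_encode(sodium_crypto_secretbox_keygen()), LOCK_EX);
            chmod($path, 0600);   // owner-only: the key is as sensitive as the data
        }
        $key = base64_decode(trim((string) file_get_contents($path)), true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException("Key file $path is missing or corrupt; PII cannot be recovered without it");
        }
        return new self($key);
    }

    private function __construct(string $key) { $this->key = $key; }

    // nonce || ciphertext as a binary string for a BLOB column. A fresh random nonce
    // per call means two guests with the same name get different blobs.
    public function encrypt(string $plaintext): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $this->key);
    }

    // Returns null (never garbage) when the blob is truncated, altered in the
    // database, or was encrypted under a different key: the Poly1305 tag fails.
    public function decrypt(string $blob): ?string
    {
        if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? null : $plain;
    }
}

// Installer-style migration: encrypt each listed plaintext column into its *_enc
// counterpart and blank the plaintext, inside one transaction so a crash part-way
// through leaves no half-converted table.
function migrateGuestPii(PDO $db, PiiCrypto $crypto, array $columns): int
{
    $db->beginTransaction();
    $rows = $db->query('SELECT guests_uid, ' . implode(', ', $columns) . ' FROM guests')->fetchAll(PDO::FETCH_ASSOC);
    $sets = implode(', ', array_map(fn (string $c) => "{$c}_enc = :{$c}_enc, {$c} = ''", $columns));
    $stmt = $db->prepare("UPDATE guests SET $sets WHERE guests_uid = :uid");
    foreach ($rows as $row) {
        $stmt->bindValue(':uid', $row['guests_uid'], PDO::PARAM_INT);
        foreach ($columns as $c) {
            $stmt->bindValue(":{$c}_enc", $crypto->encrypt((string) $row[$c]), PDO::PARAM_LOB);
        }
        $stmt->execute();
    }
    $db->commit();
    return count($rows);
}

// --- demo on an in-memory SQLite table with two constructed guest rows ---
$keyFile = sys_get_temp_dir() . '/pii_demo.key';   // stand-in for a path outside the web root
$crypto  = PiiCrypto::fromKeyFile($keyFile);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guests (guests_uid INTEGER PRIMARY KEY, firstname TEXT, email TEXT, firstname_enc BLOB, email_enc BLOB)');
$db->exec("INSERT INTO guests (firstname, email) VALUES ('Alice', 'alice@example.com'), ('Bob', 'bob@example.com')");
printf("migrated %d rows\n", migrateGuestPii($db, $crypto, ['firstname', 'email']));

// What a stolen dump now shows: blank plaintext columns and opaque blobs.
foreach ($db->query('SELECT guests_uid, firstname, email, email_enc FROM guests') as $r) {
    printf("row %d: firstname='%s' email='%s' email_enc=%s...\n", $r['guests_uid'], $r['firstname'], $r['email'], substr(bin2hex($r['email_enc']), 0, 24));
}

// The application, which holds the key, still reads the real value...
$blob = $db->query('SELECT email_enc FROM guests WHERE guests_uid = 1')->fetchColumn();
var_dump($crypto->decrypt($blob));

// ...while a blob altered in the database (one bit flipped in the tag) is
// rejected: decrypt() returns null instead of a corrupted address.
$tampered = $blob;
$tampered[strlen($blob) - 1] = chr(ord($blob[strlen($blob) - 1]) ^ 0x01);
var_dump($crypto->decrypt($tampered));
unlink($keyFile);
```

Run it with `php` on the command line; it needs no web server or MySQL. Two design points carry over to any implementation of this kind: the key file must be backed up separately from the database, since the blobs are unrecoverable without it, and because every blob uses a fresh nonce, identical plaintexts no longer produce identical stored values, so queries such as `WHERE email = ?` against an encrypted column stop working and lookups have to go through the application (or a separate keyed hash of the value) instead.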

Once you have updated to the Nightly, then proceed to use Jomres as you would normally. If you come across any anomalies, or if you should find that you are unable to update at all, please do not hesitate to contact us on the ticket system at https://tickets.jomres.net where we will work with you to identify the problem.


ABOUT US


Developed and maintained by Vince Wooll and Aladar Barthi, Jomres was initially conceived in early 2005 as a Mambo based solution to a client’s hotel management needs. While it wasn't originally expected to be an online booking system it quickly morphed into one as users requested more and more features.

As the number of feature requests grew Vince knew that he would need to dedicate more time to the project and in July 2005 Jomres was formally released as a commercial project. Since then, Jomres has become one of Mambo’s, and now Joomla’s, longest running projects. It has survived various versions of Mambo, then Joomla 1.0, 1.5, 1.6, 1.7, 2.5 and 3.

Aladar joined the project in 2010 after using Jomres for his own projects. He was active on the forum, helping other members of the community, and eventually Vince invited him to join the team. He has since become an integral part of the project and has contributed significantly to its development over the years.

Whilst not formally part of the Jomres project, Rodrigo Rocco and the team have become firm friends. Rod is a freelancer who specialises in doing custom work for Jomres users and developing custom plugins for the system that take advantage of its modular design. He has built many useful extensions, including his fabulous new Valentina Template Package.

Jomres and the Jomres Logo is trademarked and can't be used without written consent from the owner.

www.jomres.net is not affiliated with or endorsed by the Joomla! Project, Open Source Matters or the WordPress project. The Joomla! & WordPress names and logos are used under a limited license granted by Open Source Matters and the WordPress Projects.

© Copyright 2005 - 2018 Woollyinwales IT.