Sarkar amana. CC BY-SA 4.0
Binciken zirga-zirgar SSL (Decryption SSL/TLS, SSL ko bincike na DPI) yana ƙara zama babban batu na tattaunawa a cikin ɓangaren kamfanoni. Da alama ra'ayin ɓata zirga-zirgar ababen hawa ya saba wa ainihin manufar cryptography. Duk da haka, gaskiyar gaskiya ce: kamfanoni da yawa suna amfani da fasahar DPI, suna bayanin wannan ta hanyar buƙatar bincika abun ciki don malware, leaks bayanai, da dai sauransu.
To, idan muka yarda cewa ana buƙatar aiwatar da irin wannan fasaha, to aƙalla ya kamata mu yi la’akari da hanyoyin yin ta cikin aminci da ingantaccen tsari. Aƙalla kar ka dogara ga waɗannan takaddun shaida, misali, waɗanda tsarin DPI ke ba ka.
Akwai wani bangare na aiwatarwa wanda ba kowa ya sani ba. A gaskiya ma, mutane da yawa suna mamaki sosai sa’ad da suka ji labarin. Wannan hukuma ce mai zaman kanta ta shaida (CA). Yana haifar da takaddun shaida don warwarewa da sake ɓoyayyen zirga-zirga.
Maimakon dogaro da takaddun sa hannu ko takaddun shaida daga na'urorin DPI, zaku iya amfani da keɓaɓɓen CA daga ikon takaddun shaida na ɓangare na uku kamar GlobalSign. Amma da farko, bari mu yi ɗan taƙaitaccen bayani game da matsalar kanta.
Menene binciken SSL kuma me yasa ake amfani dashi?
Yawancin gidajen yanar gizon jama'a suna ƙaura zuwa HTTPS. Misali, a cewar , a farkon Satumba 2019, rabon ɓoyayyiyar zirga-zirga a Rasha ya kai 83%.
Abin takaici, ɓoyayyen hanya yana ƙara amfani da maharan, musamman tunda Mu Encrypt yana rarraba dubban takaddun SSL kyauta ta hanyar sarrafa kansa. Don haka, ana amfani da HTTPS a ko'ina - kuma makullin da ke cikin mashin adireshi mai bincike ya daina aiki a matsayin amintaccen alamar tsaro.
Masu kera mafita na DPI suna haɓaka samfuran su daga waɗannan matsayi. An haɗa su tsakanin masu amfani da ƙarshen (watau ma'aikatan ku da ke bincika gidan yanar gizo) da Intanet, suna tace zirga-zirgar ɓarna. Akwai adadin irin waɗannan samfuran a kasuwa a yau, amma hanyoyin da gaske iri ɗaya ne. Hanyoyin HTTPS suna wucewa ta na'urar dubawa inda aka ɓoye ta kuma an bincika don malware.
Da zarar an gama tabbatarwa, na'urar ta ƙirƙiri sabon zaman SSL tare da abokin ciniki na ƙarshe don yankewa da sake ɓoye abun ciki.
Yadda tsarin ɓoyewa/sake ɓoyayyen ɓoyayyen ke aiki
Domin na'urar binciken SSL ta ɓata kuma ta sake ɓoye fakitin kafin aika su zuwa ƙarshen masu amfani, dole ne ta sami damar ba da takaddun shaida na SSL akan tashi. Wannan yana nufin cewa dole ne a shigar da takardar shaidar CA.
Yana da mahimmanci ga kamfani (ko duk wanda ke cikin-tsakiyar) cewa masu bincike sun amince da waɗannan takaddun shaida ta SSL (watau, kar a jawo saƙonnin gargaɗi masu ban tsoro kamar na ƙasa). Don haka sarkar CA (ko matsayi) dole ne ta kasance a cikin shagon amintaccen mai binciken. Saboda ba a bayar da waɗannan takaddun shaida daga amintattun hukumomin takaddun shaida ba, dole ne ku rarraba matsayi na CA da hannu ga duk abokan ciniki na ƙarshe.
Saƙon faɗakarwa don takardar shedar sa hannu a cikin Chrome. Source:
A kan kwamfutocin Windows, zaku iya amfani da Active Directory da Manufofin Rukuni, amma don na'urorin hannu tsarin ya fi rikitarwa.
Halin yana ƙara rikitarwa idan kuna buƙatar tallafawa wasu takaddun shaida a cikin mahallin kamfani, misali, daga Microsoft, ko bisa OpenSSL. Bugu da kari kariya da sarrafa maɓallan sirri ta yadda kowane maɓallan kada ya ƙare ba zato ba tsammani.
Mafi kyawun zaɓi: masu zaman kansu, takaddun tushen tushen sadaukarwa daga CA na ɓangare na uku
Idan sarrafa tushen tushen da yawa ko takaddun shaidar sa hannun kai ba su da daɗi, akwai wani zaɓi: dogaro da CA ta ɓangare na uku. A wannan yanayin, ana ba da takaddun shaida daga masu zaman kansu CA wanda ke da alaƙa a cikin sarkar amana zuwa sadaukarwa, tushen CA mai zaman kansa wanda aka kirkira musamman don kamfani.
Sauƙaƙen gine-gine don sadaukarwar tushen takaddun abokin ciniki
Wannan saitin yana kawar da wasu matsalolin da aka ambata a baya: aƙalla yana rage yawan tushen da ake buƙatar sarrafawa. Anan zaku iya amfani da ikon tushen sirri guda ɗaya kawai don duk buƙatun PKI na ciki, tare da kowane adadin CAs na matsakaici. Misali, zanen da ke sama yana nuna matsayi da yawa inda ake amfani da ɗayan matsakaicin CAs don tabbatarwa/decryption ɗin SSL kuma ɗayan ana amfani dashi don kwamfutoci na ciki (kwamfutoci, sabar, tebur, da sauransu).
A cikin wannan ƙira, babu buƙatar ɗaukar bakuncin CA akan duk abokan ciniki saboda babban matakin CA yana karɓar bakuncin GlobalSign, wanda ke warware mahimman kariyar sirri da al'amurran karewa.
Wani fa'idar wannan hanyar ita ce ikon soke ikon binciken SSL saboda kowane dalili. Madadin haka, an ƙirƙiri wani sabo kawai, wanda aka ɗaure da tushen sirri na asali, kuma zaku iya amfani da shi nan da nan.
Duk da duk rikice-rikicen, kamfanoni suna ƙara aiwatar da binciken zirga-zirgar SSL a zaman wani ɓangare na kayan aikin su na PKI na ciki ko masu zaman kansu. Sauran abubuwan amfani don PKI masu zaman kansu sun haɗa da bayar da takaddun shaida don na'ura ko amincin mai amfani, SSL don sabobin ciki, da jeri daban-daban waɗanda ba a yarda da su cikin amintattun takaddun shaida na jama'a kamar yadda Dandalin CA/Masu bincike ya buƙata.
Masu bincike suna yaƙi da baya
Ya kamata a lura cewa masu haɓaka burauzar suna ƙoƙarin fuskantar wannan yanayin da kuma kare masu amfani da ƙarshen MiTM. Misali, 'yan kwanaki da suka gabata Mozilla Kunna ka'idar DoH (DNS-over-HTTPS) ta tsohuwa a cikin ɗayan nau'ikan burauza na gaba a Firefox. Ka'idar DoH tana ɓoye tambayoyin DNS daga tsarin DPI, yana sa binciken SSL yana da wahala.
Game da tsare-tsare makamancin haka Satumba 10, 2019 Google don Chrome browser.
Masu amfani da rajista kawai za su iya shiga cikin binciken. don Allah.
Kuna tsammanin kamfani yana da hakkin bincika zirga-zirgar SSL na ma'aikatansa?
-
Ee, tare da yardarsu
-
A'a, neman irin wannan izinin haramun ne kuma/ko rashin da'a
Masu amfani 122 sun kada kuri'a. Masu amfani 15 sun kaurace.
source: www.habr.com