A farkon shekara, a cikin rahoto kan matsalolin Intanet da samun dama ga 2018-2019 cewa bazawar TLS 1.3 ba makawa. Wani lokaci da ya gabata, mu da kanmu mun tura sigar 1.3 na ka'idar Tsaro Layer Tsaro kuma, bayan tattarawa da nazarin bayanai, a ƙarshe mun shirya don yin magana game da fasalin wannan canji.
IETF TLS Kujerun Ƙungiya Masu Aiki :
"A takaice, TLS 1.3 yakamata ya samar da tushe don ingantaccen Intanet mai aminci da inganci na shekaru 20 masu zuwa."
Ƙaddamarwa ya dauki tsawon shekaru 10. Mu a Qrator Labs, tare da sauran masana'antu, mun bi tsarin ƙirƙirar ƙa'idar tun daga farkon daftarin aiki. A wannan lokacin, ya zama dole a rubuta juzu'i 28 na daftarin don a ƙarshe ganin hasken daidaitaccen tsari da sauƙi don turawa a cikin 2019. Tallafin kasuwa mai aiki don TLS 1.3 ya riga ya bayyana: aiwatar da ingantacciyar ƙa'idar tsaro da aminci ta dace da bukatun lokutan.
A cewar Eric Rescorla (Firefox CTO kuma marubucin TLS 1.3 kaɗai) :
"Wannan shi ne cikakken maye gurbin TLS 1.2, ta amfani da maɓalli iri ɗaya da takaddun shaida, don haka abokin ciniki da uwar garken na iya sadarwa ta atomatik akan TLS 1.3 idan dukansu sun goyi bayansa," in ji shi. "An riga an sami kyakkyawan tallafi a matakin ɗakin karatu, kuma Chrome da Firefox suna ba da damar TLS 1.3 ta tsohuwa."
A layi daya, TLS yana ƙarewa a cikin ƙungiyar aiki na IETF , bayyana tsofaffin nau'ikan TLS (ban da TLS 1.2 kawai) waɗanda ba su da amfani kuma ba za a iya amfani da su ba. Mafi mahimmanci, RFC na ƙarshe za a sake shi kafin ƙarshen bazara. Wannan wata sigina ce ga masana'antar IT: sabunta ka'idojin ɓoye bayanan bai kamata a jinkirta ba.
Jerin aiwatar da TLS 1.3 na yanzu yana samuwa akan Github ga duk wanda ke neman ɗakin karatu mafi dacewa: . A bayyane yake cewa karɓowa da goyan bayan ƙa'idar da aka sabunta za su kasance - kuma an rigaya - suna ci gaba cikin sauri. Fahimtar yadda ɓoyayyen ɓoye ya zama a cikin duniyar zamani ya yadu sosai.
Menene ya canza tun TLS 1.2?
Daga :
"Ta yaya TLS 1.3 ke sa duniya ta zama wuri mafi kyau?
TLS 1.3 ya haɗa da wasu fa'idodin fasaha-kamar sauƙaƙe tsarin musafaha don kafa amintaccen haɗi-kuma yana ba abokan ciniki damar ci gaba da zama cikin sauri tare da sabobin. Waɗannan matakan an yi niyya ne don rage jinkirin saitin haɗin kai da gazawar haɗin kan mahaɗa masu rauni, waɗanda galibi ana amfani da su azaman hujja don samar da haɗin HTTP marasa rufaffen kawai.
Kamar yadda yake da mahimmanci, yana cire tallafi don gado da yawa da ɓoyayyen ɓoyewa da hashing algorithms waɗanda har yanzu ana ba da izini (ko da yake ba a ba da shawarar ba) don amfani da sigar farko na TLS, gami da SHA-1, MD5, DES, 3DES, da AES-CBC. ƙara goyan baya don sababbin suites. Sauran haɓakawa sun haɗa da ƙarin ɓoyayyen ɓoyayyen abubuwan musafaha (misali, musayar bayanan takardar shaidar yanzu an rufaffen rufaffen) don rage adadin alamu zuwa mai yuwuwar sauraron sauraren zirga-zirga, da kuma haɓaka sirrin sirri lokacin amfani da wasu hanyoyin musayar maɓalli ta yadda sadarwa a kowane lokaci dole ne ya kasance amintacce ko da algorithms da aka yi amfani da su don ɓoye shi sun lalace a nan gaba."
Haɓaka ka'idoji na zamani da DDoS
Kamar yadda ƙila kuka riga kuka karanta, yayin haɓaka ƙa'idar , a cikin ƙungiyar aiki na IETF TLS . Yanzu a bayyane yake cewa kamfanoni guda ɗaya (ciki har da cibiyoyin kuɗi) dole ne su canza hanyar da suke amintar da hanyar sadarwar su don ɗaukar ƙa'idar da aka gina a yanzu. .
Dalilan da ya sa ake buƙatar hakan an bayyana su a cikin takaddar, . Takardar mai shafi 20 ta ambaci misalai da yawa inda wani kamfani zai iya so ya lalata zirga-zirgar ababen hawa (wanda PFS baya yarda) don sa ido, yarda ko aikace-aikace Layer (L7) dalilai na kariya na DDoS.
Duk da yake ba mu shirya yin hasashe kan buƙatun ƙa'ida ba, kayan aikin rage kayan aikin mu na DDoS (gami da mafita). m da / ko bayanin sirri) an ƙirƙira shi a cikin 2012 yana ɗaukar PFS cikin lissafi, don haka abokan cinikinmu da abokan aikinmu ba sa buƙatar yin wani canje-canje ga abubuwan more rayuwa bayan sabunta sigar TLS a gefen uwar garken.
Har ila yau, tun lokacin aiwatarwa, ba a gano matsalolin da suka shafi boye-boye na sufuri ba. Yana da hukuma: TLS 1.3 yana shirye don samarwa.
Koyaya, har yanzu akwai matsala mai alaƙa da haɓaka ƙa'idodin ƙa'idodi na gaba. Matsalar ita ce ci gaban yarjejeniya a cikin IETF yawanci ya dogara ne akan binciken ilimi, kuma yanayin binciken ilimi a fagen rage rarrabar hare-haren kin sabis ba shi da kyau.
Don haka, misali mai kyau zai kasance Daftarin IETF "Gudanar da QUIC," wani ɓangare na tsarin yarjejeniyar QUIC mai zuwa, ya bayyana cewa "hanyoyin zamani don ganowa da rage hare-haren [DDoS] yawanci sun haɗa da ma'auni ta amfani da bayanan kwararar hanyar sadarwa."
Na karshen shine, a zahiri, ba kasafai ba ne a cikin mahalli na kasuwanci na gaske (kuma wani bangare ne kawai na ISPs), kuma a kowace harka ba zai yuwu ya zama “babban shari’ar” a duniyar gaske - amma yana bayyana koyaushe a cikin wallafe-wallafen kimiyya, yawanci ba a tallafawa. ta gwada dukkan nau'ikan hare-haren DDoS, gami da harin matakin aikace-aikace. Na ƙarshe, saboda aƙalla jigilar TLS na duniya, a fili ba za a iya gano shi ta hanyar auna fakitin cibiyar sadarwa da gudana ba.
Hakanan, har yanzu ba mu san yadda masu siyar da kayan aikin rage DDoS za su dace da gaskiyar TLS 1.3 ba. Saboda rikitaccen fasaha na goyan bayan ƙa'idar da ta fita, haɓakawa na iya ɗaukar ɗan lokaci.
Ƙirƙirar maƙasudai masu dacewa don jagorantar bincike babban ƙalubale ne ga masu ba da sabis na ragewa DDoS. Wani yanki da za a iya fara ci gaba shine a IRTF, inda masu bincike za su iya haɗa kai da masana'antu don inganta ilimin kansu na masana'antu masu kalubale da kuma gano sababbin hanyoyin bincike. Har ila yau, muna ba da kyakkyawar maraba ga duk masu bincike, idan akwai wani - za a iya tuntube mu tare da tambayoyi ko shawarwari masu dangantaka da binciken DDoS ko ƙungiyar bincike na SMART a
source: www.habr.com