Rabin shafuka , kuma adadin su yana karuwa akai-akai. Yarjejeniyar tana rage haɗarin kutsewar zirga-zirga, amma ba ta kawar da yunƙurin kai hari kamar haka. Za mu yi magana game da wasu daga cikinsu - POODLE, BEAST, DOWN da sauransu - da hanyoyin kariya a cikin kayanmu.
/flickr/ / CC BY-SA
POODLE
A karon farko game da harin ya zama sananne a cikin 2014. An gano rauni a cikin ka'idar SSL 3.0 ta kwararre kan tsaro Bodo Möller da abokan aikin Google.
Mahimmancinsa shine kamar haka: dan gwanin kwamfuta yana tilasta abokin ciniki don haɗi ta SSL 3.0, yana kwaikwayon cire haɗin gwiwa. Sannan yana bincike a cikin rufaffen Saƙonnin tag na musamman na yanayin zirga-zirga. Yin amfani da jeri na jabun buƙatun, maharin zai iya sake gina abubuwan da ke cikin bayanan sha'awa, kamar kukis.
SSL 3.0 tsohuwar yarjejeniya ce. Amma tambayar lafiyarsa har yanzu tana da muhimmanci. Abokan ciniki suna amfani da shi don guje wa matsalolin daidaitawa tare da sabobin. A cewar wasu bayanai, kusan 7% na 100 dubu mafi mashahuri shafukan . Hakanan gyare-gyare zuwa POODLE wanda ke nufin mafi zamani TLS 1.0 da TLS 1.1. Wannan shekara sabbin hare-haren Zombie POODLE da GOLDENDOODLE waɗanda ke ƙetare kariyar TLS 1.2 (har yanzu suna da alaƙa da ɓoyewar CBC).
Yadda zaka kare kanka. A cikin yanayin POODLE na asali, kuna buƙatar musaki tallafin SSL 3.0. Koyaya, a cikin wannan yanayin akwai haɗarin matsalolin daidaitawa. Wata madadin mafita na iya zama tsarin TLS_FALLBACK_SCSV - yana tabbatar da cewa musayar bayanai ta SSL 3.0 za a yi kawai tare da tsofaffin tsarin. Maharan ba za su ƙara iya fara rage darajar yarjejeniya ba. Hanya don kariya daga Zombie POODLE da GOLDENDOODLE shine a kashe tallafin CBC a cikin aikace-aikacen tushen TLS 1.2. Maganin mahimmanci zai zama canzawa zuwa TLS 1.3 - sabon sigar ka'idar ba ta amfani da ɓoyewar CBC. Madadin haka, ana amfani da ƙarin AES mai dorewa da ChaCha20.
KYAUTA
Ɗayan farkon harin SSL da TLS 1.0, wanda aka gano a cikin 2011. Kamar POODLE, BEAST fasali na ɓoyewar CBC. Mahara suna shigar da wakili na JavaScript ko applet Java akan injin abokin ciniki, wanda ke maye gurbin saƙon lokacin aika bayanai akan TLS ko SSL. Tun da maharan sun san abubuwan da ke cikin fakitin “dummy”, za su iya amfani da su don ɓata vector ɗin farawa da karanta wasu saƙonni zuwa uwar garken, kamar kukis na tantancewa.
Har zuwa yau, raunin BEAST ya kasance : Sabar wakili da aikace-aikace don kare ƙofofin Intanet na gida.
Yadda zaka kare kanka. Maharin yana buƙatar aika buƙatun yau da kullun don ɓata bayanan. A cikin VMware rage lokacin SSLSessionCacheTimeout daga mintuna biyar (shawarar tsoho) zuwa daƙiƙa 30. Wannan hanya za ta sa maharan su iya aiwatar da shirye-shiryensu da wahala, kodayake zai yi wani mummunan tasiri akan aikin. Bugu da kari, kuna buƙatar fahimtar cewa raunin BEAST na iya zama abin da ya gabata da kansa - tun daga 2020, manyan masu bincike. goyon bayan TLS 1.0 da 1.1. A kowane hali, ƙasa da 1,5% na duk masu amfani da burauzar suna aiki tare da waɗannan ka'idoji.
SHAWA
Wannan harin giciye ne wanda ke yin amfani da kwari a aiwatar da SSLv2 tare da maɓallan RSA 40-bit. Maharin yana sauraron ɗaruruwan hanyoyin haɗin TLS na manufa kuma ya aika fakiti na musamman zuwa sabar SSLv2 ta amfani da maɓallin keɓaɓɓen maɓalli iri ɗaya. Amfani , dan gwanin kwamfuta na iya ɓata ɗayan kusan zaman TLS abokin ciniki dubu.
DROWN ya fara zama sananne a cikin 2016 - sannan ya zama a duniya. A yau bai rasa dacewa ba. Daga cikin shahararrun shafuka dubu 150, 2% har yanzu suna nan SSLv2 da hanyoyin ɓoye ɓoyayye masu rauni.
Yadda zaka kare kanka. Ya zama dole a shigar da facin da masu haɓaka ɗakunan karatu na sirri suka gabatar waɗanda ke kashe tallafin SSLv2. Misali, an gabatar da irin waɗannan faci guda biyu don OpenSSL (a cikin 2016 1.0.1s da 1.0.2g). Hakanan, an buga sabuntawa da umarni don kashe ƙa'idar mai rauni a ciki , , .
"Wani hanya na iya zama mai rauni ga DROWN idan uwar garken ɓangare na uku ke amfani da maɓallan sa tare da SSLv2, kamar sabar saƙo," in ji shugaban sashen haɓakawa. Sergei Belkin. - Wannan yanayin yana faruwa idan yawancin sabobin suna amfani da takardar shaidar SSL ta gama gari. A wannan yanayin, kuna buƙatar kashe tallafin SSLv2 akan duk injina."
Kuna iya bincika ko ana buƙatar sabunta tsarin ku ta amfani da na musamman - kwararrun tsaro na bayanai ne suka kirkiro shi wanda suka gano DROWN. Kuna iya karanta ƙarin game da shawarwarin da suka shafi kariya daga irin wannan harin a ciki .
Ajiyar zuciya
Ɗaya daga cikin manyan lahani a cikin software shine . An gano shi a cikin 2014 a cikin ɗakin karatu na OpenSSL. A lokacin sanarwar bug, adadin gidajen yanar gizo masu rauni - wannan shine kusan 17% na albarkatu masu kariya akan hanyar sadarwa.
Ana aiwatar da harin ta hanyar ƙaramin tsarin tsawaitawa na Heartbeat TLS. Ka'idar TLS tana buƙatar a ci gaba da watsa bayanai. Idan akwai tsawaita lokacin hutu, hutu yana faruwa kuma dole ne a sake kafa haɗin. Don jimre wa matsalar, sabobin da abokan ciniki ta hanyar “hayaniyar” ta hanyar artificially), watsa fakiti na tsawon bazuwar. Idan ya fi duk fakiti girma, to, nau'ikan OpenSSL masu rauni sun karanta ƙwaƙwalwar ajiya fiye da abin da aka keɓe. Wannan yanki zai iya ƙunsar kowane bayanai, gami da maɓallan ɓoyayyen sirri da bayanai game da wasu haɗin kai.
Rashin lahani ya kasance a cikin duk nau'ikan ɗakin karatu tsakanin 1.0.1 da 1.0.1f wanda ya haɗa da 12.04.4f, haka kuma a cikin adadin tsarin aiki - Ubuntu har zuwa 6.5, CentOS wanda ya girmi 5.3, OpenBSD XNUMX da sauransu. Akwai cikakken lissafi . Ko da yake an fitar da faci game da wannan raunin kusan nan da nan bayan gano shi, matsalar ta ci gaba da kasancewa har zuwa yau. Komawa cikin 2017 , mai saurin kamuwa da Zuciya.
Yadda zaka kare kanka. Dole ne har zuwa sigar 1.0.1g ko sama. Hakanan zaka iya kashe buƙatun bugun zuciya da hannu ta amfani da zaɓin DOPENSL_NO_HEARTBEATS. Bayan sabuntawa, kwararrun tsaro na bayanai sake fitar da takaddun shaida na SSL. Ana buƙatar maye gurbin idan bayanan da ke kan maɓallan ɓoye ya ƙare a hannun masu satar bayanai.
Canjin takardar shaida
An shigar da kumburin da aka sarrafa tare da halaltacciyar takardar shaidar SSL tsakanin mai amfani da uwar garken, yana hana zirga-zirga. Wannan kumburin yana kwaikwayon halaltacciyar uwar garken ta hanyar gabatar da takaddun shaida, kuma yana yiwuwa a kai harin MITM.
A cewar ƙungiyoyin Mozilla, Google da jami'o'i da yawa, kusan kashi 11% na amintattun hanyoyin haɗin yanar gizo ana sauraron su. Wannan shi ne sakamakon shigar da shakku na tushen takaddun shaida akan kwamfutocin masu amfani.
Yadda zaka kare kanka. Yi amfani da sabis na abin dogaro . Kuna iya bincika "ingancin" takaddun shaida ta amfani da sabis ɗin (CT). Masu samar da gajimare kuma za su iya taimakawa tare da gano saƙon saƙo; wasu manyan kamfanoni sun riga sun ba da kayan aiki na musamman don sa ido kan haɗin TLS.
Wata hanyar kariya za ta zama sabuwar ACME, wanda ke sarrafa karɓar takaddun shaida na SSL. A lokaci guda, zai ƙara ƙarin hanyoyin tabbatar da mai shafin. Ƙari game da shi .
/flickr/ / CC BY
Abubuwan da ake buƙata don HTTPS
Duk da rashin lahani da yawa, ƙwararrun IT da ƙwararrun tsaro na bayanai suna da kwarin gwiwa a nan gaba na yarjejeniya. Don aiwatar da HTTPS mai aiki WWW mahaliccin Tim Berners-Lee. A cewarsa, bayan lokaci TLS za ta zama mafi aminci, wanda zai inganta ingantaccen tsaro na haɗin gwiwa. Berners-Lee ma ya ba da shawarar hakan takaddun shaida na abokin ciniki don tantancewa. Za su taimaka inganta kariyar uwar garke daga maharan.
Hakanan ana shirin haɓaka fasahar SSL/TLS ta amfani da na'ura koyo - algorithms masu wayo za su kasance da alhakin tace zirga-zirgar ɓarna. Tare da haɗin HTTPS, masu gudanarwa ba su da hanyar gano abubuwan da ke cikin saƙon da aka ɓoye, gami da gano buƙatun malware. Tuni a yau, cibiyoyin sadarwar jijiyoyi suna da ikon tace fakiti masu haɗari tare da daidaito 90%. ().
binciken
Yawancin hare-hare akan HTTPS ba su da alaƙa da matsaloli tare da yarjejeniya kanta, amma don tallafawa hanyoyin ɓoye bayanan da suka gabata. Masana'antar IT ta fara yin watsi da ka'idoji na ƙarni na baya a hankali tare da ba da sabbin kayan aiki don neman lahani. A nan gaba, waɗannan kayan aikin za su zama masu hankali.
Ƙarin hanyoyin haɗi akan batun:
source: www.habr.com