The problem with outdated root certificates. Next up: Let's Encrypt and smart TVs


For a browser to authenticate a website, the site presents itself with a valid certificate chain. A typical chain is shown above, and there can be more than one intermediate certificate. The typical number of certificates in a valid chain is three.

The root certificate is the heart of the certificate authority. It is literally built into your OS or browser; it is physically present on your device. It cannot be changed from the server side. A forced update of the OS or firmware on the device is required.

Security researcher Scott Helme writes that major problems will arise with the Let's Encrypt certificate authority, because today it is the most popular CA on the Internet and its root certificate will soon expire. The Let's Encrypt root change is scheduled for July 8, 2020.

The end-entity and intermediate certificates of the certificate authority (CA) are delivered to the client by the server, while the root certificate is one the client already has, so with this set of certificates a chain can be built and the website authenticated.

The problem is that every certificate has an expiration date, after which it must be replaced. For example, from September 1, 2020, a limit on the validity period of TLS server certificates is planned for the Safari browser: a maximum of 398 days.

This means that we will all have to replace server certificates at least every 12 months. This restriction applies only to server certificates; it does not apply to root CA certificates.

CA certificates are governed by a different set of rules and therefore have different validity limits. It is common to find intermediate certificates with a validity period of 5 years and root certificates with a service life of as much as 25 years!

There is usually no problem with intermediate certificates, because they are delivered to the client by the server, which itself changes its own certificate much more often, so it simply replaces the intermediate in the process. It is easy to replace together with the server certificate, unlike the root CA certificate.

As we have already said, the root CA is built directly into the client device itself: into the OS, the browser or other software. Changing the root CA is beyond the website's control. It requires an update on the client, whether an OS update or a software update.

Some root CAs have been around for a very long time; we are talking about 20-25 years. Soon some of the oldest root CAs will approach the end of their life; their time has almost run out. For most of us this will not be a problem at all, because CAs have created new root certificates and these have been distributed worldwide in OS and browser updates for many years. But if someone has not updated their OS or browser for a very long time, that is a problem of sorts.

This situation occurred on May 30, 2020 at 10:48:38 GMT. That is the exact time at which the AddTrust root certificate from the Comodo (Sectigo) certificate authority expired.

It was used for cross-signing to ensure compatibility with legacy devices that do not have the new USERTrust root certificate in their store.

Unfortunately, problems arose not only in legacy browsers but also in non-browser clients based on OpenSSL 1.0.x, LibreSSL and GnuTLS. For example, in Roku set-top boxes, the Heroku service, Fortinet and Chargify applications, on the .NET Core 2.0 platform for Linux, and in many others.

It was assumed that the problem would affect only legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), since modern browsers can use the second root certificate, USERTrust. But in fact, failures began in hundreds of web services that used the free OpenSSL 1.0.x and GnuTLS libraries. A secure connection could no longer be established, with an error message indicating that the certificate had expired.
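The split between clients described above can be reproduced with a simplified path-building model. This is an added example, not code from the article or from any TLS library: certificates are matched by name only (no signatures), the certificate names and all dates except the AddTrust expiry instant are constructed, and the assumption is that a legacy verifier follows the server-sent certificates before consulting its trust store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

def verify(leaf, sent, store, now, trusted_first):
    """Build a path by subject/issuer name only (simplified model, no signature checks)."""
    chain = [leaf]
    while True:
        issuer = chain[-1].issuer
        anchor = next((c for c in store if c.subject == issuer), None)
        peer = next((c for c in sent if c.subject == issuer and c not in chain), None)
        # trusted_first=True: stop as soon as a local trust anchor issued the current cert.
        # trusted_first=False: keep following what the server sent, use the store last.
        use_anchor = anchor is not None and (trusted_first or peer is None)
        nxt = anchor if use_anchor else peer
        if nxt is None:
            return "unable to get issuer certificate"
        chain.append(nxt)
        if use_anchor:
            break
    expired = [c.subject for c in chain if c.not_after < now]
    return "certificate has expired: " + expired[0] if expired else "ok"

# Constructed sample data; only the AddTrust expiry instant comes from the article.
ADDTRUST_END = utc(2020, 5, 30, 10, 48, 38)
ADDTRUST = Cert("AddTrust root", "AddTrust root", ADDTRUST_END)
USERTRUST = Cert("USERTrust root", "USERTrust root", utc(2038, 1, 1))
# Cross-signed copy of the USERTrust root, assumed to end together with its issuer.
USERTRUST_CROSS = Cert("USERTrust root", "AddTrust root", ADDTRUST_END)
ISSUING_CA = Cert("Issuing CA", "USERTrust root", utc(2030, 1, 1))
LEAF = Cert("www.example.test", "Issuing CA", utc(2021, 1, 1))

SENT = [ISSUING_CA, USERTRUST_CROSS]   # certificates the server sends in the handshake
MODERN_STORE = [USERTRUST, ADDTRUST]   # store that contains both roots
LEGACY_STORE = [ADDTRUST]              # store that never received the USERTrust root

if __name__ == "__main__":
    after = utc(2020, 6, 1)
    print("trusted-first, both roots:", verify(LEAF, SENT, MODERN_STORE, after, True))
    print("peer-first, both roots:   ", verify(LEAF, SENT, MODERN_STORE, after, False))
    print("trusted-first, old store: ", verify(LEAF, SENT, LEGACY_STORE, after, True))
```

On the server side, the model also shows why removing the expired cross-signed certificate from the chain that is sent helps clients that already hold the newer root.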

Next up: Let's Encrypt

Another good example of an upcoming root CA change is the Let's Encrypt certificate authority. Back in April 2019 they planned to switch from the IdenTrust chain to their own ISRG Root chain, but this did not happen.

"Due to concerns about insufficient adoption of the ISRG root on Android devices, we have decided to move the date of the transition to our own root from July 8, 2019 to July 8, 2020," Let's Encrypt said in a statement.

The date had to be postponed because of a problem called "root propagation", or more precisely the lack of root propagation, when the root CA is not widely distributed across all clients.

Let's Encrypt currently uses a cross-signed intermediate certificate chained to IdenTrust DST Root CA X3. This root certificate was issued in September 2000 and expires on September 30, 2021. Before then, Let's Encrypt plans to migrate to its own self-signed ISRG Root X1.


The ISRG root was issued on June 4, 2015. After that, the process of having it approved as a certificate authority began, which ended on August 6, 2018. From that point on, the root CA has been available to all clients through an operating system or software update. All you had to do was install the update.

But that is the problem.

If your mobile phone, TV or other device has not been updated for two years, how will it know about the new ISRG Root X1 root certificate? And if it is not installed on the system, your device will treat all Let's Encrypt server certificates as invalid as soon as Let's Encrypt switches to the new root. And in the Android ecosystem there are many outdated devices that have not been updated for a long time.

[Figure: the Android ecosystem]

That is why Let's Encrypt postponed the move to its own ISRG root and still uses an intermediate that chains down to the IdenTrust root. But the transition will have to happen in any case. And the date of the root change is set for July 8, 2020.

To check that the ISRG X1 root is installed on your device (TV, set-top box or other client), open the test page https://valid-isrgrootx1.letsencrypt.org/. If no security warning appears, then everything is usually fine.
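For clients without a browser, the same question can be asked of the trust store directly. The following is an added example, not part of the original article: it audits a list of CA entries in the dictionary format returned by Python's `SSLContext.get_ca_certs()`, reporting expired roots, roots close to expiry and required roots that are absent. The commonName strings and the sample store are constructed; the two dates follow the article.

```python
import ssl
from datetime import datetime, timezone

def common_name(cert):
    """Subject commonName of an entry shaped like SSLContext.get_ca_certs() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def audit_roots(ca_certs, now, required=("ISRG Root X1",), warn_days=365):
    """Sort trust anchors into expired / expiring soon and list required roots that are absent."""
    report = {"expired": [], "expiring": [], "missing": []}
    present = set()
    for cert in ca_certs:
        name = common_name(cert)
        present.add(name)
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400
        if days_left < 0:
            report["expired"].append(name)
        elif days_left < warn_days:
            report["expiring"].append(name)
    report["missing"] = [name for name in required if name not in present]
    return report

def entry(cn, not_after):
    """Build a constructed store entry in the get_ca_certs() dictionary format."""
    return {"subject": ((("commonName", cn),),), "notAfter": not_after}

# Constructed store of a device that was last updated years ago. Dates follow the
# article; the time of day for DST Root CA X3 is a placeholder.
STALE_STORE = [
    entry("AddTrust External CA Root", "May 30 10:48:38 2020 GMT"),
    entry("DST Root CA X3", "Sep 30 00:00:00 2021 GMT"),
]
SWITCH_DATE = datetime(2020, 7, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("stale sample:", audit_roots(STALE_STORE, SWITCH_DATE, warn_days=500))
    # Store of this machine; lists only CAs loaded from a bundle file, not a hashed directory.
    local = ssl.create_default_context().get_ca_certs()
    print("this host:", audit_roots(local, datetime.now(timezone.utc)))
```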

Let's Encrypt is not the only one facing the challenge of migrating to a new root. Cryptography began to be used on the Internet more than 20 years ago, so right now is the time when many root certificates are about to expire.

Owners of smart TVs who have not updated their Smart TV software for years may run into this problem. For example, the new GlobalSign R5 Root was released in 2012, and some old Smart TVs cannot build a chain to it, because they simply do not have this root CA. In particular, these clients were unable to establish a secure connection to the bbc.co.uk website. To solve the problem, the BBC administrators resorted to a trick: they built an alternative chain for these clients through additional intermediate certificates, using the old roots R3 Root and R1 Root, which have not yet expired.

www.bbc.co.uk (Leaf)
GlobalSign ECC OV SSL CA 2018 (Intermediate)
GlobalSign Root CA - R5 (Intermediate)
GlobalSign Root CA - R3 (Intermediate)

This is a temporary solution. The problem will not go away unless the client software is updated. A smart TV is essentially a limited-functionality computer running Linux. And without updates, its root certificates will inevitably expire.

This applies to all devices, not just TVs. If you have any device that is connected to the Internet and was marketed as a "smart" device, the problem of expired certificates almost certainly affects it. If the device is not updated, the root CA store will become outdated over time and eventually the problem will surface. How soon the problem occurs depends on when the root store was last updated. This may be several years before the actual release date of the device.

By the way, this is the reason why some large media platforms cannot use modern automated certificate authorities such as Let's Encrypt, writes Scott Helme. They are not suitable for smart TVs, and the number of roots is too small to guarantee certificate support on legacy devices. Otherwise, the TV simply would not be able to launch modern streaming services.

The recent incident with AddTrust showed that even large IT companies are not prepared for a root certificate expiring.

There is only one solution to the problem: updating. Developers of smart devices must provide a mechanism for updating software and root certificates in advance. On the other hand, it is not profitable for manufacturers to keep their devices working after the warranty period has expired.



source: www.habr.com
