China has started blocking HTTPS connections established with TLS 1.3 and ESNI

China has begun blocking all HTTPS connections that use the TLS 1.3 protocol together with the ESNI (Encrypted Server Name Indication) TLS extension, which encrypts the information about the requested host. The blocking is applied on transit routers in both directions: for connections established from China to the outside world, and from the outside world into China.

The blocking is carried out by dropping packets from the client to the server, rather than by injecting RST packets as was done previously for selective SNI-based content blocking. After a packet with ESNI has been blocked, all further network packets matching the same combination of source IP address, destination IP address and destination port number are also blocked for 120 to 180 seconds. HTTPS connections based on older TLS versions, and TLS 1.3 without ESNI, are let through as usual.

Recall that the SNI extension was developed to allow several HTTPS sites to be served from a single IP address: it transmits the host name in clear text in the ClientHello message, which is sent before the encrypted channel is established. This feature lets an Internet provider selectively filter HTTPS traffic and observe which sites a user opens, which prevents full confidentiality when using HTTPS.

The new TLS extension ECH (formerly ESNI), which can be used together with TLS 1.3, removes this shortcoming and completely eliminates the leak of information about the requested site when HTTPS connections are inspected. Combined with access through a content delivery network, using ECH/ESNI also makes it possible to hide the IP address of the requested resource from the provider. Traffic inspection systems will see only requests to the CDN and will be unable to apply blocking without spoofing the TLS session, in which case the user's browser would display a warning about the substituted certificate. DNS remains a possible leakage channel, but the client can use DNS-over-HTTPS or DNS-over-TLS to hide its DNS queries.

Researchers have already identified several ways to bypass the Chinese blocking on the client and server side, but these may become irrelevant and should be regarded as temporary measures. For example, at present only packets carrying the ESNI extension ID 0xffce (encrypted_server_name), used in the fifth version of the draft standard, are blocked, while packets with the current identifier 0xff02 (encrypted_client_hello), introduced in the seventh draft of the ECH specification, are not yet.
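To make the two preceding paragraphs concrete, here is an added Python example (not code from the original article or from any project it mentions) that parses a TLS ClientHello, extracts the cleartext SNI host name, lists the extension type IDs, and maps the record to the outcome the article describes for the filter: blocked when the ESNI draft extension 0xffce is present, not blocked when only the newer ECH identifier 0xff02 is present. The ClientHello builder, the zero-filled random, and the opaque placeholder payloads used for the ESNI/ECH extensions are constructed test data; the parser does not interpret ESNI/ECH contents, only their presence.

```python
import struct

SNI_ID = 0x0000          # server_name: host name in cleartext
ESNI_DRAFT_ID = 0xffce   # encrypted_server_name, ESNI draft-05 (blocked per the article)
ECH_DRAFT_ID = 0xff02    # encrypted_client_hello, ECH draft-07 (not yet blocked per the article)


def build_client_hello(extensions):
    """Build a minimal TLS record carrying a ClientHello with the given
    (extension_type, extension_data) pairs. Constructed test data only."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                              # legacy_version (TLS 1.3 negotiates via supported_versions)
        + bytes(32)                              # random: zeros, constructed
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """Encode a server_name extension with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    return (SNI_ID, struct.pack("!H", len(entry)) + entry)


def _parse_sni(data):
    """Return the first host_name entry of a server_name extension, or None."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if name_type == 0 and len(name) == nlen:
            return name.decode("ascii", "replace")
    return None


def parse_client_hello(record):
    """Return {'extensions': [type IDs in order], 'sni': cleartext host or None}.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return {"extensions": [], "sni": None}     # ClientHello without an extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")
    types, sni = [], None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        types.append(etype)
        if etype == SNI_ID and sni is None:
            sni = _parse_sni(data)
    return {"extensions": types, "sni": sni}


def classify(record):
    """Outcome for one ClientHello under the filter behaviour the article describes."""
    info = parse_client_hello(record)
    if ESNI_DRAFT_ID in info["extensions"]:
        return "blocked"            # draft-05 ESNI: packet dropped, 3-tuple blocked 120-180 s
    if ECH_DRAFT_ID in info["extensions"]:
        return "ech_not_blocked"    # draft-07 ECH id: currently passes; any SNI present is the CDN front name
    if info["sni"] is not None:
        return "sni_cleartext"      # host name visible to any on-path inspector
    return "no_sni"


if __name__ == "__main__":
    samples = {
        "SNI only": build_client_hello([sni_extension("example.com")]),
        "ESNI 0xffce": build_client_hello([(ESNI_DRAFT_ID, b"\x00" * 8)]),   # opaque placeholder payload
        "ECH 0xff02": build_client_hello([sni_extension("cdn-front.example"), (ECH_DRAFT_ID, b"\x00" * 8)]),
    }
    for label, rec in samples.items():
        print(f"{label:12} {parse_client_hello(rec)} -> {classify(rec)}")
```

The same extension-ID check is what a network-side sensor would apply to its own traffic mirror to see whether any clients still send the draft-05 identifier and will therefore be subject to the 120-180 second 3-tuple block described above; the ECH branch deliberately reports the outer SNI separately because under ECH it names only the CDN front, not the hidden site.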

Another workaround is to use a non-standard connection negotiation sequence: for example, the blocking does not work if an additional SYN packet with an incorrect sequence number is sent first, if packet flags are manipulated, if a packet with both the FIN and SYN flags set is sent, if an RST packet with an incorrect checksum is substituted, or if packets with the SYN and ACK flags are sent before the connection negotiation begins. The described methods have already been implemented as a plugin for the Geneva toolkit, which is developed for bypassing censorship mechanisms.

Source: budenet.ru
