Results of the Mozilla VPN client audit published

Mozilla has announced the completion of an independent audit of the client software used to connect to the Mozilla VPN service. The audit covered the standalone client application, which is written with the Qt library and is available for Linux, macOS, Windows, Android and iOS. Mozilla VPN is powered by more than 400 servers of the Swedish VPN provider Mullvad, located in over 30 countries. Connections to the VPN service are made using the WireGuard protocol.

The audit was carried out by Cure53, which has previously audited the NTPsec, SecureDrop, Cryptocat, F-Droid and Dovecot projects. It consisted of a source code review and included tests to identify possible vulnerabilities (issues related to cryptography were not considered). During the audit, 16 security issues were identified: 8 were recommendations, 5 were rated low risk, two were rated medium, and one was rated high risk.

However, only one issue, of medium severity, was classified as a vulnerability, since it was the only one that was exploitable. This issue leaked VPN usage information in the captive portal detection code, because unencrypted HTTP requests were sent outside the VPN tunnel, revealing the user's primary IP address if an attacker can control transit traffic. The problem is resolved by disabling captive portal detection mode in the settings.

The second medium-severity issue is related to the lack of proper sanitization of non-numeric values in the port number, which makes it possible to leak OAuth authentication parameters by replacing the port number with a string like "[email protected]", which results in a tag [email protected]/?code=..." alt=""> being set that accesses example.com instead of 127.0.0.1.
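The port-handling problem described above can be illustrated with a strict port check placed in front of the loopback callback URL. This is an added example, not code from the Mozilla VPN client or the audit report; the function names and the sample port and code values are constructed for illustration.

```javascript
// Added example (not Mozilla's code); all names and values are constructed.

// Naive builder: interpolates `port` unchecked, the pattern the issue describes.
function buildCallbackNaive(port, code) {
  return `http://127.0.0.1:${port}/?code=${encodeURIComponent(code)}`;
}

// Strict parser: only 1-5 ASCII digits, within the range 1..65535.
function parsePort(value) {
  const text = String(value);
  if (!/^[0-9]{1,5}$/.test(text)) return null;
  const port = Number(text);
  return port >= 1 && port <= 65535 ? port : null;
}

// Hardened builder: validates the port, builds the URL through the URL API,
// and confirms the host is still the loopback address before returning it.
function buildCallbackStrict(port, code) {
  const parsed = parsePort(port);
  if (parsed === null) throw new RangeError("port must be an integer 1-65535");
  const url = new URL("http://127.0.0.1/");
  url.port = String(parsed);
  url.searchParams.set("code", code);
  if (url.hostname !== "127.0.0.1") throw new Error("unexpected host");
  return url.href;
}

// Host that a URL parser (and therefore a browser) would actually contact.
function effectiveHost(urlString) {
  return new URL(urlString).hostname;
}

// Constructed sample values.
const SAMPLE_CODE = "constructed-oauth-code";
const BAD_PORT = "8080@collector.example"; // "@" turns "127.0.0.1:8080" into userinfo

console.log(effectiveHost(buildCallbackNaive(BAD_PORT, SAMPLE_CODE)));
console.log(buildCallbackStrict("8080", SAMPLE_CODE));
```

With the unchecked builder the text before "@" is parsed as userinfo, so the request and its `code` parameter go to the host after it; the strict builder rejects the value before any URL is produced.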

The third issue, marked as dangerous, allows any local application to access the VPN client without authentication through a WebSocket bound to localhost. As an example, it was shown how, with the VPN client running, any website could arrange for a screenshot to be created and sent by generating the screen_capture event. The problem was not classified as a vulnerability, since the WebSocket was used only in internal test builds, and this communication channel was only planned for future use to organize interaction with the browser.

source: budenet.ru
