NPM repository is dropping support for TLS 1.0 and 1.1

GitHub has decided to discontinue support for TLS 1.0 and 1.1 in the NPM package repository and on all sites associated with the NPM package manager, including npmjs.com. Starting October 4, connecting to the repository, including installing packages, will require a client that supports at least TLS 1.2. On GitHub itself, support for TLS 1.0/1.1 was discontinued in February 2018. The stated motive is concern for the security of its services and the confidentiality of user data. According to GitHub, about 99% of requests to the NPM repository are already made using TLS 1.2 or 1.3, and Node.js has included support for TLS 1.2 since 2013 (since release 0.10), so the change will affect only a small portion of users.

Recall that the IETF (Internet Engineering Task Force) has officially classified the TLS 1.0 and 1.1 protocols as obsolete technologies. The TLS 1.0 specification was published in January 1999. Seven years later, the TLS 1.1 update was released with security improvements related to initialization vector generation and padding. Among the main problems of TLS 1.0/1.1 are the lack of support for modern ciphers (for example, ECDHE and AEAD) and the presence in the specification of a requirement to support old ciphers, whose reliability is called into question at the current stage of development of computing technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required, and MD5 and SHA-1 are used for integrity checking and authentication). Support for outdated algorithms has already led to attacks such as ROBOT, DROWN, BEAST, Logjam and FREAK. However, these problems were not considered direct protocol vulnerabilities and were resolved at the implementation level. The TLS 1.0/1.1 protocols themselves have no critical vulnerabilities that could be used to carry out practical attacks.

source: budenet.ru
