Expiry of the IdenTrust root certificate will cause loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expired. It was used to cross-sign the root certificate of the Let's Encrypt certification authority (ISRG Root X1), which is community-run and issues free certificates to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being added to root certificate stores.

It was originally planned that after DST Root CA X3 was retired, the Let's Encrypt project would switch to producing signatures using only its own root certificate, but such a move would have meant a loss of compatibility with a large number of older systems that never added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no knowledge of the Let's Encrypt root certificate, support for which only appeared starting with the Android 7.1.1 platform, released at the end of 2016.

Let's Encrypt had not planned to enter into a new cross-signing agreement, since this places additional obligations on the parties to the agreement, deprives them of independence and ties their hands with respect to following all the procedures and rules of another certification authority. But because of the potential problems on a large number of Android devices, the plan was revised. A new agreement was concluded with the certification authority IdenTrust, under which an alternative cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will keep supporting Android devices starting from version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, once the DST Root CA X3 certificate expired on September 30, Let's Encrypt certificates stopped being accepted on unsupported firmware and operating systems in which the ISRG Root X1 certificate has to be added to the root certificate store by hand in order to establish trust in Let's Encrypt certificates. Problems will appear in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being handled correctly when one of the root certificates used for signing has expired, even if other valid chains of trust remain. The problem first surfaced last year after the expiry of the AddTrust certificate that was used to cross-sign certificates from Sectigo (Comodo). The essence of the problem is that OpenSSL processed the certificates as a linear chain, whereas according to RFC 4158 certificates can form a distributed directed graph with several trust anchors, all of which need to be taken into account.

Users of older distributions based on OpenSSL 1.0.2 are offered three ways to work around the problem:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, you can specify the "--trusted_first" option.
  • Use on the server a certificate chain that leads to the other root certificate, ISRG Root X1, which has no cross-signature. This approach will lead to a loss of compatibility with older Android clients.
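The bug described two paragraphs above and the three workarounds listed here come down to how a verifier builds the path from a leaf certificate to a trust anchor. The following toy model is an added example, not code from the article, from OpenSSL or from Let's Encrypt: it contrasts a linear chain walker in the spirit of OpenSSL 1.0.2 (first matching issuer wins, no reconsideration once a trusted root has been reached) with a graph search that tries every candidate issuer as RFC 4158 describes. The `Cert` records, their names and dates are constructed stand-ins carrying only the fields the model needs; the `trusted_first` parameter mirrors the OpenSSL option, which OpenSSL itself documents as `-trusted_first` with a single dash.

```python
"""Toy model of X.509 path building: linear walker vs. graph search.
Added illustration; the certificate records below are constructed stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample hierarchy modelled on the one in the article (dates are
# illustrative). The two "ISRG Root X1" records share a subject but differ in
# issuer: one is self-signed, the other is cross-signed by DST Root CA X3.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
ISRG_ROOT_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("example.test", "R3", utc(2021, 12, 31))
AFTER_EXPIRY = utc(2021, 10, 1)  # verification time after DST Root CA X3 expired


def is_valid(cert, when):
    return when <= cert.not_after


def find_issuer(cert, pools):
    """First certificate, in search order, whose subject matches cert's issuer."""
    for pool in pools:
        for cand in pool:
            if cand.subject == cert.issuer:
                return cand
    return None


def walk_linear(leaf, untrusted, trusted, when, trusted_first=False):
    """Linear walker: at each hop take the FIRST issuer found (server-supplied
    chain before the trust store unless trusted_first) and never revisit the
    choice. Returns (ok, chain, reason)."""
    order = [trusted, untrusted] if trusted_first else [untrusted, trusted]
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:  # stop at a self-signed cert
        nxt = find_issuer(chain[-1], order)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    # Fallback in the spirit of OpenSSL's "alternative chains": only when NO
    # trusted certificate was reached, drop untrusted certs from the top and
    # try the trust store. Once a trusted root HAS been reached there is no
    # retry, so an expired trusted root fails the whole verification.
    while chain[-1] not in trusted and len(chain) > 1:
        chain.pop()
        alt = find_issuer(chain[-1], [trusted])
        if alt is not None:
            chain.append(alt)
            break
    if chain[-1] not in trusted:
        return False, chain, "unable to get issuer certificate"
    expired = [c.subject for c in chain if not is_valid(c, when)]
    if expired:
        return False, chain, "certificate has expired: " + expired[0]
    return True, chain, "ok"


def build_graph(leaf, untrusted, trusted, when):
    """RFC 4158 view: treat the certificates as a graph, try every candidate
    issuer depth-first and accept the first path ending at an unexpired anchor."""
    pool = list(untrusted) + list(trusted)

    def dfs(chain):
        cur = chain[-1]
        if not is_valid(cur, when):
            return None          # dead end: expired certificate on this path
        if cur in trusted:
            return chain         # reached a valid trust anchor
        if cur.subject == cur.issuer:
            return None          # self-signed but not trusted
        for cand in pool:
            if cand.subject == cur.issuer and cand not in chain:
                found = dfs(chain + [cand])
                if found:
                    return found
        return None

    return dfs([leaf])


if __name__ == "__main__":
    served = [R3, ISRG_X1_CROSS]         # chain as sent by the server
    store = [DST_ROOT_X3, ISRG_ROOT_X1]  # old trust store holding both roots
    print("linear, default       :", walk_linear(LEAF, served, store, AFTER_EXPIRY)[2])
    print("linear, trusted_first :", walk_linear(LEAF, served, store, AFTER_EXPIRY, True)[2])
    print("linear, DST removed   :", walk_linear(LEAF, served, [ISRG_ROOT_X1], AFTER_EXPIRY)[2])
    print("linear, ISRG-only chain:", walk_linear(LEAF, [R3], store, AFTER_EXPIRY)[2])
    print("graph search path     :", [c.subject for c in build_graph(LEAF, served, store, AFTER_EXPIRY)])
```

Run as a script, the default linear walk follows the served cross-signed certificate up to the expired DST Root CA X3 and reports an expiry error, while each of the three workarounds (trust store consulted first, expired root removed, server chain ending at ISRG Root X1) lets the same walker succeed; the graph search finds the valid path through the self-signed ISRG Root X1 without any workaround. Verifying the ISRG-only chain against a store that holds only DST Root CA X3, as an old Android client would, fails with a missing issuer, which is the compatibility loss the third workaround mentions.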

In addition, it can be noted that the Let's Encrypt project has passed the milestone of two billion certificates issued. The one-billion milestone was reached in February last year. 2.2 to 2.4 million new certificates are issued every day. The number of active certificates is 192 million (a certificate is valid for three months), covering roughly 260 million domains (195 million domains a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests made over HTTPS is 82% (a year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).

source: budenet.ru
