Mozilla has announced that support for the ECH (Encrypted Client Hello) mechanism is now enabled for users of the stable branch of Firefox. ECH is the successor to ESNI (Encrypted Server Name Indication) and is designed to hide TLS handshake parameters, such as the requested domain name, from anyone observing the connection. Code for ECH first landed in Firefox 85 but was disabled by default. Chrome began gradually enabling ECH support starting with Chrome 115.
Since the requested domain name also travels over DNS, not only in the connection to the server, full protection requires using DNS over HTTPS or DNS over TLS alongside ECH to encrypt DNS traffic. Firefox will not use ECH unless DNS over HTTPS is enabled in its settings; this is also necessary because ECH keys are published in DNS, and a plaintext DNS lookup would expose both the name and the fact that ECH is about to be used. You can check ECH support in your browser on this page.
One of the factors that made enabling ECH by default in Firefox possible was Cloudflare's recent rollout of ECH support across its content delivery network. In practical terms, because the requested hostname is hidden from inspection when ECH is used, filtering or blocking unwanted sites served through the Cloudflare CDN now requires blocking the entire Cloudflare network, blocking every connection that uses ECH, or performing HTTPS interception with a forged root certificate installed on the user's system.
Originally, to serve multiple HTTPS sites from a single IP address, the TLS SNI extension was used: it places the requested hostname in the ClientHello message, which is sent before the encrypted channel is established. This lets the server route the request to the right virtual host at the earliest stage of connection handling, but it also lets an ISP selectively filter HTTPS traffic and inspect which sites a user opens, so HTTPS alone did not provide full privacy.
To close this leak of the requested site name, the ESNI extension was proposed, which encrypts the hostname field. During ESNI's implementation it became clear that the scheme did not cover every channel through which the host name can leak, so it was insufficient to guarantee full privacy of an HTTPS session. In particular, when resuming a previously established session, the domain name continued to be exposed in plaintext in the TLS PSK (Pre-Shared Key) parameters. In addition, attempts to deploy ESNI ran into compatibility and deployment problems that held back its adoption.
Taking ESNI's shortcomings into account, a new, more general ECH mechanism was designed that can encrypt the parameters of any TLS extension, not just SNI. Technically, the main difference between ECH and ESNI is that instead of one field, the whole ClientHello message is encrypted at once. ECH splits the ClientHello into two messages: the encrypted ClientHelloInner (SNI Inner) and the unencrypted ClientHelloOuter (SNI Outer). The unencrypted SNI Outer carries only non-sensitive data, such as the TLS version and the list of supported cipher suites, plus a shared public domain name that does not match the name actually being requested. For example, for all Cloudflare customers the unencrypted SNI Outer specifies the common host "cloudflare-ech.com", while the real requested hostname is sent in the encrypted SNI Inner and is unavailable for inspection.

ECH also uses a different mechanism for distributing encryption keys: the public key material is published in DNS HTTPS records (called HTTPSSVC in early drafts) rather than in TXT records. Key derivation and encryption use the HPKE (Hybrid Public Key Encryption) scheme, giving end-to-end encryption of the inner ClientHello to the server's ECH key. ECH also lets the server send fresh keys back to the client so the client can retry the handshake, which handles key rotation on the server side and the problem of stale keys lingering in DNS caches.
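The two previous paragraphs describe what the ECH key material looks like on the wire: an ECHConfigList carried in the `ech=` parameter of an HTTPS record, each ECHConfig naming the HPKE KEM, KDF and AEAD identifiers, the server's public key, and the public_name that ends up as the SNI in ClientHelloOuter. The following Python is an added example written for this page, not code from Mozilla, Cloudflare or the ECH draft; it encodes and parses that structure in the draft-13 (version 0xfe0d) layout and shows how a client picks a usable config while skipping entries with versions it does not understand. The public key bytes and the config ids are constructed placeholders, not real Cloudflare key material, and the record name "example.com" is assumed.

```python
"""Build and parse an ECHConfigList as carried in the ech= SvcParam of a DNS HTTPS record.
Wire format follows draft-ietf-tls-esni, ECHConfig version 0xfe0d (added example, not
the browser's or the draft's reference code)."""
import base64
import struct

ECH_VERSION_DRAFT13 = 0xFE0D        # the ECHConfig version deployed by current browsers
KEM_X25519_HKDF_SHA256 = 0x0020     # HPKE KEM id (RFC 9180)
KDF_HKDF_SHA256 = 0x0001            # HPKE KDF id
AEAD_AES_128_GCM = 0x0001           # HPKE AEAD ids
AEAD_CHACHA20_POLY1305 = 0x0003


def _vec(data: bytes, size: int) -> bytes:
    """Encode a TLS opaque<..> vector: big-endian length of `size` bytes, then the data."""
    if len(data) >= 1 << (8 * size):
        raise ValueError("vector too long")
    return len(data).to_bytes(size, "big") + data


class _Reader:
    """Cursor over bytes with TLS-style integer and length-prefixed vector readers."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def remaining(self) -> int:
        return len(self.data) - self.pos
    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("truncated ECHConfig")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out
    def uint(self, size: int) -> int:
        return int.from_bytes(self.take(size), "big")
    def vec(self, size: int) -> bytes:
        return self.take(self.uint(size))


def build_ech_config(config_id, public_key, public_name, cipher_suites, version=ECH_VERSION_DRAFT13):
    """Serialise one ECHConfig: version, then length-prefixed ECHConfigContents."""
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    key_config = (bytes([config_id]) + struct.pack("!H", KEM_X25519_HKDF_SHA256)
                  + _vec(public_key, 2) + _vec(suites, 2))
    contents = (key_config + bytes([0])                  # maximum_name_length: 0 = no padding hint
                + _vec(public_name.encode("ascii"), 1)   # public_name: the SNI sent in ClientHelloOuter
                + _vec(b"", 2))                          # extensions: none
    return struct.pack("!H", version) + _vec(contents, 2)


def build_ech_config_list(configs) -> bytes:
    return _vec(b"".join(configs), 2)


def to_svcparam(config_list: bytes) -> str:
    """Value as written in the presentation form of an HTTPS record: ech="<base64>"."""
    return base64.b64encode(config_list).decode("ascii")


def from_svcparam(value: str) -> bytes:
    return base64.b64decode(value)


def parse_ech_config_list(data: bytes) -> list:
    """Parse an ECHConfigList. Unknown versions are kept but marked unsupported: a client
    must skip them rather than fail, since a zone may publish several versions at once."""
    outer = _Reader(data)
    body = _Reader(outer.vec(2))
    if outer.remaining():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while body.remaining():
        version = body.uint(2)
        contents = _Reader(body.vec(2))
        if version != ECH_VERSION_DRAFT13:
            configs.append({"version": version, "supported": False})
            continue
        config_id = contents.uint(1)
        kem_id = contents.uint(2)
        public_key = contents.vec(2)
        raw_suites = contents.vec(2)
        if not raw_suites or len(raw_suites) % 4:
            raise ValueError("malformed cipher_suites")
        suites = [struct.unpack("!HH", raw_suites[i:i + 4]) for i in range(0, len(raw_suites), 4)]
        max_name_len = contents.uint(1)
        public_name = contents.vec(1).decode("ascii")
        extensions = contents.vec(2)
        if contents.remaining() or not public_name:
            raise ValueError("malformed ECHConfigContents")
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name,
                        "extensions": extensions})
    return configs


def select_ech_config(configs):
    """First config this client can use (known version, X25519 KEM, an implemented suite);
    None means the client must fall back to a plain, unencrypted ClientHello."""
    for c in configs:
        if not c["supported"] or c["kem_id"] != KEM_X25519_HKDF_SHA256:
            continue
        if any(kdf == KDF_HKDF_SHA256 and aead in (AEAD_AES_128_GCM, AEAD_CHACHA20_POLY1305)
               for kdf, aead in c["cipher_suites"]):
            return c
    return None


# Constructed sample: 32 placeholder bytes stand in for an X25519 public key (NOT a real key),
# published under the shared outer name the page says Cloudflare uses. The second entry uses an
# older draft version (0xfe0a) to show that a client skips it.
SAMPLE_PUBLIC_KEY = bytes(range(32))
SAMPLE_LIST = build_ech_config_list([
    build_ech_config(7, SAMPLE_PUBLIC_KEY, "cloudflare-ech.com",
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM), (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)]),
    build_ech_config(8, SAMPLE_PUBLIC_KEY, "cloudflare-ech.com",
                     [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)], version=0xFE0A),
])

if __name__ == "__main__":
    print('example.com. HTTPS 1 . alpn="h2" ech="%s"' % to_svcparam(SAMPLE_LIST))
    chosen = select_ech_config(parse_ech_config_list(SAMPLE_LIST))
    print("ClientHelloOuter SNI:", chosen["public_name"], "config_id:", chosen["config_id"])
```

The chosen config's `config_id` is what the client places in its outer `encrypted_client_hello` extension so the server knows which private key to try; the `public_name` is the value the outer SNI carries, which is why every Cloudflare-fronted site looks identical to an observer. What the example does not do is the HPKE encryption of ClientHelloInner itself; that needs an HPKE implementation and the server's real key.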
source: budenet.ru
