"Love and Dislike": DNS over HTTPS

We look at the opinions about the features of DNS over HTTPS, a protocol that has recently become a "bone of contention" between Internet service providers and browser developers.

(Photo: unsplash / Steve Halam)

The essence of the disagreement

Lately, major news outlets and topical platforms (such as Habr) have been writing a lot about the DNS over HTTPS (DoH) protocol. It encrypts requests to the DNS server and the responses to them. This approach hides the names of the hosts a user accesses. From the publications one can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One half believes that the new protocol will improve security on the Internet and is implementing it in its applications and services. The other half is convinced that the technology only complicates the work of network operators. Below we look at the arguments of both sides.

How DoH works

Before we get into why ISPs and other market participants are for or against DNS over HTTPS, let us briefly look at how it works.

In the case of DoH, the request to resolve a domain name to an IP address is encapsulated in HTTPS traffic. It then goes to an HTTP server, where it is processed via an API. Here is an example request from RFC 8484 (page 6):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

Thus, DNS traffic is hidden inside HTTPS traffic. Client and server communicate over the standard port 443. As a result, the domain-name lookup stays hidden from anyone observing the traffic on the path.
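As an added example (not code from the article or from RFC 8484), the following Python builds the DNS wire-format query for the name in the request above, base64url-encodes it without padding into the GET path, and parses it back the way the resolver does after TLS termination; it also reproduces the RFC's "www.example.com" request. The /dns-query endpoint, transaction ID 0 and the RD flag are taken from the quoted request; everything else is constructed here.

```python
import base64
import struct

# The dns= value of the RFC 8484 GET request quoted above, kept here only so the
# encoder below can be checked against it.
RFC8484_DNS_PARAM = (
    "AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3Qt"
    "ZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ"
)

def build_query(name, qtype=1, qclass=1, txid=0):
    """Minimal RFC 1035 query: 12-byte header plus one question (A/IN by default).
    RFC 8484 recommends ID 0 so identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label ends the name
    return header + qname + struct.pack("!HH", qtype, qclass)

def to_doh_path(message, endpoint="/dns-query"):
    """GET form of RFC 8484 section 4.1: base64url (RFC 4648 section 5), '=' padding stripped."""
    dns = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def parse_doh_path(path):
    """What the resolver does after TLS termination: decode the dns= value and read the
    question. Only the endpoint sees this; on the wire it is ordinary HTTPS on port 443."""
    dns = path.split("dns=", 1)[1]
    dns += "=" * (-len(dns) % 4)  # put the padding back for the decoder
    msg = base64.urlsafe_b64decode(dns)
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass

if __name__ == "__main__":
    name = "a.62characterlabel-makes-base64url-distinct-from-standard-base64.example.com"
    path = to_doh_path(build_query(name))
    print(path)
    print("matches RFC 8484:", path == "/dns-query?dns=" + RFC8484_DNS_PARAM)
    print(parse_doh_path(path))
```

The long second label is why RFC 8484 mandates base64url: standard base64 would produce "/" or "+" characters that are not safe in a URL query string.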

Why it is disliked

Opponents of DNS over HTTPS say the new protocol will lower the security of connections. According to Paul Vixie, a member of the team that developed DNS, it will make it harder for administrators to block sites with malicious content. Ordinary users will lose the ability to set up parental controls in their browsers.

Paul's view is shared by UK Internet service providers. The country's law requires them to block resources with prohibited content, but DoH support in browsers complicates the task of filtering traffic. Critics of the new protocol also include the UK Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains a list of blocked resources.


Experts note that DNS over HTTPS could become a cybersecurity threat. In early July, information security specialists from Netlab found the first malware that uses the new protocol to conduct DDoS attacks: Godlua. The malware queried DoH to obtain text records (TXT) and extract the URLs of its command and control servers from them.

Encrypted DoH requests are not detected by antivirus software. Information security experts fear that other malware will follow Godlua, invisible to passive DNS monitoring.

But not everyone is against it

APNIC engineer Geoff Huston spoke in defence of DNS over HTTPS on his blog. According to him, the new protocol will help protect against DNS hijacking attacks, which have become more frequent recently. This is confirmed by a January report from the cybersecurity company FireEye. Large IT companies have also supported the development of the protocol.

Early last year, Google began testing DoH, and a month ago the company presented the General Availability version of its DoH service. Google hopes that it will improve the security of personal data on the network and protect against MITM attacks.

Another browser developer, Mozilla, has supported DNS over HTTPS since last summer. At the same time, the company has actively promoted the new technology in the IT community. For this, the Internet Services Providers Association (ISPA) even nominated Mozilla for the Internet Villain of the Year award. In response, company representatives said they were frustrated by the unwillingness of telecom operators to keep improving their Internet protocols.

(Photo: unsplash / TETrebbien)

Mozilla was backed by major news outlets and by some Internet service providers. In particular, British Telecom believes that the new protocol will not interfere with content filtering and will improve the security of UK users. Under public pressure, ISPA had to withdraw the "villain" nomination.

Cloud providers such as Cloudflare have also spoken out in favour of DNS over HTTPS. They already offer DNS services based on the new protocol. A full list of browsers and clients that support DoH is available on GitHub.

However, it is too early to talk about an end to the dispute between the two camps. IT experts predict that if DNS over HTTPS is to become part of the Internet's technology stack, it will take time: more than a decade.


Source: www.hab.com
