Mozilla adopts CRLite for checking revoked TLS certificates

Mozilla has announced the start of testing, in nightly builds of Firefox, of a new mechanism for detecting revoked certificates: CRLite. CRLite makes revocation checks efficient by running them against a database stored on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code for building the database and the server-side components is written in Python and Go; the client-side components added to Firefox for reading the database are written in Rust.

Checking certificates through external services based on the still-used OCSP (Online Certificate Status Protocol) requires guaranteed network access, adds a noticeable delay to request processing (350 ms on average) and raises privacy concerns (an OCSP responder answering a request learns which specific certificate is being checked, which can be used to infer which sites the user is visiting). It is also possible to check locally against CRLs (Certificate Revocation Lists), but the drawback of that approach is the very large volume of data to download: the revocation data currently amounts to about 300 MB, and it keeps growing.

To block certificates that have been compromised and revoked by certificate authorities, Firefox has used the centralized OneCRL blocklist since 2015, combined with calls to the Google Safe Browsing service to detect possible malicious activity. OneCRL, like CRLSets in Chrome, acts as an intermediary that aggregates CRLs from certificate authorities and provides a single centralized OCSP-like service for revocation checks, so the browser does not have to query each certificate authority directly. Despite considerable work on improving the reliability of the online revocation check, telemetry shows that more than 7% of OCSP requests time out (a few years ago this figure was 15%).

By default, if the OCSP check cannot be completed, the browser treats the certificate as valid (soft-fail). The service may be unreachable because of network problems or restrictions on internal networks, or it may be blocked by an attacker: to bypass the OCSP check during a MITM attack it is enough to block access to the responder. As partial protection against such attacks, the Must-Staple mechanism was introduced, which lets an OCSP access error or OCSP unavailability be treated as a problem with the certificate, but this feature is optional and requires a special flag in the certificate.

CRLite aggregates complete information about all revoked certificates into an easily updatable structure of only about 1 MB, which makes it possible to keep the full CRL data on the client. The browser will be able to synchronize its copy of the revocation data daily, and that data will be available under any network conditions.

CRLite takes its data from Certificate Transparency (the public log of all issued and revoked certificates) and from Internet certificate scans (the various CRLs published by certificate authorities are collected and the information about every known certificate is aggregated). The data is packed using a cascade of Bloom filters, a probabilistic structure that can falsely report a missing element as present but can never omit an element that is present (that is, with some probability a valid certificate can produce a false positive, but a revoked certificate is guaranteed to be identified).

To eliminate the false positives, CRLite adds further correcting filter levels. After the structure is built, every record in the database is checked against it and the false positives are found. From the result of that check an additional structure is built, which is cascaded onto the first one and corrects its false positives. The procedure is repeated until the control check produces no false positives at all; in practice 7-10 layers are enough to cover all the data. Because of the periodic synchronization, the state of the database lags slightly behind the current state of the CRLs, so new certificates issued after the last CRLite database update are checked over OCSP, including OCSP stapling (an OCSP response signed by the certificate authority is sent by the site's server during TLS connection setup).
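The cascade described in the two paragraphs above, as an added Python example that is not Mozilla's code (the real client is in Rust and the build pipeline in Python and Go): level 0 encodes the revoked serials, each later level encodes the previous level's false positives, and a lookup walks the levels until the key is absent. The 16-byte random serial numbers are constructed test data; SHA-256-based hashing, the per-level false-positive targets (first level sized to the revoked/valid ratio, later levels at 50%) and the freshness rule in check_status are this example's own choices, not details taken from the article.

```python
"""Toy CRLite-style Bloom filter cascade (added example, not Mozilla's code).

Assumptions not taken from the article: a certificate is identified by its
16-byte serial number, hash positions are derived from SHA-256, and the
false-positive targets are a design choice of this example.
"""
import hashlib
import math
import random


class BloomFilter:
    """Minimal Bloom filter over byte-string keys. The level index is mixed
    into the hash so that every layer of the cascade hashes independently."""

    def __init__(self, n_items: int, fp_rate: float, level: int) -> None:
        n = max(n_items, 1)
        # Classic sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.level = level
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key: bytes):
        digest = hashlib.sha256(self.level.to_bytes(4, "big") + key).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride for double hashing
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: bytes) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))

    def size_bytes(self) -> int:
        return len(self.bits)


def build_cascade(revoked, valid, max_levels=64):
    """Level 0 encodes the revoked serials and is checked against every valid
    serial; its false positives become level 1, which is checked against the
    revoked serials again, and so on. Each level only encodes the previous
    level's false positives, so the sets shrink until none remain."""
    levels = []
    include, exclude = list(revoked), list(valid)
    for level in range(max_levels):
        if level == 0:
            # First level aims at a false-positive rate of r / (sqrt(2) * s).
            fp_rate = min(0.5, max(len(include) / (math.sqrt(2) * max(len(exclude), 1)), 1e-6))
        else:
            fp_rate = 0.5
        bf = BloomFilter(len(include), fp_rate, level)
        for key in include:
            bf.add(key)
        levels.append(bf)
        false_positives = [key for key in exclude if key in bf]
        if not false_positives:
            return levels  # control check found no false positives: done
        include, exclude = false_positives, include
    raise RuntimeError("cascade did not converge within max_levels")


def is_revoked(levels, key: bytes) -> bool:
    """Walk the levels while the key is present; the parity of the last level
    that contained it decides (even levels hold revoked serials, odd levels
    valid ones). Only serials present in the build input get a correct answer;
    anything else must fall back to OCSP."""
    depth = 0
    while depth < len(levels) and key in levels[depth]:
        depth += 1
    return depth % 2 == 1


def check_status(levels, built_at: int, serial: bytes, not_before: int) -> str:
    """Freshness rule (this example's simplification): a certificate issued
    after the cascade was built is not covered, so the caller must use OCSP."""
    if not_before > built_at:
        return "unknown"
    return "revoked" if is_revoked(levels, serial) else "valid"


def demo(seed: int = 7, n_revoked: int = 200, n_valid: int = 5000) -> dict:
    """Build a cascade over constructed random serials and measure it."""
    rng = random.Random(seed)
    serials = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_revoked + n_valid)]
    revoked, valid = serials[:n_revoked], serials[n_revoked:]
    levels = build_cascade(revoked, valid)
    return {
        "levels": len(levels),
        "cascade_bytes": sum(bf.size_bytes() for bf in levels),
        "raw_revoked_bytes": 16 * n_revoked,
        "false_negatives": sum(not is_revoked(levels, s) for s in revoked),
        "false_positives": sum(is_revoked(levels, s) for s in valid),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a summary for 200 revoked and 5,000 valid serials: the cascade ends up a few hundred bytes, smaller than even the 3,200-byte list of bare revoked serials, with no false negatives and, after the correcting levels, no false positives on the build input. Because the correction only covers serials known at build time, a certificate outside that set gets an arbitrary answer, which is why check_status routes certificates newer than the filter to OCSP.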


With Bloom filters, December's WebPKI data, covering 100 million active certificates and 750 thousand revoked certificates, fits into a structure of 1.3 MB. Building the structure is very resource-intensive, but it is done on Mozilla's servers and users receive a ready-made update. For example, in binary form the source data needed about 16 GB of memory when kept in the Redis DBMS, and in hexadecimal form a dump of all certificate serial numbers takes about 6.7 GB. Aggregating all revoked certificates takes about 40 minutes, and building the packed Bloom filter structure takes another 20 minutes.

Mozilla currently regenerates the CRLite database four times a day (not every update is delivered to clients). Delta updates are not yet implemented: bsdiff4, which is used to produce delta updates for releases, does not perform well enough on CRLite data and the resulting updates are unreasonably large. To address this, a rework of the storage format is planned to avoid unnecessary rebuilding and removal of layers.

CRLite currently runs in Firefox in passive mode, in parallel with OCSP, to collect statistics on how correctly it works. CRLite can be switched to the primary checking mode by setting security.pki.crlite_mode = 2 in about:config.


Source: opennet.ru
