Expiration of the IdenTrust root certificate will lead to a loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expires. It was used to cross-sign the root certificate (ISRG Root X1) of the Let's Encrypt certification authority, which is community-controlled and issues certificates free of charge to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being added to root certificate stores.

It was originally planned that after DST Root CA X3 was retired, the Let's Encrypt project would switch to issuing signatures using only its own root certificate, but this move would have led to a loss of compatibility with many older systems that never added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no knowledge of the Let's Encrypt root certificate; support for it appeared only starting with the Android 7.1.1 platform, released at the end of 2016.

Let's Encrypt did not plan to enter into a new cross-signing agreement, since such an agreement imposes additional obligations on both parties, deprives them of independence and ties their hands in terms of complying with all the procedures and rules of another certification authority. But because of the problems on a large number of Android devices, the plans were revised. A new agreement was concluded with the IdenTrust certification authority, within the framework of which an alternative cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will preserve support for Android devices starting with version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, once the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems, where the ISRG Root X1 certificate must be added manually to the root certificate store to restore trust in Let's Encrypt certificates. Problems will arise in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being validated correctly if one of the root certificates used for signing has expired, even when another valid chain of trust exists. The problem first appeared last year, after the AddTrust certificate used to cross-sign certificates of the Sectigo (Comodo) certification authority expired. The root of the problem is that OpenSSL 1.0.2 validated the certificate as a linear chain, whereas according to RFC 4158 a certificate can form a directed acyclic graph with several trust anchors, all of which must be taken into account.

Users of older distributions based on OpenSSL 1.0.2 are offered three workarounds for the problem:

  • Manually delete the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, specify the "-trusted_first" option.
  • Use on the server a certificate issued under the standalone ISRG Root X1 root certificate, which has no cross-signature. This method leads to a loss of compatibility with older Android clients.
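To make the OpenSSL 1.0.2 behaviour and the three workarounds concrete, here is an added example (not code from OpenSSL, Let's Encrypt or the original article) that models path building on a tiny certificate graph. Certificates are stand-ins with names and illustrative dates only; the server's presented chain, the trust store and the lookup order are the assumptions, and the "alternative chain" retry stands in for the 1.0.2 logic that only kicks in when no issuer can be found at all.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


TODAY = date(2021, 10, 1)  # the day after DST Root CA X3 expired

# Constructed stand-ins (names and illustrative dates only, no keys)
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_SELF = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed copy
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("example.test", "R3", date(2021, 12, 1))
FULL_CHAIN = [R3, ISRG_CROSS]  # what the server sends with the cross-signature
SHORT_CHAIN = [R3]             # chain without the cross-signature


def build_chain(leaf, presented, trusted, trusted_first=False, check_expiry=True):
    """Model of OpenSSL 1.0.2 path building; returns (ok, subjects).
    By default an issuer is taken from the presented certs before the trust
    store, so a cross-signed copy wins over a trusted self-signed one.
    trusted_first models -trusted_first; check_expiry=False models Android,
    which ignores the expiry date of a trusted root."""
    chain = [leaf]
    while chain[-1] not in trusted:
        pools = (trusted, presented) if trusted_first else (presented, trusted)
        nxt = next((c for pool in pools for c in pool
                    if c.subject == chain[-1].issuer and c not in chain), None)
        # 'alternative chain' retry: only when no issuer exists at all, drop
        # untrusted tail certs until the remaining last cert has a trusted issuer
        while nxt is None and len(chain) > 1:
            chain.pop()
            nxt = next((c for c in trusted if c.subject == chain[-1].issuer), None)
        if nxt is None:
            return False, [c.subject for c in chain]
        chain.append(nxt)
    ok = not check_expiry or all(c.not_after >= TODAY for c in chain)
    return ok, [c.subject for c in chain]


def scenarios():
    both = [ISRG_SELF, DST_SELF]  # a 1.0.2 trust store that still holds the expired root
    return {
        "1.0.2 default, expired DST in store": build_chain(LEAF, FULL_CHAIN, both)[0],
        "workaround: DST removed from store": build_chain(LEAF, FULL_CHAIN, [ISRG_SELF])[0],
        "workaround: -trusted_first": build_chain(LEAF, FULL_CHAIN, both, trusted_first=True)[0],
        "workaround: chain without cross-sign": build_chain(LEAF, SHORT_CHAIN, both)[0],
        "old Android, chain without cross-sign": build_chain(LEAF, SHORT_CHAIN, [DST_SELF], check_expiry=False)[0],
        "old Android, cross-signed chain": build_chain(LEAF, FULL_CHAIN, [DST_SELF], check_expiry=False)[0],
    }
```

The last two entries show why the third workaround costs Android compatibility: an Android trust store that only knows DST Root CA X3 needs the cross-signed copy in the presented chain, and keeps accepting it because it ignores the root's expiry.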

Additionally, it can be noted that the Let's Encrypt project has passed the milestone of two billion certificates issued. The first billion was reached in February of last year. 2.2-2.4 million new certificates are issued every day. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (195 million domains were served a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (a year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).

Source: opennet.ru
