Firefox and Cloudflare enable ECH to hide the requested hostname in HTTPS traffic

Mozilla has announced that support for ECH (Encrypted Client Hello) is now enabled for users of the stable Firefox branch. ECH continues the development of the ESNI (Encrypted Server Name Indication) technology and is designed to encrypt the parameters of a TLS session, such as the requested domain name. Code for ECH was first added in the Firefox 85 release, but it was disabled by default. Chrome has been gradually rolling out ECH support starting with the Chrome 115 release.

Note that, in addition to the handshake with the server, information about the requested domain also leaks through DNS. For full protection you therefore need DNS over HTTPS or DNS over TLS alongside ECH so that DNS traffic is encrypted as well; Firefox will not use ECH unless DNS over HTTPS is enabled in its settings. You can check whether your browser supports ECH on the ECH check page.

One of the conditions for enabling ECH by default in Firefox was Cloudflare adding ECH support to its content delivery network a few days earlier. In practice, because the requested hostname is hidden from inspection when ECH is used, anyone who wants to filter or block unwanted sites hosted behind the Cloudflare CDN now has to block the whole Cloudflare network, block every connection that uses ECH, or set up HTTPS interception with a forged certificate installed on the user's system.

Originally, to serve several HTTPS sites from a single IP address, the TLS extension SNI (Server Name Indication) was introduced, in which the requested hostname is sent in the ClientHello message before the encrypted channel is established. This makes it possible to route a request to the right virtual host early in connection setup, but it also allows an ISP or any other on-path observer to selectively filter HTTPS traffic and identify which sites a user opens, so HTTPS alone does not provide full privacy.

To solve this problem and stop the leak of the requested site's name, the ESNI extension was later proposed, which encrypts the field carrying the hostname. While ESNI was being implemented it became clear that the proposed method did not cover every possible source of hostname leaks and was insufficient to fully ensure the confidentiality of HTTPS sessions. In particular, when resuming a previous session the domain name was still sent in plaintext in the parameters of the PSK (Pre-Shared Key) TLS extension. In addition, attempts to deploy ESNI revealed compatibility and scaling problems that prevented its wide adoption.

Taking the identified shortcomings of ESNI into account, a more universal replacement, ECH, was developed that hides the full set of TLS extension parameters. Technically, the key difference between ECH and ESNI is that instead of individual fields, the whole ClientHello message is encrypted at once. ECH splits the ClientHello into two separate messages: the encrypted ClientHelloInner (SNI Inner) and the unencrypted ClientHelloOuter (SNI Outer), with the encrypted inner message carried inside an extension of the outer one. The unencrypted outer message carries non-sensitive information such as the TLS version and the list of supported cipher suites, plus a hostname that has nothing in common with the real name of the requested host. For example, for all Cloudflare customers the unencrypted outer SNI shows the host "cloudflare-ech.com", while the real name of the requested host is sent in the encrypted inner ClientHello and is not available for inspection.
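The plaintext SNI described above and the ECH outer/inner split are both visible in the ClientHello wire format. The following Python example is added here and is not code from the original article or from Mozilla or Cloudflare: it builds two constructed ClientHello records (zero random, a made-up ECH ciphertext, no real handshake) and parses out exactly what an on-path observer can see, namely the plaintext SNI and whether an encrypted_client_hello extension is present. The record layout follows RFC 8446 and the ECH extension codepoint 0xfe0d and layout follow draft-ietf-tls-esni; the hostnames example.com and cloudflare-ech.com are used only as sample input.

```python
"""Parse what an on-path observer sees in a TLS ClientHello: the plaintext SNI
and whether an encrypted_client_hello extension is present.
Constructed example, not code from the original article; record layout per
RFC 8446, ECH extension layout per draft-ietf-tls-esni."""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint from draft-ietf-tls-esni


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_ech_outer_ext(config_id: int, enc: bytes, payload: bytes) -> bytes:
    """ECH extension body in a ClientHelloOuter: type=outer(0), HPKE KDF/AEAD ids,
    config_id, HPKE encapsulated key, and the encrypted ClientHelloInner (opaque here)."""
    return (b"\x00"            # ECHClientHelloType.outer
            + _u16(0x0001)     # KDF: HKDF-SHA256
            + _u16(0x0001)     # AEAD: AES-128-GCM
            + bytes([config_id])
            + _u16(len(enc)) + enc
            + _u16(len(payload)) + payload)


def build_client_hello(sni: str, ech_ext: Optional[bytes] = None) -> bytes:
    """Minimal ClientHello record with an SNI and optionally an ECH extension (test input only)."""
    name = sni.encode("ascii")
    sni_body = _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name  # list len, host_name type, name
    exts = _u16(EXT_SERVER_NAME) + _u16(len(sni_body)) + sni_body
    if ech_ext is not None:
        exts += _u16(EXT_ECH) + _u16(len(ech_ext)) + ech_ext
    body = (b"\x03\x03"                 # legacy_version
            + bytes(32)                 # random (all zeros: constructed input only)
            + b"\x00"                   # empty legacy_session_id
            + _u16(2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"               # compression_methods: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType.client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # ContentType.handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': plaintext SNI or None, 'ech': 'outer' | 'inner' | None}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip legacy_version and random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info = {"sni": None, "ech": None}
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]  # skip list length and name_type
            info["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ECH and data:
            info["ech"] = "outer" if data[0] == 0 else "inner"
    return info


def visible_host(record: bytes) -> str:
    """What a hostname filter sitting on the path can actually act on."""
    info = parse_client_hello(record)
    if info["ech"] == "outer":
        return f"ECH outer: public name {info['sni']!r}, real host encrypted"
    return f"plaintext SNI {info['sni']!r}"


# Constructed inputs: a classic ClientHello and one using ECH with a made-up ciphertext.
PLAIN_HELLO = build_client_hello("example.com")
ECH_HELLO = build_client_hello("cloudflare-ech.com",
                               build_ech_outer_ext(7, b"\x11" * 32, b"\x22" * 80))

if __name__ == "__main__":
    print(visible_host(PLAIN_HELLO))
    print(visible_host(ECH_HELLO))
```

Fed a handshake record pulled from a capture, the parser returns only the public name when ECH is in use, which is exactly why hostname-based filtering stops working. One caveat for detection logic: the draft also defines GREASE ECH, an extension with random contents sent when the client has no ECH key, so the mere presence of extension 0xfe0d does not prove that a real encrypted inner ClientHello is being sent.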


ECH also uses a different method of distributing the encryption keys: the public key is published in an HTTPS DNS record (the record type formerly called HTTPSSVC) instead of a TXT record. The key is delivered and used with end-to-end encryption based on the HPKE (Hybrid Public Key Encryption) mechanism. ECH additionally supports a secure retry mechanism in which the server returns fresh keys; this can be used when the server's keys change and solves the problem of stale keys being served from DNS caches.
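The key distribution described above is concrete enough to parse. The following Python example is added here and is not code from the original article or from Cloudflare: it decodes the ech= parameter of an HTTPS record into its ECHConfigList fields (config_id, HPKE KEM, public key, cipher suites, and the public name that ends up in the outer SNI). The wire format is the ECHConfig version 0xfe0d layout from draft-ietf-tls-esni; the record line, owner name, key bytes and config_id are constructed sample input, and the stale draft version 0xfe0a is included only to show that unknown versions are skipped rather than rejected.

```python
"""Decode the ech= parameter of an HTTPS DNS record into its ECHConfigList fields.
Constructed example, not code from the original article; wire format per the
ECHConfig version 0xfe0d layout in draft-ietf-tls-esni."""
import base64
import re
import struct

ECH_VERSION = 0xFE0D
KEM_X25519_HKDF_SHA256 = 0x0020   # HPKE KEM id
KDF_HKDF_SHA256 = 0x0001          # HPKE KDF id
AEAD_AES_128_GCM = 0x0001         # HPKE AEAD ids
AEAD_CHACHA20_POLY1305 = 0x0003


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_ech_config(config_id, kem_id, public_key, cipher_suites, public_name, max_name_len=0):
    """Serialize one ECHConfig (used here only to produce constructed test input)."""
    suites = b"".join(_u16(kdf) + _u16(aead) for kdf, aead in cipher_suites)
    key_config = (bytes([config_id]) + _u16(kem_id)
                  + _u16(len(public_key)) + public_key
                  + _u16(len(suites)) + suites)
    name = public_name.encode("ascii")
    contents = key_config + bytes([max_name_len]) + bytes([len(name)]) + name + _u16(0)  # no extensions
    return _u16(ECH_VERSION) + _u16(len(contents)) + contents


def parse_ech_config_list(data: bytes) -> list:
    """Return one dict per ECHConfig the client understands. Configs with an
    unknown version are skipped, not rejected, as the draft requires."""
    total = struct.unpack("!H", data[:2])[0]
    pos, end, configs = 2, 2 + total, []
    while pos + 4 <= end:
        version, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            continue
        p = 0
        config_id = body[p]; p += 1
        kem_id = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        pk_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        public_key = body[p:p + pk_len]; p += pk_len
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        suites = [struct.unpack("!HH", body[p + i:p + i + 4]) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len = body[p]; p += 1
        name_len = body[p]; p += 1
        public_name = body[p:p + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "max_name_len": max_name_len,
                        "public_name": public_name})
    return configs


def ech_configs_from_https_rr(presentation: str) -> list:
    """Extract the base64 ech=... value from an HTTPS record in presentation
    format (as printed by dig) and parse it; returns [] if the record has no ech."""
    m = re.search(r'ech="?([A-Za-z0-9+/=]+)"?', presentation)
    return parse_ech_config_list(base64.b64decode(m.group(1))) if m else []


# Constructed record: a stale draft-version config that must be ignored, then a valid one.
SAMPLE_KEY = bytes(range(32))  # placeholder bytes, not a real X25519 public key
SAMPLE_LIST_BODY = (_u16(0xFE0A) + _u16(3) + b"old"
                    + build_ech_config(42, KEM_X25519_HKDF_SHA256, SAMPLE_KEY,
                                       [(KDF_HKDF_SHA256, AEAD_AES_128_GCM),
                                        (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)],
                                       "cloudflare-ech.com"))
SAMPLE_RR = ('www.example. 300 IN HTTPS 1 . alpn="h2,h3" ech="'
             + base64.b64encode(_u16(len(SAMPLE_LIST_BODY)) + SAMPLE_LIST_BODY).decode() + '"')

if __name__ == "__main__":
    for cfg in ech_configs_from_https_rr(SAMPLE_RR):
        print(cfg["public_name"], hex(cfg["kem_id"]), cfg["cipher_suites"])
```

The same parser applies to the server-side retry path mentioned above: when the server cannot decrypt the inner ClientHello because the client used a stale key, it returns a fresh ECHConfigList as retry_configs, which is the same wire format as the ech= value in DNS.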

Source: opennet.ru
