How DNSCrypt solved the problem of expired certificates by introducing a 24-hour validity period


In the past, certificates often expired because they had to be renewed manually. People simply forgot to do it. With the arrival of Let's Encrypt and automatic renewal, it would seem that the problem should have been solved. But the recent Firefox story shows that it is, in fact, still relevant. Unfortunately, certificates continue to expire.

In case you missed the story: at midnight on May 4, 2019, almost all Firefox extensions stopped working.

As it turned out, the mass failure occurred because a Mozilla certificate that was used to sign extensions had expired. As a result, the extensions were marked as "invalid" and failed verification (technical details). On forums, the recommended workaround was to disable extension signature verification in about:config or to change the system clock.

Mozilla quickly released the Firefox 66.0.4 patch, which fixes the problem with the invalid certificate, and all extensions returned to normal. The developers recommend installing it and not using any workarounds that bypass signature verification, because they may conflict with the patch.

Still, this story shows once again that certificate expiration remains a pressing issue today.

In this light, it is interesting to look at the rather original way the developers of the DNSCrypt protocol dealt with this task. Their solution can be divided into two parts. First, short-lived certificates. Second, warning users when long-lived certificates are about to expire.

DNSCrypt

DNSCrypt is a DNS traffic encryption protocol. It protects DNS communications from interception and MiTM, and also lets you bypass blocking at the DNS query level.

The protocol wraps DNS traffic between the client and the server in a cryptographic construction and works over both UDP and TCP transports. To use it, both the client and the DNS resolver must support DNSCrypt. For example, since March 2016 it has been supported on Yandex's DNS servers and in the Yandex browser. Several other providers have also announced support, including Google and Cloudflare. Unfortunately, there are not many of them (152 DNS servers are listed on the official website). But the dnscrypt-proxy program can be installed manually on Linux, Windows and MacOS clients. There are also server implementations.


How does DNSCrypt work? In short, the client takes the public key of the chosen provider and uses it to verify the provider's certificates. The certificates already contain the short-term public keys for the session and the cipher suite identifier. Clients are encouraged to generate a new key for each request, and servers are encouraged to change keys every 24 hours. Key exchange uses the X25519 algorithm, signing uses EdDSA, and block encryption uses XSalsa20-Poly1305 or XChaCha20-Poly1305.

One of the protocol's developers, Frank Denis, wrote that automatic replacement every 24 hours solved the problem of expired certificates. In principle, the dnscrypt-proxy reference client accepts certificates with any validity period, but it issues the warning "The dnscrypt-proxy key period for this server is too long" if a certificate is valid for more than 24 hours. At the same time, a Docker image was released in which fast rotation of keys (and certificates) was implemented.

First, this is extremely useful for security: if the server is compromised or a key is leaked, yesterday's traffic cannot be decrypted. The key has already changed. This is likely to be a problem for implementing the Yarovaya Law, which obliges providers to store all traffic, including encrypted traffic. The idea behind it is that the traffic can later be decrypted, if necessary, by requesting the key from the site. But in this case the site simply cannot provide it, because it uses short-term keys and deletes the old ones.

But most importantly, Denis writes, short-term keys force servers to set up automation from day one. If a server goes online and its key rotation scripts are not configured or do not work, this is discovered immediately.

When automation changes keys once every few years, it cannot be relied on, and people may forget that the certificate expires. If keys are changed daily, a failure is detected immediately.

At the same time, if the automation is configured properly, it does not matter how often the keys are changed: every year, every quarter or three times a day. If everything works for more than 24 hours, it will work forever, writes Frank Denis. According to him, the recommendation of daily key rotation in the second version of the protocol, together with a ready-made Docker image that implements it, effectively reduced the number of servers with expired certificates while improving security at the same time.

However, some providers still decided, for technical reasons of their own, to set the certificate validity period to more than 24 hours. This problem was largely solved with a few lines of code in dnscrypt-proxy: users receive an informational warning 30 days before the certificate expires, another message with a higher severity level 7 days before expiration, and a critical message if the certificate has less than 24 hours left. This applies only to certificates that have a long validity period to begin with.

These messages give users the opportunity to notify DNS operators about an upcoming certificate expiration before it is too late.
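The two client-side checks described above (verifying the certificate with the provider's public key, then grading its validity window) can be sketched as follows. This is an added example, not dnscrypt-proxy code: the byte offsets follow the 124-byte certificate layout of the DNSCrypt v2 specification rather than anything shown on this page, and `CheckCert`, `SampleCert`, the severity strings and the key pair are hypothetical names and constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

const day = 24 * time.Hour
var samplePK, sampleSK, _ = ed25519.GenerateKey(nil) // constructed provider key pair

// CheckCert verifies the Ed25519 signature (bytes 8..72, covering the rest of the
// certificate), then grades the validity window with the thresholds from the text.
func CheckCert(cert []byte, pk ed25519.PublicKey, now time.Time) (string, error) {
	if len(cert) < 124 || string(cert[:4]) != "DNSC" || !ed25519.Verify(pk, cert[72:], cert[8:72]) {
		return "", fmt.Errorf("malformed certificate or bad provider signature")
	}
	start := time.Unix(int64(binary.BigEndian.Uint32(cert[116:])), 0) // ts-start
	end := time.Unix(int64(binary.BigEndian.Uint32(cert[120:])), 0)   // ts-end
	if now.Before(start) || now.After(end) {
		return "", fmt.Errorf("certificate not valid at %s", now.UTC().Format(time.RFC3339))
	}
	switch left := end.Sub(now); {
	case end.Sub(start) <= day:
		return "ok", nil // daily rotation: expiry alerts do not apply
	case left < day:
		return "critical", nil
	case left < 7*day:
		return "warning", nil
	case left < 30*day:
		return "info", nil
	}
	return "notice: validity period longer than 24 hours", nil
}

// SampleCert builds a constructed certificate, signed with sampleSK, valid from start to end.
func SampleCert(start, end time.Time) []byte {
	body := make([]byte, 52) // resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4)
	binary.BigEndian.PutUint32(body[44:], uint32(start.Unix()))
	binary.BigEndian.PutUint32(body[48:], uint32(end.Unix()))
	cert := append([]byte("DNSC\x00\x01\x00\x00"), ed25519.Sign(sampleSK, body)...)
	return append(cert, body...)
}

func main() {
	now := time.Now()
	fmt.Println(CheckCert(SampleCert(now.Add(-90*day), now.Add(5*day)), samplePK, now))
}
```

A certificate that is expired, not yet valid, or modified after signing is rejected outright instead of being graded.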

Perhaps if all Firefox users had received such a message, someone would have notified the developers and they would not have let the certificate expire. "I don't remember a single DNSCrypt server on the list of public DNS servers whose certificate expired in the last two or three years," writes Frank Denis. In any case, it is probably better to warn users first than to disable extensions without warning.



Source: www.habr.com
