Medium Digest #5 (9 - 16 Aug 2019)

We hear the words "national security" all the time, but when a government starts monitoring our communications, recording them without reasonable suspicion, without a legal basis and without any purpose at all, we have to ask ourselves: is it really protecting national security, or is it protecting itself?

- Edward Snowden

This digest aims to draw the community's attention to the topic of privacy, which, in light of recent events, is more relevant than ever.

Contents:

  • Enthusiasts from the "Medium" community are building their own search engine
  • Medium has launched a new certification authority, Medium Global Root CA. Who is affected by this change?
  • Security certificates for every home: how to set up your own service on the Yggdrasil network and issue a valid SSL certificate for it


A reminder: what is "Medium"?

Medium (from the English "medium", an intermediary; the original motto was "Don't ask about your privacy. Take it back"; in English "medium" also means "middle") is a Russian Internet provider that offers free access to the Yggdrasil network.

Full name: Medium Internet Service Provider. Initially the project was conceived as a mesh network in the Kolomna urban district.

It was founded in April 2019 as part of building independent telecommunications infrastructure, giving users access to Yggdrasil network resources over Wi-Fi.

More on the topic: "Everything you wanted to know about the Medium Internet provider but were afraid to ask"

Enthusiasts from the "Medium" community are building their own search engine

Originally the Yggdrasil network, which the decentralized Internet service provider Medium uses as its transport, had neither its own DNS server nor a public key infrastructure; the need to issue security certificates for services on the Medium network solved both problems.

Why is a PKI needed at all if Yggdrasil encrypts traffic between peers out of the box? There is indeed no reason to use HTTPS to reach internal services on the Yggdrasil network if you reach them through a Yggdrasil router running on your own machine.

Indeed: the Yggdrasil routing protocol itself lets you use resources inside the Yggdrasil network with the possibility of a MITM attack completely excluded.

Things change drastically if you reach Yggdrasil intranet resources not directly but through an intermediate node: an access point run by another user.

Here is who can then interfere with what you transmit:

  1. The access point operator. Obviously, the user running a Medium network access point can inspect unencrypted traffic passing through their equipment.
  2. An intruder (man in the middle). The intermediate hop has the same problem the Tor network has, only in relation to entry and relay nodes.

This is how it looks (diagram in the original post):

The solution: to reach websites inside the Yggdrasil network, use HTTPS (layer 7 of the OSI model). The problem is that a genuine security certificate for Yggdrasil network resources cannot be obtained through the usual channels such as Let's Encrypt.

So we set up our own certification authority, "Medium Global Root CA". Most services on the Medium network are signed with a security certificate from the intermediate authority Medium Domain Validation Secure Server CA.


The possibility of the certification authority's certificate being compromised was, of course, considered; but here the certificate is needed above all to guarantee the integrity of data in transit and rule out a MITM attack.

Intranet services from various operators have security certificates that are, one way or another, signed by the certification authority. However, the Root CA operators cannot eavesdrop on the encrypted traffic of the resources whose security certificates they signed (see "What is a CSR?").

Those who are especially concerned about their security can use additional means of protection such as PGP and the like.

Currently, Medium network clients can check the status of a certificate using the OCSP protocol or a CRL.

Getting to the point

User @NXShock has started building a search engine for websites on the Yggdrasil network. The key detail is that resolving IPv6 addresses during crawling is done by sending queries to a DNS server inside the Medium network.

The main TLD is .ygg. Most names use this TLD, with two exceptions: .isp and .gg.

The search engine is still under development, but it can already be used today: just visit search.medium.isp.

You can support the project by joining development on GitHub.


Medium has launched a new certification authority, Medium Global Root CA. Who is affected by this change?

Yesterday, public testing of the Medium Root CA certification authority was completed. Based on the results, errors in the use of root certification authority functions were fixed and a new certification authority certificate, "Medium Global Root CA", was created.

All the nuances and features of PKI were taken into account: a new CA certificate for "Medium Global Root CA" will now be issued only in ten years (after the expiry date). Security certificates are now issued by intermediate authorities, for example "Medium Domain Validation Secure Server CA".

What does a trusted certificate look like now? (screenshot in the original post)


What you need to do for everything to work if you are a user:

Since some services use HSTS, before using Medium network resources you must clear the stored data for intranet resources. You can do this in your browser's History.

You also need to install the new certification authority certificate "Medium Global Root CA".

What you need to do for everything to work if you are a system administrator:

You need to reissue your service's certificate on the site pki.medium.isp (the service is available only from the Medium network).

Security certificates for every home: how to set up your own service on the Yggdrasil network and issue a valid SSL certificate for it

Because of the growth in the number of intranet services on the Medium network, the need to issue new security certificates and configure those services to support SSL has increased.

Since Habr is a technical resource, in each new digest one of the featured materials describes the technology of the Medium network. For example, below are complete instructions for issuing an SSL certificate for your service.

The examples use the domain name domain.ygg, which should be replaced with the domain name of your service.

Step 1. Generate a private key and Diffie-Hellman parameters

openssl genrsa -out domain.ygg.key 2048

Then:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Step 2. Create a certificate signing request

openssl req -new -key domain.ygg.key -out domain.ygg.csr -config domain.ygg.conf

Contents of the file domain.ygg.conf:

[ req ]
default_bits                = 2048
distinguished_name          = req_distinguished_name
# "openssl req -new" reads req_extensions when building a CSR;
# x509_extensions only applies to self-signed certificates (-x509).
req_extensions              = v3_req

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = RU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Moscow Oblast
localityName                = Locality Name (eg, city)
localityName_default        = Kolomna
organizationName            = Organization Name (eg, company)
organizationName_default    = ACME, Inc.
commonName                  = Common Name (eg, YOUR name)
commonName_max              = 64
commonName_default          = *.domain.ygg

[ v3_req ]
subjectKeyIdentifier        = hash
keyUsage                    = critical, digitalSignature, keyEncipherment
extendedKeyUsage            = serverAuth
basicConstraints            = CA:FALSE
nsCertType                  = server
# Modern browsers ignore the Common Name and match the host against
# subjectAltName only, so list every name the service answers to here.
subjectAltName              = DNS:domain.ygg, DNS:*.domain.ygg
# authorityKeyIdentifier is added by the CA at signing time; inside a CSR it
# makes "openssl req" fail with "no issuer certificate", so it is not set here.
crlDistributionPoints       = URI:http://crl.medium.isp/Medium_Global_Root_CA.crl
authorityInfoAccess         = OCSP;URI:http://ocsp.medium.isp

Step 3. Submit the certificate request

To do this, copy the contents of the file domain.ygg.csr and paste it into the text field on the site pki.medium.isp.

Follow the instructions on the page, then click "Submit". If all goes well, a message with a link to the certificate signed by the intermediate certification authority will be sent to the e-mail address you specified.


Step 4. Configure your web server

If you use nginx as your web server, use the following configuration:

File domain.ygg.conf in the directory /etc/nginx/sites-available/

server {
    listen [::]:80;
    listen [::]:443 ssl;

    root /var/www/domain.ygg;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name domain.ygg;

    include snippets/domain.ygg.conf;
    include snippets/ssl-params.conf;

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

File ssl-params.conf in the directory /etc/nginx/snippets/

# TLSv1 and TLSv1.1 are deprecated; if no legacy clients need them, keep only
# TLSv1.2 (and TLSv1.3 on nginx 1.13+ built against OpenSSL 1.1.1+).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=15552000; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

File domain.ygg.conf in the directory /etc/nginx/snippets/

ssl_certificate /etc/ssl/certs/domain.ygg.crt;
ssl_certificate_key /etc/ssl/private/domain.ygg.key;

Copy the certificate you received by e-mail to /etc/ssl/certs/domain.ygg.crt. Put the private key (domain.ygg.key) in the directory /etc/ssl/private/.

Step 5. Restart your web server

sudo service nginx restart

A free Internet in Russia starts with you

You can help build a free Internet in Russia today in every way possible. We have put together a detailed list of ways to help the network:

  • Tell your friends and acquaintances about the Medium network. Share links to this article on social networks or your blogs
  • Take part in technical discussions of the Medium network on GitHub
  • Create your own web service on the Yggdrasil network and add it to the Medium network DNS
  • Set up your own access point to the Medium network

Previous issues:

  • Medium Weekly Digest #1 (12 - 19 Jul 2019)
  • Medium Weekly Digest #2 (19 - 26 Jul 2019)
  • Medium Digest #3 (26 Jul - 2 Aug 2019)
  • Medium Digest #4 (2 - 9 Aug 2019)

Also read:

Everything you wanted to know about the Medium Internet provider but were afraid to ask
Darling, we are killing the Internet
Decentralized Internet provider "Medium": three months later

We are on Telegram: @medium_isp


Source: www.habr.com
