Half of all websites already use HTTPS, and their number keeps growing. The protocol reduces the risk of traffic interception, but it does not rule out attacks as such. In this piece we look at some of them - POODLE, BEAST, DROWN and others - and at the ways to protect against them.
POODLE
The attack was first described in 2014. The vulnerability in the SSL 3.0 protocol was found by security researcher Bodo Möller and his colleagues at Google.
Its essence is this: the attacker forces the client to fall back to SSL 3.0 by simulating connection failures (browsers retried handshakes with lower protocol versions for compatibility). Then, by injecting requests into the encrypted traffic (typically through JavaScript running in the victim's browser) and tampering with the CBC ciphertext, the attacker exploits the fact that SSL 3.0 never verifies the padding bytes: the server's accept/reject answer acts as a padding oracle, and with roughly 256 requests per byte the attacker reconstructs data of interest, such as cookies.
SSL 3.0 is an outdated protocol, but the question of its security is still relevant: clients keep it enabled to avoid compatibility problems with servers. According to some estimates, about 7% of the 100 thousand most popular sites still support it. There are also modifications of POODLE that target TLS 1.0 and TLS 1.1. This year new attacks, Zombie POODLE and GOLDENDOODLE, appeared that get past the protections of TLS 1.2 (they too depend on CBC mode).
How to protect yourself. In the case of the original POODLE you need to disable SSL 3.0 support. That, however, carries a risk of compatibility problems. An alternative is the TLS_FALLBACK_SCSV mechanism: a client that retries a handshake with a lower protocol version includes this signalling cipher suite value, and a server that supports a higher version then rejects the retry, so SSL 3.0 is negotiated only with genuinely legacy systems and an attacker can no longer force a downgrade (note that both client and server must implement it, and it does nothing for a server that only speaks SSL 3.0). Protection against Zombie POODLE and GOLDENDOODLE is to disable CBC cipher suites in TLS 1.2 deployments. The fundamental solution is moving to TLS 1.3: the new protocol does not use CBC at all, only AEAD ciphers, AES-GCM and ChaCha20-Poly1305, remain.
BEAST
One of the first attacks on SSL and TLS 1.0, discovered in 2011. Like POODLE, BEAST exploits a property of CBC encryption, in this case the fact that in TLS 1.0 the initialization vector of each record is the last ciphertext block of the previous record, so it is predictable to anyone watching the connection. The attackers plant a JavaScript agent or Java applet in the client's browser that injects chosen plaintext into the data sent over TLS or SSL. Because the attackers know the contents of these "dummy" records and can predict the IV of the next one, they can test a guess for one unknown byte of an adjacent block and, byte by byte, read other data sent to the server, such as authentication cookies.
BEAST is still found today in a number of products: some proxy servers and local web gateway protection applications.
How to protect yourself. To extract data the attacker has to send a large number of requests. For VMware products, for example, the recommendation is to reduce SSLSessionCacheTimeout from five minutes (the default) to 30 seconds. This makes it harder for attackers to reach their goal, although it has a negative impact on performance. The real fix is to stop using CBC suites with TLS 1.0 or to drop TLS 1.0 altogether: TLS 1.1 and later carry an explicit random IV in every record, which removes the condition BEAST relies on. You should also bear in mind that BEAST will soon be a thing of the past: from 2020 the major browsers are dropping support for TLS 1.0 and 1.1. In any case, fewer than 1.5% of browser users still use these protocols.
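The two CBC attacks above, POODLE and BEAST, simulated end to end. This is an added example and not code from the original article: a four-round Feistel network stands in for AES, and the Session class, the functions poodle() and beast() and the cookie value are invented for the demonstration. The record layer itself mirrors the real protocols: MAC-then-encrypt, SSL 3.0 padding whose filler bytes are never checked, and TLS 1.0's reuse of the previous record's last ciphertext block as the next IV.

```python
"""Added example (not from the article): POODLE and BEAST, simulated end to end.
A 4-round Feistel network stands in for AES; the record layer mirrors the real one:
MAC-then-encrypt, SSL 3.0 padding whose filler is never checked, TLS 1.0 chained IVs."""
import hashlib, hmac, os

BLOCK, MAC_LEN = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _enc_block(key, blk):  # toy 16-byte block cipher; any block cipher behaves the same here
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def _dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

class Session:
    """One browser<->server connection; `secret` is a cookie the browser appends to
    every request, and attacker-controlled JavaScript shapes the rest of the request."""
    def __init__(self, secret):
        self.enc_key, self.mac_key, self.secret = os.urandom(16), os.urandom(16), secret
        self.chain = os.urandom(BLOCK)  # TLS 1.0: next IV = last ciphertext block sent

    def _seal(self, data, iv):
        mac = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        pad_len = (-(len(data) + MAC_LEN + 1)) % BLOCK
        pt = data + mac + b"\x00" * pad_len + bytes([pad_len])  # filler bytes are arbitrary
        return cbc_encrypt(self.enc_key, iv, pt)

    def sslv3_request(self, prefix_len, suffix_len):  # SSL 3.0 record with a fresh IV
        iv = os.urandom(BLOCK)
        return iv + self._seal(b"A" * prefix_len + self.secret + b"B" * suffix_len, iv)

    def sslv3_server_accepts(self, record):
        pt = cbc_decrypt(self.enc_key, record[:BLOCK], record[BLOCK:])
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        body = pt[:len(pt) - pad_len - 1]  # filler is never verified: the POODLE flaw
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha256).digest())

    def tls10_send(self, data):  # ciphertext as seen on the wire; advances the chained IV
        ct = self._seal(data, self.chain)
        self.chain = ct[-BLOCK:]
        return ct

def poodle(sess, secret_len, max_tries=1 << 16):
    """Decrypt the cookie using only the server's accept/reject answer."""
    out = bytearray()
    for j in range(secret_len):
        prefix = (15 - j) % BLOCK  # put secret[j] at the last byte of a block
        suffix = (-(prefix + secret_len + MAC_LEN)) % BLOCK  # make the final block pure padding
        target = (prefix + j) // BLOCK
        for _ in range(max_tries):
            rec = sess.sslv3_request(prefix, suffix)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            forged = b"".join(blocks[:-1]) + blocks[target + 1]  # target block replaces padding block
            if sess.sslv3_server_accepts(forged):  # ~1 in 256: decrypted last byte was 0x0F
                out.append(0x0F ^ blocks[target][15] ^ blocks[-2][15])
                break
        else:
            raise RuntimeError("oracle never accepted")
    return bytes(out)

def beast(sess, secret_len):
    """Recover the cookie from TLS 1.0 chained IVs by chosen-plaintext injection."""
    assert secret_len <= BLOCK, "demo keeps the whole cookie inside the first block"
    known = b""
    for j in range(secret_len):
        iv = sess.chain  # IV of the victim's next record, readable from the wire
        c0 = sess.tls10_send(b"A" * (15 - j) + sess.secret)[:BLOCK]  # browser: A..A || cookie
        for guess in range(256):
            candidate = b"A" * (15 - j) + known + bytes([guess])
            x = _xor(_xor(candidate, iv), sess.chain)  # so E(x ^ chain) == E(candidate ^ iv)
            if sess.tls10_send(x)[:BLOCK] == c0:
                known += bytes([guess])
                break
    return known
```

Running `poodle(Session(b"sid=9f2c"), 8)` and `beast(Session(b"sid=9f2c"), 8)` both return the cookie. The POODLE loop needs about 256 requests per byte and nothing but the accept/reject answer; TLS 1.0's padding check (every filler byte must equal the length byte) defeats it, which is why BEAST, not POODLE, is the attack against TLS 1.0. BEAST in turn dies as soon as the IV is no longer predictable, which is exactly what TLS 1.1's explicit per-record IV provides; neither attack has a foothold once CBC suites are switched off.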
DROWN
This is a cross-protocol attack that exploits flaws in SSLv2 implementations that still offer 40-bit export cipher suites. The attacker records hundreds of TLS connections to the target and then sends specially crafted handshake messages to an SSLv2 server that uses the same RSA private key. Using the Bleichenbacher padding oracle that the SSLv2 server provides, the attacker can decrypt roughly one in a thousand of the recorded TLS sessions.
DROWN became known in 2016, and at that moment it was truly a global problem. It has not lost its relevance today: among the 150 most popular sites, 2% still have SSLv2 and insecure cryptographic mechanisms enabled.
How to protect yourself. Install the patches issued by the developers of cryptographic libraries that disable SSLv2 support. For example, two such releases were issued for OpenSSL in 2016 (1.0.1s and 1.0.2g). Updates and instructions for disabling the vulnerable protocol have also been published by other vendors.
"A system can be vulnerable to DROWN if its keys are used by a third-party server that supports SSLv2, for example a mail server," says Sergei Belkin, head of the development department. "This happens when several servers use a shared SSL certificate. In that case SSLv2 support has to be disabled on all of the systems."
You can check whether your systems need updating with a dedicated checker developed by the security researchers who discovered DROWN. Further recommendations on protecting against this type of attack have also been published.
Heartbleed
One of the most serious software vulnerabilities is Heartbleed. It was discovered in 2014 in the OpenSSL library. At the time the bug was announced, the number of vulnerable websites was estimated at about 17% of all protected sites on the internet.
The attack goes through the TLS Heartbeat extension (RFC 6520), a keep-alive mechanism: either side may send a heartbeat request containing an arbitrary payload, and the peer must echo that payload back so the sender knows the connection is still alive. The request carries a 16-bit field stating the payload length. If the stated length was larger than the payload actually received, vulnerable OpenSSL versions copied memory beyond the received buffer and sent it back, up to 64 KB per request. That region could contain anything: private keys, session cookies, data belonging to other connections.
The vulnerability was present in all library versions from 1.0.1 to 1.0.1f inclusive, and therefore in a number of operating systems - Ubuntu up to 12.04.4, CentOS 6.5, OpenBSD 5.3 and others. A full list has been published. Although patches were released shortly after discovery, the problem persists: as recently as 2017, servers were still being found that were affected by Heartbleed.
How to protect yourself. Update OpenSSL to 1.0.1g or later. You can also disable heartbeat requests manually by building with the -DOPENSSL_NO_HEARTBEATS option. After updating, security experts recommend reissuing SSL certificates and revoking the old ones: this is essential if the private keys could have ended up in attackers' hands, and the same goes for invalidating existing sessions and rotating any credentials that passed through the affected server.
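The over-read described above, on a simulated heap, as an added example that is not code from the original article or from OpenSSL. The message layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the "heap" contents, the function names and the leaked strings are constructed for the demonstration. The bounds check in heartbeat_fixed() is the one OpenSSL 1.0.1g added.

```python
"""Added example (not from the article): the Heartbleed over-read on a simulated heap.
Message layout follows RFC 6520; the heap contents and the leaked data are constructed."""

HB_REQUEST, HB_RESPONSE, PADDING = 1, 2, 16


def build_heartbeat(payload, claimed_len=None):
    """Encode a heartbeat request; `claimed_len` lets the sender lie about the payload size."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + n.to_bytes(2, "big") + payload + b"\x00" * PADDING


def heartbeat_vulnerable(heap, rec_off, rec_len):
    """OpenSSL 1.0.1 to 1.0.1f: trust the 16-bit length from the wire and copy that much."""
    payload_len = int.from_bytes(heap[rec_off + 1:rec_off + 3], "big")
    src = rec_off + 3
    # memcpy(bp, pl, payload): reads past the record into whatever the heap holds next
    # (real memory keeps going for up to 64 KB; this toy heap simply ends)
    echoed = bytes(heap[src:src + payload_len])
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + echoed + b"\x00" * PADDING


def heartbeat_fixed(heap, rec_off, rec_len):
    """OpenSSL 1.0.1g: a claimed payload that does not fit the received record is discarded."""
    payload_len = int.from_bytes(heap[rec_off + 1:rec_off + 3], "big")
    if 1 + 2 + payload_len + PADDING > rec_len:
        return None  # silently dropped, as RFC 6520 section 4 requires
    src = rec_off + 3
    echoed = bytes(heap[src:src + payload_len])
    return bytes([HB_RESPONSE]) + payload_len.to_bytes(2, "big") + echoed + b"\x00" * PADDING


def make_heap(record):
    """Constructed process memory: the received record, then leftovers of other connections."""
    neighbour = (b"Cookie: session=4e1f9c02\r\n"
                 b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed sample, not a real key)\n")
    return bytearray(record + neighbour), 0, len(record)


def leak(handler, claimed_len=0x4000):
    """Send a 2-byte heartbeat that claims `claimed_len` bytes and return the peer's reply."""
    heap, off, length = make_heap(build_heartbeat(b"hi", claimed_len))
    return handler(heap, off, length)


if __name__ == "__main__":
    print(leak(heartbeat_vulnerable)[3:])  # echoes far more than the two bytes that were sent
    print(leak(heartbeat_fixed))           # None: the request is dropped
```

The vulnerable handler returns the neighbouring cookie and key material to anyone who asks, with no authentication and nothing in the server logs, which is why the advice above is to treat every key and session that lived in an affected process as compromised rather than merely to patch. An honest request (claimed_len equal to the real payload length) still works through the fixed handler.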
Certificate injection
A node under the attacker's control, holding a certificate that the client will accept, is placed between the user and the server and intercepts traffic in real time. The node impersonates the legitimate server by presenting that certificate, and a MITM attack becomes possible.
According to a study by teams from Mozilla, Google and several universities, about 11% of secure connections on the network are intercepted. This is a consequence of questionable root certificates being installed on users' computers.
How to protect yourself. Use only trusted software and keep an eye on what is in your trust stores. The "pedigree" of a certificate can be checked through Certificate Transparency (CT) logs: if a certificate for your domain appears there that you never requested, or your own certificate is missing, something is wrong. Cloud providers can also help with detection; some large companies already offer dedicated tools for monitoring TLS connections.
Another protection mechanism will be the new ACME standard, which automates the issuance of SSL certificates. At the same time it adds further ways of validating the owner of a site. More about that has been written elsewhere.

The future of HTTPS
Despite the number of vulnerabilities, IT giants and security experts are confident about the future of the protocol. The creator of the WWW, Tim Berners-Lee, speaks in favour of using HTTPS. In his view, over time TLS will become considerably more secure, which will significantly improve the safety of connections. Berners-Lee also noted that client certificates should be used for authentication. They would help improve server protection against attackers.
There are also plans to develop SSL/TLS technology using machine learning: intelligent algorithms would take on the filtering of malicious traffic. With HTTPS connections, administrators have no way of seeing what is inside encrypted messages, including recognising requests coming from malware. Already today neural networks can filter potentially dangerous packets with 90% accuracy.
Conclusions
Most attacks on HTTPS are not related to problems with the protocol itself but to continued support for outdated encryption mechanisms. The IT industry is gradually abandoning previous-generation protocols and offering new tools for finding vulnerabilities. In the future these tools will only become more intelligent.
Source: www.habr.com
