Kuwukira komwe kungachitike pa HTTPS ndi momwe mungatetezere kwa iwo

Theka lamasamba amagwiritsa ntchito HTTPS, ndipo chiwerengero chawo chikuchulukirachulukira. Protocol imachepetsa chiopsezo cha kutsekeka kwa magalimoto, koma sichimachotsa kuyeserera motere. Tikambirana zina mwazo - POODLE, BEAST, DROWN ndi ena - ndi njira zotetezera muzinthu zathu.

/flickr/ Sven Graeme / CC BY-SA

POODLE

Kwa nthawi yoyamba za kuwukira POODLE idadziwika mu 2014. Chiwopsezo cha protocol ya SSL 3.0 chinapezedwa ndi katswiri wazotetezedwa Bodo Möller ndi anzawo aku Google.

Zofunikira zake ndi izi: wowononga amakakamiza kasitomala kuti alumikizane kudzera pa SSL 3.0, kutsanzira zopuma zolumikizana. Kenako amafufuza mu encrypted Ndondomekoyi-magalimoto mumachitidwe apadera opatsidwa mauthenga. Pogwiritsa ntchito zopempha zabodza, wowukira amatha kupanganso zomwe zili muzokonda, monga ma cookie.

SSL 3.0 ndi protocol yachikale. Koma funso la chitetezo chake ndilofunikabe. Makasitomala amachigwiritsa ntchito kupewa zovuta zofananira ndi ma seva. Malinga ndi zina, pafupifupi 7% ya 100 zikwi malo otchuka kwambiri amathandizirabe SSL 3.0. Komanso kukhalapo zosinthidwa ku POODLE zomwe zimayang'ana TLS 1.0 ndi TLS 1.1. Chaka chino adawonekera zida zatsopano za Zombie POODLE ndi GOLDENDOODLE zomwe zimadumpha chitetezo cha TLS 1.2 (zimalumikizidwabe ndi CBC encryption).

Momwe mungadzitetezere nokha. Pankhani ya POODLE yoyambirira, muyenera kuletsa thandizo la SSL 3.0. Komabe, mu nkhani iyi pali chiopsezo ngakhale mavuto. Njira ina ikhoza kukhala njira ya TLS_FALLBACK_SCSV - imawonetsetsa kuti kusinthana kwa data kudzera pa SSL 3.0 kumangochitika ndi machitidwe akale. Owukira sangathenso kuyambitsa kutsitsa ma protocol. Njira yodzitetezera ku Zombie POODLE ndi GOLDENDOODLE ndikuyimitsa chithandizo cha CBC mu mapulogalamu a TLS 1.2. Njira yothetsera vutoli idzakhala kusintha kwa TLS 1.3 - ndondomeko yatsopanoyi sigwiritsa ntchito CBC encryption. M'malo mwake, AES yolimba kwambiri ndi ChaCha20 amagwiritsidwa ntchito.

CHIYAMBI

Chimodzi mwazowukira zoyamba pa SSL ndi TLS 1.0, zomwe zidapezeka mu 2011. Monga POODLE, BEAST amagwiritsa mawonekedwe a CBC encryption. Zigawenga zimayika JavaScript wothandizira kapena Java applet pamakina a kasitomala, zomwe zimalowa m'malo mwa mauthenga potumiza deta pa TLS kapena SSL. Popeza owukira amadziwa zomwe zili m'mapaketi a "dummy", atha kuwagwiritsa ntchito kuti asinthe mawu oyambira ndikuwerenga mauthenga ena ku seva, monga ma cookie otsimikizika.

Kuyambira lero, chiwopsezo cha BEAST chidakalipo zida zingapo za netiweki zitha kutengeka: Ma seva a proxy ndi mapulogalamu oteteza zipata zapaintaneti zapafupi.

Momwe mungadzitetezere nokha. Wowukirayo akuyenera kutumiza zopempha pafupipafupi kuti achotse deta. Mu VMware lembani chepetsani nthawi ya SSLSessionCacheTimeout kuchoka pa mphindi zisanu (malingaliro okhazikika) mpaka masekondi 30. Njirayi idzapangitsa kuti zikhale zovuta kwa omwe akuukira kuti akwaniritse zolinga zawo, ngakhale kuti zidzakhala ndi zotsatira zoipa pa ntchito. Kuphatikiza apo, muyenera kumvetsetsa kuti chiwopsezo cha BEAST posakhalitsa chikhala chinthu chakale chokha - kuyambira 2020, asakatuli akulu kwambiri. Imani kuthandizira kwa TLS 1.0 ndi 1.1. Mulimonsemo, osakwana 1,5% mwa ogwiritsa ntchito osatsegula amagwira ntchito ndi ma protocol awa.

AMAMERA

Uku ndikuwukira kwapadziko lonse komwe kumagwiritsa ntchito zolakwika pakukhazikitsa SSLv2 yokhala ndi makiyi a 40-bit RSA. Wowukirayo amamvera mazana a ma TLS olumikizana ndi chandamale ndikutumiza mapaketi apadera ku seva ya SSLv2 pogwiritsa ntchito kiyi yachinsinsi yomweyo. Kugwiritsa Bleichenbacher kuukira, wobera amatha kubisa imodzi mwa magawo pafupifupi chikwi a TLS.

DROWN idadziwika koyamba mu 2016 - ndiye zidakhaladi gawo limodzi mwa magawo atatu a ma seva amakhudzidwa mdziko lapansi. Lero sizinataye kufunika kwake. Pamasamba 150 odziwika kwambiri, 2% akadali chithandizo SSLv2 ndi njira zobisika zosatetezeka.

Momwe mungadzitetezere nokha. Ndikofunikira kukhazikitsa zigamba zoperekedwa ndi omwe akupanga malaibulale achinsinsi omwe amalepheretsa thandizo la SSLv2. Mwachitsanzo, zigamba ziwiri zotere zidaperekedwa ku OpenSSL (mu 2016 izi zinali zosintha 1.0.1s ndi 1.0.2g). Komanso, zosintha ndi malangizo oletsa protocol omwe ali pachiwopsezo adasindikizidwa Red Hat, Apache, Debian.

"Chinthu chikhoza kukhala pachiwopsezo cha DROWN ngati makiyi ake agwiritsidwa ntchito ndi seva yachitatu yokhala ndi SSLv2, monga seva yamakalata," akutero mkulu wa dipatimenti yachitukuko. Wopereka IaaS 1cloud.ru Sergei Belkin. - Izi zimachitika ngati ma seva angapo amagwiritsa ntchito satifiketi wamba ya SSL. Pankhaniyi, muyenera kuletsa thandizo la SSLv2 pamakina onse."

Mutha kuwona ngati makina anu akufunika kusinthidwa pogwiritsa ntchito yapadera zofunikira - idapangidwa ndi akatswiri achitetezo azidziwitso omwe adapeza DROWN. Mutha kuwerenga zambiri za malingaliro okhudzana ndi chitetezo ku mtundu uwu wa kuukira positi patsamba la OpenSSL.

Zachisoni

Chimodzi mwazovuta zazikulu zamapulogalamu ndi Zachisoni. Idapezeka mu 2014 mu library ya OpenSSL. Pa nthawi yolengeza za cholakwika, kuchuluka kwa mawebusayiti omwe ali pachiwopsezo anayerekezera theka la milioni - izi ndi pafupifupi 17% ya zinthu zotetezedwa pa intaneti.

Kuwukiraku kumachitika kudzera mu gawo laling'ono la Heartbeat TLS. Protocol ya TLS imafuna kuti deta ifalitsidwe mosalekeza. Pakakhala nthawi yayitali, kupuma kumachitika ndipo kulumikizana kuyenera kukhazikitsidwanso. Kuti athane ndi vutoli, ma seva ndi makasitomala amangopanga "phokoso" panjira (RFC 6520, p.5), kutumiza paketi yautali mwachisawawa. Ngati inali yayikulu kuposa paketi yonse, ndiye kuti mitundu yosatetezeka ya OpenSSL idawerenga kukumbukira kupitilira buffer yomwe idaperekedwa. Derali litha kukhala ndi data iliyonse, kuphatikiza makiyi achinsinsi komanso zambiri zamalumikizidwe ena.

Chiwopsezocho chinalipo m'mitundu yonse ya laibulale pakati pa 1.0.1 ndi 1.0.1f kuphatikiza, komanso pamakina angapo ogwiritsira ntchito - Ubuntu mpaka 12.04.4, CentOS wamkulu kuposa 6.5, OpenBSD 5.3 ndi ena. Pali mndandanda wathunthu pa webusayiti yoperekedwa kwa Heartbleed. Ngakhale zigamba zotsutsana ndi chiwopsezozi zidatulutsidwa posachedwa zitapezeka, vutoli lidakalipobe mpaka pano. Kubwerera ku 2017 pafupifupi 200 zikwi malo ntchito, wogwidwa ndi Heartbleed.

Momwe mungadzitetezere nokha. Ndikofunikira sinthani OpenSSL mpaka 1.0.1g kapena kupitilira apo. Mukhozanso kuletsa zopempha za Heartbeat pamanja pogwiritsa ntchito njira ya DOPENSSL_NO_HEARTBEATS. Pambuyo pakusintha, akatswiri achitetezo azidziwitso lembani perekaninso ziphaso za SSL. M'malo mwake ndikofunikira ngati zomwe zili pamakiyi obisa zitha kukhala m'manja mwa obera.

Kulowetsa satifiketi

Node yoyendetsedwa yokhala ndi satifiketi yovomerezeka ya SSL imayikidwa pakati pa wogwiritsa ntchito ndi seva, kuletsa mwachangu magalimoto. Node iyi imatengera seva yovomerezeka popereka satifiketi yovomerezeka, ndipo zimakhala zotheka kuchita MITM kuwukira.

Malingana ndi kafukufuku magulu ochokera ku Mozilla, Google ndi mayunivesite angapo, pafupifupi 11% ya kulumikizana kotetezeka pamanetiweki amamvedwa. Izi ndi zotsatira za kuyika ziphaso zokayikitsa za mizu pamakompyuta a ogwiritsa ntchito.

Momwe mungadzitetezere nokha. Gwiritsani ntchito ntchito zodalirika Wopereka SSL. Mutha kuyang'ana "zabwino" zamasatifiketi pogwiritsa ntchito ntchitoyi Satifiketi Yowonekera (CT). Othandizira pamtambo amathanso kuthandizira pakuzindikira; makampani ena akuluakulu amapereka kale zida zapadera zowunikira ma TLS.

Njira ina yodzitetezera idzakhala yatsopano muyezo ACME, yomwe imapanga chiphaso cha ziphaso za SSL. Panthawi imodzimodziyo, idzawonjezera njira zowonjezera kuti zitsimikizire mwiniwake wa malowa. Zambiri za izo tinalemba m'modzi mwa zida zathu zam'mbuyomu.

/flickr/ Yuri Samoilov / CC BY

Chiyembekezo cha HTTPS

Ngakhale pali zofooka zingapo, zimphona za IT ndi akatswiri achitetezo azidziwitso ali ndi chidaliro mtsogolo mwa protocol. Kuti mugwiritse ntchito HTTPS oyimira Wopanga WWW Tim Berners-Lee. Malinga ndi iye, pakapita nthawi TLS idzakhala yotetezeka kwambiri, zomwe zidzasintha kwambiri chitetezo cha maulumikizidwe. Berners-Lee ananenanso zimenezo zidzawonekera mtsogolomu ziphaso za kasitomala kuti zitsimikizidwe. Athandizira kukonza chitetezo cha seva kwa omwe akuwukira.

Ikukonzekeranso kupanga ukadaulo wa SSL/TLS pogwiritsa ntchito makina ophunzirira - ma aligorivimu anzeru adzakhala ndi udindo wosefa magalimoto oyipa. Ndi maulumikizidwe a HTTPS, olamulira alibe njira yodziwira zomwe zili mu mauthenga obisika, kuphatikiza kuzindikira zopempha kuchokera ku pulogalamu yaumbanda. Kale lero, ma neural network amatha kusefa mapaketi omwe angakhale oopsa ndi 90% molondola. (chiwonetsero chazithunzi 23).

anapezazo

Zowukira zambiri pa HTTPS sizimakhudzana ndi zovuta ndi protocol yokha, koma kuthandizira njira zolembera zakale. Makampani a IT akuyamba kusiya pang'onopang'ono ma protocol am'badwo wam'mbuyomu ndikupereka zida zatsopano zofufuzira zofooka. M'tsogolomu, zida izi zidzakhala zanzeru kwambiri.

Maulalo owonjezera pamutuwu:

• Kukula mumtambo, chitetezo chazidziwitso ndi zidziwitso zanu: digest kuchokera ku 1cloud
• Digest ya SSL: Zida zabwino kwambiri pa Habré ndi zina zambiri
• Digest ya VPN: Zolemba zoyambira pa Habré ndi zina zambiri

Source: www.habr.com