Mozilla uses CRLite to check for problematic TLS certificates

Mozilla has announced the start of testing, in Firefox nightly builds, of a new mechanism for detecting revoked certificates: CRLite. CRLite makes it possible to perform efficient certificate revocation checks against a database stored on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code that generates the database and the server-side components is written in Python and Go. The client-side parts added to Firefox, which read data from the prepared database, are written in Rust.

Checking certificates through external services based on the still widely used OCSP (Online Certificate Status Protocol) requires guaranteed network access, adds noticeable latency to request processing (about 350 ms on average) and has privacy problems (the OCSP servers answering the queries learn which specific certificate is being checked, which can be used to infer which sites the user is opening). There is also the option of checking locally against CRLs (Certificate Revocation Lists), but the drawback of that approach is the very large size of the data to download: at present the database of revoked certificates takes about 300 MB and keeps growing.

To block certificates that have been compromised and revoked by certification authorities, Firefox has used a centralized blocklist, OneCRL, since 2015. OneCRL is used in combination with calls to Google's Safe Browsing service to detect possible malicious activity. OneCRL, like CRLSet in Chrome, acts as an intermediate link that aggregates the CRLs of the certification authorities and provides a single centralized OCSP service for checking revoked certificates, so that requests do not have to be sent directly to the certification authorities. Despite extensive work on improving the reliability of the online certificate checking service, telemetry shows that more than 7% of OCSP requests time out (a few years ago this figure was 15%).

By default, if a check via OCSP cannot be completed, the browser treats the certificate as valid. The service may be unreachable because of network problems or restrictions on internal networks, or it may be blocked by an attacker: to bypass the OCSP check during a MITM attack it is enough to cut off access to the responder. To prevent such attacks the OCSP Must-Staple technique was introduced, which allows an error reaching the OCSP responder, or the absence of an OCSP response, to be treated as a problem with the certificate; however, it is optional and requires the certificate to be issued with a special extension that declares the requirement.

CRLite makes it possible to aggregate information about all revoked certificates into an easily updated structure about 1 MB in size, which makes it feasible to keep a complete CRL database on the client side. The browser will be able to synchronize its copy of the revoked-certificate data daily, and the database remains available under any network conditions.

CRLite combines information from Certificate Transparency, the public log of issued and revoked certificates, with the results of scanning certificates on the Internet (the various CRLs of the certification authorities are collected and the information about all known certificates is aggregated). The data is packed using cascading Bloom filters, a probabilistic structure that can falsely report an absent element as present, but never reports a present element as absent (i.e. with some probability a valid certificate may be falsely flagged, but a revoked certificate is guaranteed to be detected).

To eliminate the false positives, CRLite introduces additional corrective filter levels. After the structure is generated, all source records are checked against it and any false positives are identified. Based on the result of this check, an additional structure is built that is layered on top of the first one and corrects those false positives. The operation is repeated until the check produces no false positives. Typically 7 to 10 levels are enough to cover all of the data completely. Because the database, being synchronized only periodically, lags slightly behind the current CRLs, checks on new certificates issued after the last CRLite database update are performed via OCSP, including OCSP Stapling (an OCSP response signed by the certification authority is supplied by the server hosting the site during the TLS handshake).
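The filter cascade described in the two paragraphs above, as an added example written for this article (it is not Mozilla's code, and the Bloom filter sizing heuristic, the per-level salt and the timestamp-based coverage check are this example's own simplifications). Level 0 encodes the revoked set, level 1 encodes the valid certificates that level 0 falsely matched, level 2 encodes the revoked certificates that level 1 falsely matched, and so on until a level has no false positives. The sample certificate identifiers and snapshot time are constructed.

```python
"""Filter cascade in the style of CRLite: a Bloom filter of revoked certificates,
followed by corrective levels that remove the false positives of the level before."""
import hashlib
import math

LN2 = math.log(2)


class BloomFilter:
    """Minimal Bloom filter; `salt` makes every cascade level hash differently."""

    def __init__(self, n_items, fp_rate, salt):
        self.k = max(1, math.ceil(-math.log2(fp_rate)))       # number of hash functions
        self.m = max(64, math.ceil(n_items * self.k / LN2))   # number of bits
        self.salt = salt
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([self.salt, i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_cascade(revoked, valid, max_levels=64):
    """Level 0 encodes the revoked set and must reject every valid certificate.
    Each following level encodes the false positives of the previous level and must
    reject the set that the previous level encoded. Stop when no false positives remain."""
    levels = []
    include, exclude = set(revoked), set(valid)
    while include:
        if len(levels) == max_levels:
            raise RuntimeError("cascade did not converge")
        # Sizing heuristic (assumption of this example): aim for about |include|/sqrt(2)
        # false positives at level 0; deeper levels then settle near a 0.5 rate.
        fp = min(0.5, len(include) / (math.sqrt(2) * max(1, len(exclude))))
        bf = BloomFilter(len(include), fp, salt=len(levels))
        for item in include:
            bf.add(item)
        levels.append(bf)
        false_positives = {x for x in exclude if x in bf}
        include, exclude = false_positives, include
    return levels


def is_revoked(levels, cert_id):
    """Walk the levels; the first level that does not contain the certificate decides.
    Even levels hold revoked certificates and odd levels hold valid ones, so absence
    from an even level means 'valid' and absence from an odd level means 'revoked'."""
    for depth, bf in enumerate(levels):
        if cert_id not in bf:
            return depth % 2 == 1
    # Present in every level: the last level has no false positives against its
    # exclude set, so the certificate belongs to that level's own set.
    return len(levels) % 2 == 1


def cascade_bits(levels):
    return sum(bf.m for bf in levels)


def status(levels, built_at, cert_id, logged_at):
    """A cascade only answers for certificates that existed when it was built.
    Coverage is approximated here by a timestamp (this example's simplification);
    anything newer must be checked via OCSP or a stapled OCSP response instead."""
    if logged_at > built_at:
        return "unknown"
    return "revoked" if is_revoked(levels, cert_id) else "valid"


# Constructed sample data: issuer name plus serial number, as a client would key on.
VALID = [f"Example CA/{n:08x}".encode() for n in range(2000)]
REVOKED = [f"Example CA/{n:08x}".encode() for n in range(2000, 2200)]
BUILT_AT = 1000  # constructed snapshot time of the cascade


def demo():
    levels = build_cascade(REVOKED, VALID)
    assert all(is_revoked(levels, c) for c in REVOKED)      # no false negatives
    assert not any(is_revoked(levels, c) for c in VALID)    # no false positives remain
    return {
        "levels": len(levels),
        "bits": cascade_bits(levels),
        "raw_bits": 8 * sum(len(c) for c in REVOKED),
        "new_cert": status(levels, BUILT_AT, b"Example CA/deadbeef", 1500),
    }


if __name__ == "__main__":
    print(demo())
```

The guarantee "revoked certificates are always detected" only holds for certificates that were in the input when the cascade was built; a certificate the cascade has never seen can land on either answer, which is why the client still needs OCSP (ideally stapled) for certificates issued after the last update.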


Using Bloom filters, the December snapshot of the WebPKI data, covering 100 million active certificates and 750 thousand revoked certificates, was packed into a structure of 1.3 MB. Generating the structure is quite resource-intensive, but it runs on a Mozilla server and the user receives ready-made updates. For comparison, in binary form the source data used during generation needs about 16 GB of memory when stored in the Redis DBMS, and in hexadecimal form a dump of all certificate serial numbers takes about 6.7 GB. Aggregating all revoked and active certificates takes about 40 minutes, and generating the packed Bloom-filter structure takes 20 minutes.

Mozilla currently regenerates the CRLite database four times a day (not every regeneration is delivered to clients). Delta updates have not yet been implemented: bsdiff4, which is used to build delta updates for releases, does not give sufficient compression for CRLite and the resulting updates are unreasonably large. To solve this, Mozilla plans to rework the storage format so as to avoid unnecessary rebuilding and removal of levels.

CRLite currently runs in Firefox in a passive mode and is used alongside OCSP to gather statistics on how correctly it works. CRLite can be switched into the primary checking mode; to do so, set security.pki.crlite_mode = 2 in about:config.


Source: opennet.ru
