DPI (SSL inspection) goes against the grain of cryptography, but companies are implementing it

Chain of trust. CC BY-SA 4.0 Yanpas

SSL traffic inspection (SSL/TLS decryption, SSL analysis, or DPI) is becoming an increasingly hot topic in the enterprise sector. The very idea of decrypting traffic seems to contradict the basic concept of cryptography. Yet the fact remains: more and more companies are deploying DPI technology, justifying it by the need to inspect content for malware, data leaks, and so on.

Well, if we accept the fact that such technology has to be implemented, then we should at least think about how to do it in the most secure and well-managed way possible. At the very least, do not rely on the certificates that, for example, the DPI system vendor hands you.

There is one implementation approach that not everyone knows about. In fact, many people are quite surprised when they hear of it: a dedicated certificate authority (CA). It generates the certificates used to decrypt and re-encrypt traffic.

Instead of trusting self-signed certificates or certificates from the DPI appliances, you can use a dedicated CA from a third-party certificate authority such as GlobalSign. But first, let's briefly look at the problem itself.

What is SSL inspection and why is it used?

More and more public websites are moving to HTTPS. For example, according to Chrome statistics, at the beginning of September 2019 the share of encrypted traffic in Russia reached 83%.


Unfortunately, traffic encryption is increasingly used by attackers as well, especially since Let's Encrypt hands out thousands of free SSL certificates automatically. As a result, HTTPS is used everywhere - and the padlock in the browser address bar has stopped being a reliable indicator of security.

DPI solution vendors promote their products from exactly this angle. The appliances sit between end users (that is, your employees browsing the web) and the Internet, filtering out malicious traffic. There are several such products on the market today, but the process is the same: HTTPS traffic passes through an inspection device, where it is decrypted and checked for malware.

When the inspection is complete, the device creates a new SSL session with the end client in order to re-encrypt the content and deliver it.

How the decryption/re-encryption process works

For an SSL inspection device to decrypt and re-encrypt packets before forwarding them to end users, it must be able to issue SSL certificates on the fly. That means it must have a CA certificate installed.

It is important to the company (or to any other man-in-the-middle) that these SSL certificates are trusted by browsers (that is, that they do not trigger scary warnings like the one below). Therefore the CA chain (or hierarchy) must be present in the browser trust store. Because these certificates are not issued by publicly trusted certificate authorities, you have to distribute the CA hierarchy to all end clients by hand.

Warning message for a self-signed certificate in Chrome. Source: BadSSL.com

On Windows computers you can use Active Directory and Group Policies, but for mobile devices the procedure is considerably more complicated.

The situation gets even more complicated if you need to support other root certificates in the corporate environment, for example from Microsoft or ones based on OpenSSL. Add to that the protection and management of private keys, so that no key expires unexpectedly.

The best option: a private, dedicated root certificate from a third-party CA

If managing multiple roots or self-signed certificates does not appeal to you, there is another option: rely on a third-party CA. In this case, certificates are issued by a private CA that is linked in the chain of trust to a dedicated, private root CA created specifically for the company.

Simplified design of a dedicated customer root certificate

This setup removes some of the problems mentioned above: at the very least, it reduces the number of roots that have to be managed. Here you can use a single private root authority for all internal PKI needs, with any number of intermediate CAs. For example, the diagram above shows a multi-level hierarchy in which one intermediate CA is used for SSL verification/decryption and the other for internal computers (laptops, servers, desktops, etc.).

In this design there is no need to distribute the CA to all clients, because the top-level CA is hosted by GlobalSign, which takes care of private key protection and expiry issues.

Another advantage of this approach is the ability to revoke the SSL inspection authority for any reason. A new one is simply created, chained to your original root, and you can use it immediately.
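The hierarchy from the diagram and the revoke-and-replace step described above, as an added example built with the openssl CLI (not code from the article or from GlobalSign): one private root is the only thing in the trust store, an inspection intermediate and a devices intermediate hang under it, and a leaf under each. All names and CNs are constructed; the script assumes the openssl command is installed.

```shell
# Added example, not from the article: the two-tier private hierarchy from the
# diagram, built with openssl. Every file prefix and CN here is constructed.
set -e
WORK=$(mktemp -d)
# Create a self-signed private root. $1 = file prefix, $2 = subject CN.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Issue a certificate signed by an existing CA.
# $1 = new prefix, $2 = subject CN, $3 = signer prefix, $4 = "ca" or "leaf".
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$4" = ca ]; then ext="basicConstraints=critical,CA:TRUE,pathlen:0"
  else ext="basicConstraints=CA:FALSE"; fi
  printf '%s\n' "$ext" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# Validate a leaf the way a browser does: only $3 is in the trust store,
# $2 is the intermediate that travels with the leaf. Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/$3.pem" -untrusted "$WORK/$2.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
build_hierarchy() {
  make_root corp_root "Example Corp Private Root"       # the one root you distribute
  issue inspect_ca "SSL Inspection CA" corp_root ca      # intermediate for the DPI box
  issue device_ca  "Internal Devices CA" corp_root ca    # intermediate for laptops/servers
  issue proxy_leaf "www.example.test" inspect_ca leaf    # cert minted on the fly by DPI
  issue laptop "laptop-01.example.test" device_ca leaf
  make_root vendor_root "DPI Vendor Self-Signed"         # what a vendor appliance ships with
}
# Revoke-and-replace: a new inspection intermediate under the same root,
# usable at once because the trust store (corp_root) does not change.
rotate_inspection_ca() {
  issue inspect_ca2 "SSL Inspection CA G2" corp_root ca
  issue proxy_leaf2 "www.example.test" inspect_ca2 leaf
}
build_hierarchy
rotate_inspection_ca
echo "inspection leaf via corp root:  $(verify_chain proxy_leaf inspect_ca corp_root)"    # ok
echo "device leaf via corp root:      $(verify_chain laptop device_ca corp_root)"         # ok
echo "same leaf, vendor root trusted: $(verify_chain proxy_leaf inspect_ca vendor_root)"  # fail
echo "new inspection CA, same root:   $(verify_chain proxy_leaf2 inspect_ca2 corp_root)"  # ok
```

The third check is the situation behind the Chrome warning in the screenshot: a client whose trust store lacks the private root rejects every certificate the inspection device mints.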

Despite all the controversy, businesses are increasingly deploying SSL traffic inspection as part of their internal or private PKI infrastructure. Other uses of a private PKI include issuing device or user authentication certificates, SSL for internal servers, and various configurations that are not permitted in publicly trusted certificates under the CA/Browser Forum requirements.

Browsers fight back

It should be noted that browser developers are trying to counter this practice and protect end users from MiTM. For example, a few days ago Mozilla decided to enable the DoH (DNS-over-HTTPS) protocol by default in one of the upcoming Firefox releases. DoH hides DNS queries from the DPI system, which makes SSL inspection harder.

Similar plans for the Chrome browser were announced by Google on September 10, 2019.


Do you think a company has the right to inspect the SSL traffic of its employees?

  • Yes, with their consent

  • No, asking for such consent is illegal and/or unethical

122 users voted. 15 users abstained.

Source: www.habr.com