We enabled TLS 1.3. Why you should do the same

At the beginning of the year, in our report on Internet problems and accessibility for 2018-2019, we already wrote that the spread of TLS 1.3 is inevitable. Some time ago we ourselves deployed version 1.3 of the Transport Layer Security protocol and, after collecting and analyzing data, we are ready to talk about the features of this transition.

The IETF TLS Working Group chairs write:
"In short, TLS 1.3 should provide the foundation for a secure and efficient Internet for the next twenty years."

The development of TLS 1.3 took ten years. We at Qrator Labs, along with the rest of the industry, closely followed the creation of the protocol from the very first draft. During this time, 28 successive versions of the draft had to be written before a balanced and easy-to-deploy protocol finally saw the light in 2018. Active market support for TLS 1.3 is already evident: the deployment of a proven and reliable security protocol meets the needs of the time.

According to Eric Rescorla (Firefox CTO and sole author of TLS 1.3) in an interview with The Register:

"This is a complete replacement for TLS 1.2, using the same keys and certificates, so the client and server can communicate over TLS 1.3 if both support it," he said. "There is already good support at the library level, and Chrome and Firefox enable TLS 1.3 by default."

In parallel, the IETF TLS working group is preparing an RFC that declares earlier versions of TLS (all except TLS 1.2) obsolete and unusable. Most likely, the final RFC will be published before the end of the summer. This is another signal to the IT industry: updating encryption protocols should not be delayed.

A list of current TLS 1.3 implementations is available on GitHub for anyone looking for the most suitable library: https://github.com/tlswg/tls13-spec/wiki/Implementations. It is clear that adoption and support of the updated protocol will be, and already is, progressing rapidly. The understanding of how fundamental encryption is in today's world has spread quite widely.

What has changed compared to TLS 1.2?

From the Internet Society's note:
"How does TLS 1.3 make the world a better place?

TLS 1.3 includes some technical benefits, such as a simplified handshake for establishing a secure connection, and it also allows clients to resume sessions with servers faster. These measures are intended to reduce connection setup latency and connection failures on weak links, which are often used as a justification for offering only unencrypted HTTP connections.

Just as importantly, it removes support for several legacy and insecure encryption and hashing algorithms that are still allowed (though not recommended) for use with earlier versions of TLS, including SHA-1, MD5, DES, 3DES and AES-CBC, while adding support for new cipher suites. Other improvements include more encrypted elements of the handshake (for example, the exchange of certificate information is now encrypted) to reduce the amount of hints available to a potential traffic eavesdropper, as well as improvements to forward secrecy when using certain key exchange modes, so that communication must remain secure at all times even if the algorithms used to encrypt it are compromised in the future."

Modern protocol development and DDoS

As you may have already read, serious disagreements arose in the IETF TLS working group during the development of the protocol and even afterwards. It is now clear that individual enterprises (including financial institutions) will have to change the way they secure their own networks in order to accommodate the perfect forward secrecy that is now built into the protocol.

The reasons why this may be required are set out in a document written by Steve Fenter. The 20-page paper lists several examples where an enterprise may want to decrypt traffic out of band (which PFS does not allow) for monitoring, compliance or application layer (L7) DDoS protection purposes.

While we are not ready to speculate about regulatory requirements, our proprietary DDoS mitigation product (including a solution that does not require the disclosure of sensitive and/or confidential information) was built in 2012 with PFS in mind, so our customers and partners did not need to make any changes to their infrastructure after updating the TLS version on the server side.

Also, since the deployment, no problems related to transport encryption have been identified. It's official: TLS 1.3 is ready for production.
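As an added example (not Qrator Labs' code and not part of the original article), the Go program below exercises the two changes discussed above: a server restricted to TLS 1.3 refuses a client that offers at most TLS 1.2, and a successful handshake lands on one of the three AEAD cipher suites with an ephemeral key exchange, which is exactly what rules out the out-of-band decryption the PFS discussion turns on. The throwaway certificate, the name example.invalid and the use of Go's crypto/tls are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Handshake runs a TLS 1.3-only server against a client offering at most
// clientMax over an in-memory pipe and returns the client's view of the
// connection. A client capped at TLS 1.2 is refused with a protocol_version
// alert; a TLS 1.3 client always lands on an AEAD suite with ephemeral keys,
// so the server's long-term key alone no longer decrypts a recorded session.
func Handshake(clientMax uint16) (tls.ConnectionState, error) {
	// Throwaway self-signed certificate, constructed for this example only; a
	// real deployment keeps its existing keys and certificates unchanged.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above; parses cleanly
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{
		MinVersion:             tls.VersionTLS13, // the hardening step: nothing older is negotiated
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		SessionTicketsDisabled: true, // net.Pipe is synchronous; unread post-handshake tickets would stall it
	}
	cli := &tls.Config{MaxVersion: clientMax, RootCAs: pool, ServerName: "example.invalid"}
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	go tls.Server(s, srv).Handshake() // fixture side; the client's result tells the story
	conn := tls.Client(c, cli)
	if err := conn.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return conn.ConnectionState(), nil
}
```

Handshake(tls.VersionTLS13) returns the negotiated state, while Handshake(tls.VersionTLS12) returns the server's protocol_version alert as an error.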

However, there is still a problem associated with the development of next-generation protocols. The problem is that protocol progress in the IETF usually depends heavily on academic research, and the state of academic research in the field of mitigating distributed denial-of-service attacks is poor.

A good example is section 4.4 of the IETF draft "QUIC Manageability", part of the upcoming QUIC protocol suite, which states that "current methods for detecting and mitigating [DDoS attacks] typically involve passive measurement using network flow data."

The latter, in fact, is rarely found in real enterprise environments (and is only partially applicable to ISPs), and in any case can hardly be the "general case" in the real world; yet it constantly appears in academic publications, usually without being validated against the full spectrum of possible DDoS attacks, including application-level attacks. Those, given the near-global deployment of TLS alone, obviously cannot be detected by passive measurement of network packets and flows.

Likewise, we do not yet know how DDoS mitigation hardware vendors will adapt to the realities of TLS 1.3. Given the technical complexity of supporting the protocol out of band, upgrades may take some time.

Setting the right goals to guide research is a major challenge for DDoS mitigation service providers. One place where progress can begin is the SMART research group at the IRTF, where researchers can work with the industry to refine their knowledge of a difficult field and explore new research directions. We also extend a warm welcome to all researchers, should there be any: we can be reached with questions or suggestions related to DDoS research or the SMART research group at [email protected]

Source: www.habr.com