ProHoster > Blog > Utongi > Zvinogona kurwisa HTTPS uye maitiro ekudzivirira kubva kwavari

Zvinogona kurwisa HTTPS uye maitiro ekudzivirira kubva kwavari

Hafu yemasaiti inoshandisa HTTPS, uye nhamba yavo iri kuramba ichiwedzera. Iyo protocol inoderedza njodzi yekubatwa kwetraffic, asi haibvisi kuedza kurwiswa sekudaro. Tichataura nezve mamwe acho - POODLE, BEAST, DROWN uye mamwe - uye nzira dzekudzivirira mune yedu zvinhu.

Zvinogona kurwisa HTTPS uye maitiro ekudzivirira kubva kwavari
/flickr/ Sven Graeme / CC BY-SA

POODLE

Kekutanga nezvekurwisa POODLE yakazivikanwa muna 2014. Kusagadzikana muSSL 3.0 protocol kwakawanikwa nenyanzvi yezvekuchengetedza ruzivo Bodo MΓΆller nevamwe vekuGoogle.

Chimiro chayo ndeichi: hacker inomanikidza mutengi kuti abatanidze kuburikidza neSSL 3.0, emulating yekubatanidza mabreak. Inobva yatsvaga mune yakavanzika CBC-traffic mode yakakosha tag meseji. Achishandisa zvakatevedzana zvikumbiro zvekunyepedzera, munhu anorwisa anokwanisa kugadzira patsva zviri mukati medata rekufarira, senge makuki.

SSL 3.0 iprotocol yechinyakare. Asi mubvunzo wekuchengeteka kwake uchiri kushanda. Vatengi vanoishandisa kudzivirira nyaya dzekuenderana nemaseva. Maererano nedzimwe dhata, inenge 7% ye100 zviuru zvakakurumbira nzvimbo vachiri kutsigira SSL 3.0. Zvakare zviripo kugadziridzwa kuPOODLE kunonangana neazvino TLS 1.0 uye TLS 1.1. Gore rino akaonekwa itsva Zombie POODLE uye GOLDENDOODLE kurwiswa kunodarika TLS 1.2 kudzivirira (ichiri kubatanidzwa neCBC encryption).

Nzira yekuzvidzivirira nayo. Panyaya yePOODLE yekutanga, unofanirwa kudzima SSL 3.0 rutsigiro. Zvisinei, munyaya iyi kune ngozi yezvinetso zvekuenderana. Imwe mhinduro inogona kunge iri TLS_FALLBACK_SCSV mashandiro - inoita kuti kuchinjana kwedata kuburikidza neSSL 3.0 kuitwe chete nemasisitimu ekare. Vanorwisa havachakwanisa kutanga kudzikisa pasi. Nzira yekudzivirira kubva kuZombie POODLE neGOLDENDOODLE ndeyekudzima rutsigiro rweCBC muTLS 1.2-based application. Iyo cardinal solution ichava shanduko kuTLS 1.3 - iyo itsva vhezheni yeprotocol haishandisi CBC encryption. Pane kudaro, akasimba AES uye ChaCha20 anoshandiswa.

CHIKARA

Imwe yekutanga kurwiswa kweSSL neTLS 1.0, yakawanikwa muna 2011. Sezvakaita POODLE, BEAST anoshandisa maitiro eCBC encryption. Vapambi vanoisa JavaScript mumiririri kana Java applet pamushini wevatengi, inotsiva meseji kana ichitumira data pamusoro peTLS kana SSL. Sezvo vanorwisa vachiziva zviri mukati me "dummy" mapaketi, vanogona kuashandisa kutsikisa iyo yekutanga vector uye kuverenga mamwe mameseji kune sevha, senge echokwadi makuki.

Kubva nhasi, kushaya simba kweBEAST kuchiripo akati wandei maturusi etiweki anotapukira: Masevha eproxy uye maapplication ekuchengetedza emuno Internet magedhi.

Nzira yekuzvidzivirira nayo. Anorwisa anofanirwa kutumira zvikumbiro zvenguva dzose kuti abvise data. MuVMware kurudzira kuderedza nguva yeSSLSessionCacheTimeout kubva pamaminetsi mashanu (default kurudziro) kusvika kumasekonzi makumi matatu. Iyi nzira ichaita kuti zvinyanye kunetsa kune vanorwisa kuita zvirongwa zvavo, kunyangwe zvichizove nemhedzisiro yakaipa pakuita. Uye zvakare, iwe unofanirwa kunzwisisa kuti iyo BEAST kusagadzikana inogona kukurumidza kuve chinhu chekare pachayo - kubvira 30, iwo makuru mabhurawuza. stop rutsigiro rweTLS 1.0 uye 1.1. Chero zvazvingava, isingasviki 1,5% yevashandisi vese vebrowser vanoshanda nemaprotocol aya.

NYORA

Uku kurwiswa kwemuchinjikwa-protocol kunoshandisa tsikidzi mukuitwa kweSSLv2 ine 40-bit RSA makiyi. Anorwisa anoteerera kumazana eTLS yekubatanidza kwechinangwa uye anotumira akakosha mapaketi kune SSLv2 sevha uchishandisa imwechete yakavanzika kiyi. Kushandisa Bleichenbacher kurwisa, mubhadhadzi anogona decrypt imwe yeanenge chiuru mutengi TLS masesheni.

DROWN yakatanga kuzivikanwa muna 2016 - zvakabva zvaita chikamu chimwe muzvitatu chemaseva chinokanganiswa munyika. Nhasi haina kurasikirwa nekukosha kwayo. Pakati pe150 zviuru zvemasayiti anozivikanwa, 2% achiripo tsigiro SSLv2 uye asina njodzi encryption maitiro.

Nzira yekuzvidzivirira nayo. Izvo zvinodikanwa kuisa zvigamba zvakatsanangurwa nevagadziri vekriptographic library iyo inodzima SSLv2 rutsigiro. Semuenzaniso, maviri mapeche akadaro akaunzwa kuOpenSSL (muna 2016 aya aive maupdates 1.0.1s uye 1.0.2g). Zvakare, zvigadziriso uye mirairo yekudzima iyo isina njodzi protocol yakaburitswa mukati Red Hat, Apache, Debian.

"Chishandiso chinogona kuve panjodzi yekuDOWN kana makiyi ayo akashandiswa neyechitatu-bato server ine SSLv2, senge mail server," anodaro mukuru wedhipatimendi rebudiriro. IaaS mubatsiri 1cloud.ru Sergei Belkin. - Mamiriro ezvinhu aya anoitika kana maseva akati wandei akashandisa zvakajairika SSL chitupa. Muchiitiko ichi, unofanirwa kudzima SSLv2 rutsigiro pamakina ese."

Unogona kutarisa kana system yako inoda kuvandudzwa uchishandisa yakakosha zvinoshandiswa - Yakagadzirwa nenyanzvi dzekuchengetedza ruzivo dzakawana DROWN. Iwe unogona kuverenga zvakawanda nezve kurudziro ine chekuita nekudzivirirwa kubva kurudzi urwu rwekurwisa mukati post pane iyo OpenSSL webhusaiti.

Kushungurudzika

Imwe yekusagadzikana kukuru mune software ndeye Kushungurudzika. Yakawanikwa muna 2014 muraibhurari yeOpenSSL. Panguva yekuziviswa kwebug, huwandu hwemawebhusaiti anotambura yaifungidzirwa kuva hafu yemiriyoni - iyi inenge 17% yezviwanikwa zvakachengetedzwa pane network.

Kurwiswa kunoitwa kuburikidza nediki Heartbeat TLS yekuwedzera module. Iyo TLS protocol inoda kuti data rirambe richifambiswa. Mukana yenguva yekudzikira kwenguva refu, kuzorora kunoitika uye kubatana kunofanirwa kugadzwa zvakare. Kutarisana nedambudziko, maseva uye vatengi vanogadzira "ruzha" chiteshi (RFC 6520, p.5), kutumira pakiti yehurefu hwakangoerekana hwavapo. Dai yaive yakakura kupfuura yese packet, saka vhezheni dzisina njodzi dzeOpenSSL verenga ndangariro kupfuura iyo yakagoverwa buffer. Nzvimbo iyi inogona kunge iine chero data, kusanganisira yakavanzika makiyi uye ruzivo nezve mamwe ma connections.

Kusagadzikana kwaivepo mune ese mavhezheni eraibhurari pakati pe1.0.1 uye 1.0.1f inosanganisirwa, pamwe neakawanda ekushandisa masisitimu - Ubuntu kusvika 12.04.4, CentOS yakakura kupfuura 6.5, OpenBSD 5.3 nevamwe. Pane runyoro rwakakwana pane webhusaiti yakatsaurirwa kuna Heartbleed. Kunyangwe zvigamba zvinopesana nekusagadzikana uku zvakaburitswa nguva pfupi mushure mekuwanikwa kwayo, dambudziko rinoramba rakakosha nanhasi. Kudzoka muna 2017 anenge 200 zviuru nzvimbo dzakashanda, anobatwa neHeartbleed.

Nzira yekuzvidzivirira nayo. Zvakakosha gadziridza OpenSSL kusvika kushanduro 1.0.1g kana kupfuura. Unogona kudzima zvikumbiro zveMoyo nemaoko uchishandisa iyo DOPensSL_NO_HEARTBEATS sarudzo. Mushure mekuvandudzwa, ruzivo rwekuchengetedza ruzivo kurudzira buritsa zvitupa zveSSL. Kutsiva kunodiwa kana iyo data iri pamakiyi ekuvharidzira yapera mumaoko evabiki.

Chitupa chinotsiva

Node yakachengetedzwa ine chitupa cheSSL chepamutemo inoiswa pakati pemushandisi neseva, ichishingairira kubata traffic. Iyi node inotevedzera sevha yepamutemo nekupa chitupa chakakodzera, uye zvinoita kuti uite kurwisa kweMITM.

Maererano ne research Zvikwata kubva kuMozilla, Google uye akati wandei emayunivhesiti, angangoita 11% yeakachengeteka ekubatanidza panetiweki anoteererwa. Izvi ndizvo mhedzisiro yekuisa zvinofungira midzi zvitupa pamakomputa evashandisi.

Nzira yekuzvidzivirira nayo. Shandisa mabasa akavimbika SSL vanopa. Unogona kutarisa "mhando" yezvitupa uchishandisa sevhisi Certificate Transparency (CT). Cloud providers vanogonawo kubatsira nekuona eavesdropping; mamwe makambani makuru anotopa maturusi ane hunyanzvi ekutarisa TLS kubatana.

Imwe nzira yekudzivirira ichava itsva muyero ACME, iyo inogadzirisa kugashira kweSSL zvitupa. Panguva imwecheteyo, ichawedzera mamwe maitiro ekuona muridzi wesaiti. Zvimwe pamusoro pazvo takanyora mune chimwe chezvinyorwa zvedu zvekare.

Zvinogona kurwisa HTTPS uye maitiro ekudzivirira kubva kwavari
/flickr/ Yuri Samoilov / CC BY

Tarisiro yeHTTPS

Pasinei nekuwanda kwekusagadzikana, hofori dzeIT uye nyanzvi dzekuchengetedza ruzivo vane chivimbo mune ramangwana reprotocol. Zvekuita kushanda kweHTTPS vatsigiri Mugadziri weWWW Tim Berners-Lee. Maererano naye, nekufamba kwenguva TLS ichave yakachengeteka zvakanyanya, iyo ichavandudza zvakanyanya kuchengetedzwa kwekubatana. Berners-Lee akatokurudzira izvozvo ichaonekwa mune ramangwana zvitupa zveclient kuti zvizivikanwe. Ivo vachabatsira kuvandudza server kuchengetedza kubva kune vanorwisa.

Izvo zvakare zvakarongwa kuvandudza tekinoroji yeSSL/TLS uchishandisa muchina kudzidza - smart algorithms ichave nebasa rekusefa yakaipa traffic. Nekubatanidza kweHTTPS, vatariri havana nzira yekuziva zviri mukati memeseji yakavharidzirwa, kusanganisira yekuona zvikumbiro kubva kune malware. Nanhasi, neural network inokwanisa kusefa mapaketi angangove nengozi ne90% chokwadi. (mharidzo slide 23).

zvakawanikwa

Kurwiswa kwakawanda paHTTPS hakunei nezvinetso neprotocol pachayo, asi kutsigira maitiro echinyakare encryption. Indasitiri yeIT iri kutanga kusiya zvishoma nezvishoma mapuroteni echizvarwa chakapfuura uye kupa zvishandiso zvitsva zvekutsvaga kusashanda. Mune ramangwana, zvishandiso izvi zvichawedzera kungwara.

Zvimwe zvinongedzo pamusoro wenyaya:

Source: www.habr.com

Voeg