Mozilla uses CRLite to check for problematic TLS certificates

Mozilla has announced the start of testing, in Firefox nightly builds, of a new method for detecting revoked certificates - CRLite. CRLite makes it possible to perform efficient certificate revocation checks against a database held on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code for generating the database and the server components is written in Python and Go. The client components added to Firefox for reading data from the generated database are written in Rust.

Checking certificates through external services based on the still widely used OCSP (Online Certificate Status Protocol) requires guaranteed network availability, introduces significant delays into request processing (350 ms on average) and has privacy problems (OCSP servers answering requests receive information about specific certificates, which can be used to infer which sites the user is opening). Local checking against CRL (Certificate Revocation List) lists is also possible, but the drawback of this method is the very large size of the downloaded data - the database of revoked certificates currently occupies 300 MB, and it keeps growing.

To block compromised certificates and certificates revoked by certification authorities, Firefox has used the OneCRL centralized blocklist since 2015, together with calls to the Google Safe Browsing service to identify possible malicious activity. OneCRL, like CRLSets in Chrome, acts as an intermediate link that aggregates the CRL lists of certification authorities and provides a single centralized OCSP service for checking revoked certificates, making it possible to avoid sending requests directly to the certification authorities. Despite considerable work to improve the reliability of the online certificate verification service, telemetry data shows that more than 7% of OCSP requests time out (a few years ago this figure was 15%).

By default, if verification via OCSP is not possible, the browser treats the certificate as valid. The service may be unavailable because of network problems or restrictions on internal networks, or it may be blocked by attackers - to bypass the OCSP check during a MITM attack, it is enough to block access to the checking service. Partly to counter such attacks, the Must-Staple method was introduced, which allows an OCSP access error or the unavailability of OCSP to be treated as a problem with the certificate, but this feature is optional and requires the certificate to be specially registered.

CRLite makes it possible to pack complete information about all revoked certificates into a compact structure only 1 MB in size, which allows the full CRL database to be stored on the client side.
The browser will be able to synchronize its copy of the revoked-certificate data daily, and this database will be available under any conditions.

CRLite aggregates information from Certificate Transparency, the public log of all issued and revoked certificates, together with the results of scanning certificates on the Internet (the various CRL lists of certification authorities are collected and information about all known certificates is aggregated). The data is packed using cascading Bloom filters, a probabilistic structure that may falsely report a missing element as present but never omits an element that is present (that is, with some probability a false positive for a valid certificate is possible, but revoked certificates are guaranteed to be detected).

To eliminate false positives, CRLite introduces additional correcting filter levels. After the structure has been generated, every source record is looked up and any false positives are identified. Based on the results of this check, an additional structure is created, layered over the first one, which corrects the false positives that were found. The operation is repeated until false positives during the verification check are eliminated completely. Typically, 7-10 levels are enough to fully cover all the data. Since the state of the database, owing to periodic synchronization, lags slightly behind the current CRL state, checking of new certificates issued after the last update of the CRLite database is performed using the OCSP protocol, including OCSP Stapling (an OCSP response certified by the certification authority is transmitted by the server hosting the site when negotiating the TLS connection).
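As an added illustration (not code from the article or from Mozilla's CRLite project), the following Python builds the cascade described above over constructed serial numbers: a Bloom filter of the revoked set, then a level for each round of false positives found by looking every source record back up, until none remain. The hash scheme, bits-per-item ratio and serial format are assumptions for the example, not CRLite's real encoding.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter; `salt` makes every cascade level hash differently."""
    def __init__(self, n_bits, n_hashes, salt):
        self.n_bits, self.n_hashes, self.salt = n_bits, n_hashes, salt
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.n_hashes):
            h = hashlib.sha256(f"{self.salt}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.n_bits

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def build_cascade(revoked, valid, bits_per_item=8, n_hashes=3):
    """Level 0 holds the revoked serials. Each further level holds the false
    positives the previous level produced on the *other* set, found by looking
    every source record back up (the correction step the article describes)."""
    layers, include, exclude = [], set(revoked), set(valid)
    while include:  # stops as soon as a level produces no false positives
        bf = BloomFilter(max(64, bits_per_item * len(include)), n_hashes, salt=len(layers))
        for serial in include:
            bf.add(serial)
        layers.append(bf)
        include, exclude = {s for s in exclude if s in bf}, include
    return layers

def is_revoked(layers, serial):
    """Walk the levels: leaving at an odd level means revoked, at an even level valid."""
    for level, bf in enumerate(layers):
        if serial not in bf:
            return level % 2 == 1
    return len(layers) % 2 == 1  # passed every level: the last level decides

def cascade_size_bytes(layers):
    return sum(len(bf.bits) for bf in layers)

# Constructed sample serial numbers (placeholders, not real certificates).
REVOKED = [f"rev-{i:06x}" for i in range(200)]
VALID = [f"ok-{i:06x}" for i in range(2000)]

if __name__ == "__main__":
    cascade = build_cascade(REVOKED, VALID)
    print(len(cascade), "levels,", cascade_size_bytes(cascade), "bytes")
```

Because the build step only ever stops when a level yields no false positives on the known set, every revoked serial is reported revoked and every known valid serial is cleared; a serial issued after the build (absent from both sets) is exactly the case the article leaves to OCSP.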


Using Bloom filters, a December snapshot of WebPKI data, covering 100 million active certificates and 750 thousand revoked certificates, was packed into a structure 100 MB in size. The generation process is quite resource-intensive, but it runs on Mozilla's server and the user receives a ready-made update. For example, in binary form, the source data used during generation requires about 16 GB of memory when stored in the Redis DBMS, and in hexadecimal form a dump of all certificate serial numbers takes about 750 GB. Aggregating all revoked and active certificates takes about 40 minutes, and building the packed Bloom-filter structure takes another 20 minutes.

Mozilla currently ensures that the CRLite database is updated four times a day (not every update is delivered to clients). Generation of delta updates has not yet been implemented - bsdiff4, which is used to create delta updates for releases, does not give adequate performance for CRLite and produces unreasonably large updates. To remove this drawback, it is planned to rework the storage structure format so as to eliminate unnecessary rebuilding and removal of sections.

CRLite currently runs in Firefox in passive mode and is used in parallel with OCSP to collect statistics on its real-world behaviour. CRLite can be switched to the main checking mode; to do this, set the parameter security.pki.crlite_mode = 2 in about:config.


Source: opennet.ru
