Expiry of the IdenTrust root certificate will lead to loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expires. It was used to cross-sign the root certificate of the Let's Encrypt certification authority (ISRG Root X1), which is controlled by the community and provides certificates free of charge to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted across a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being integrated into root certificate stores.

It was originally planned that after DST Root CA X3 expired, the Let's Encrypt project would switch to generating signatures using only its own root certificate, but such a step would have led to a loss of compatibility with a large number of older systems that had not added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no data on the Let's Encrypt root certificate, support for which appeared only starting with the Android 7.1.1 platform, released at the end of 2016.

Let's Encrypt did not plan to enter into a new cross-signing agreement, since this places additional responsibility on the parties to the agreement, deprives them of independence and ties their hands with regard to complying with all the procedures and rules of another certification authority. But because of the potential problems on a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certification authority, under which an alternative cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will preserve support for Android devices starting with version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, when the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems, which require the ISRG Root X1 certificate to be added manually to the root certificate store to ensure trust in Let's Encrypt certificates. Problems will show up in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch was discontinued in December 2019);
  • NSS <3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows <XP SP3;
  • macOS <10.12.1;
  • iOS <10 (iPhone <5);
  • Android <2.3.6;
  • Mozilla Firefox <50;
  • Ubuntu <16.04;
  • Debian <8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being processed correctly if one of the root certificates used for signing has expired, even if other valid chains of trust remain. The problem first surfaced last year after the AddTrust certificate, used to cross-sign certificates from the Sectigo (Comodo) certification authority, expired. The crux of the problem is that OpenSSL parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate may represent a directed distributed circular graph with multiple trust anchors that need to be taken into account.

Users of older distributions based on OpenSSL 1.0.2 are offered three workarounds:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the stand-alone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, you can specify the "-trusted_first" option.
  • Use on the server a certificate certified by the separate root certificate ISRG Root X1, which has no cross-signature. This method will lead to a loss of compatibility with older Android clients.
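
The linear chain walk described above and the effect of the three workarounds can be reproduced with a small model. This is an added example, not code from OpenSSL or Let's Encrypt; the `Cert` tuple, the `find` and `verify` helpers, the `example.org` leaf, the "LE Intermediate" name, the integer timestamps and the fallback step are assumptions of the model.

```python
# Simplified model of certificate path building; this is not OpenSSL's code.
# A certificate is (subject, issuer, not_after). Signatures are assumed valid
# and all times are constructed integers, not real dates.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer not_after")
NOW = 100                                                 # after DST Root CA X3 expired
LEAF = Cert("example.org", "LE Intermediate", 150)        # constructed leaf
INTER = Cert("LE Intermediate", "ISRG Root X1", 400)      # constructed intermediate
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", 300)    # cross-signed X1
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", 900)       # self-signed X1
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", 99)   # expired root
SERVER_CHAIN = [LEAF, INTER, X1_CROSS]                    # sent by the server
OLD_STORE = [DST_ROOT, X1_SELF]                           # client trust store


def find(certs, subject):
    """Return the first certificate with this subject, or None."""
    return next((c for c in certs if c.subject == subject), None)


def verify(chain, store, trusted_first=False):
    """Build one path from the leaf; return (subject names, accepted)."""
    path, untrusted = [chain[0]], chain[1:]
    while True:
        anchor = find(store, path[-1].issuer)
        nxt = find(untrusted, path[-1].issuer)
        if anchor and (trusted_first or nxt is None):
            path.append(anchor)          # path ends at a trust anchor
            break
        if nxt is None or nxt in path:
            break                        # no issuer available
        path.append(nxt)                 # linear walk along the server chain
    # Fallback assumed by this model: if the walk reached no anchor, drop
    # server-supplied certificates from the end and retry the trust store.
    while path[-1] not in store and len(path) > 1:
        path.pop()
        anchor = find(store, path[-1].issuer)
        if anchor:
            path.append(anchor)
    ok = path[-1] in store and all(c.not_after > NOW for c in path)
    return [c.subject for c in path], ok
```

With both roots in the store, the default walk ends at the expired DST Root CA X3 and is rejected even though a valid path to the self-signed ISRG Root X1 exists; each workaround makes the model select that shorter path instead.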

In addition, it can be noted that the Let's Encrypt project has passed the milestone of two billion certificates generated. The one-billion milestone was reached in February last year. 2.2-2.4 million new certificates are generated daily. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (195 million domains were covered a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (81% a year ago, 77% two years ago, 69% three years ago, 58% four years ago).

Source: opennet.ru
