Firefox and Cloudflare enable ECH support for hiding the domain in HTTPS traffic

Mozilla has announced that support for the ECH (Encrypted Client Hello) mechanism is being enabled for users of the stable branch of Firefox. ECH continues the development of the ESNI (Encrypted Server Name Indication) technology and is designed to encrypt information about TLS session parameters, such as the requested domain name. Code for working with ECH was first added in the Firefox 85 release, but it was disabled by default. Chrome began gradually enabling ECH support starting with the Chrome 115 release.

Besides the connection to the server, information about the requested domain also leaks through DNS. For full protection, in addition to ECH you need to use DNS over HTTPS or DNS over TLS to encrypt DNS traffic. Firefox will not use ECH unless DNS over HTTPS is enabled in the settings. You can check ECH support in your browser on this page.

One of the reasons ECH was enabled by default in Firefox was Cloudflare's rollout of ECH support in its content delivery network a few days ago. On the practical side, since data about the requested hosts is hidden from analysis when ECH is used, filtering and blocking unwanted sites served through the Cloudflare CDN will now require blocking the entire Cloudflare network, blocking all requests that use ECH, or arranging HTTPS interception using fake root certificates on the user's system.

Originally, to host several HTTPS sites on a single IP address, the TLS SNI extension was used, in which the requested host name is transmitted in the ClientHello message sent before the encrypted communication channel is established. This feature made it possible to distribute requests among virtual hosts at the connection negotiation stage, but it also allowed an ISP to selectively filter HTTPS traffic and to analyze which sites the user opens, which made full confidentiality unattainable when using HTTPS.

To solve this problem and prevent leaking information about the requested site, the ESNI extension was subsequently proposed, which encrypts the data containing the host name. During the implementation of ESNI, it turned out that the proposed mechanism does not cover all possible data leaks and that using it is not enough to ensure full confidentiality of HTTPS sessions. In particular, when resuming a previously established session, the domain name still appeared in clear text among the parameters of the PSK (Pre-Shared Key) TLS extension. In addition, attempts to deploy ESNI revealed compatibility and scaling problems that prevented the widespread adoption of ESNI.

Taking into account the shortcomings identified in ESNI, a new, more general ECH mechanism was developed that allows the parameters of any TLS extension to be encrypted. Technically, the key difference between ECH and ESNI is that instead of individual fields, the entire ClientHello message is encrypted at once. ECH splits the ClientHello into two separate messages: the encrypted ClientHelloInner message (SNI Inner) and the unencrypted ClientHelloOuter message (SNI Outer). The unencrypted SNI Outer carries non-confidential data such as the TLS version and the list of ciphers used, together with a generic host name that does not match the real name of the requested site. For example, for all Cloudflare customers the unencrypted SNI Outer specifies the generic host "cloudflare-ech.com", while the real name of the requested host is transmitted in the encrypted SNI Inner and is not available for analysis.


ECH also uses a different scheme for distributing encryption keys: public key information is transmitted in HTTPSSVC DNS records rather than in TXT records. Authenticated end-to-end encryption based on HPKE (Hybrid Public Key Encryption) is used to obtain and encrypt the key. ECH also supports secure retransmission of the key from the server, which can be used when keys are rotated on the server and to resolve problems with obtaining stale keys from the DNS cache.

Source: opennet.ru
