Expiry of the IdenTrust root certificate will cause loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expires. It was used to cross-sign the root certificate (ISRG Root X1) of the Let's Encrypt certificate authority, which is community-run and issues certificates free of charge to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was still being added to root certificate stores.

It was originally planned that, after DST Root CA X3 was retired, the Let's Encrypt project would switch to producing signatures using only its own root certificate, but such a step would have lost compatibility with a large number of older systems that never added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no knowledge of the Let's Encrypt root certificate, support for which only appeared starting with Android 7.1.1, released at the end of 2016.

Let's Encrypt had not planned to enter into a new cross-signing agreement, since this imposes additional responsibility on the parties to the agreement, deprives them of independence and ties their hands with regard to compliance with all the procedures and rules of another certificate authority. But because of the problems expected on a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certificate authority, under which a cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will keep Let's Encrypt working on Android devices starting from version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, when the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems where the ISRG Root X1 certificate has to be added to the root certificate store manually to establish trust in Let's Encrypt certificates. Problems will appear in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being processed correctly when one of the root certificates used for the signature expires, even if other valid trusted chains exist. The problem first surfaced last year after the AddTrust certificate used to cross-sign certificates of the Sectigo (Comodo) certificate authority expired. The essence of the problem is that OpenSSL treated the certificate path as a linear chain, whereas according to RFC 4158 the certificates can form a directed graph with several trust anchors, all of which have to be taken into account.

Users of legacy distributions based on OpenSSL 1.0.2 are offered three ways to work around the problem:

  • Manually remove the IdenTrust root certificate DST Root CA X3 and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, specify the "--trusted_first" option.
  • Use on the server a certificate chain issued from the standalone ISRG Root X1 root, which has no cross-signature. This approach leads to loss of compatibility with older Android clients.
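The chain-building difference behind the OpenSSL 1.0.2 bug and the three workarounds, modelled in Python as an added example that is not code from the article or from OpenSSL. Certificates are plain records with constructed names and made-up day numbers, signatures are not checked, and `build_legacy` and `build_trusted_first` are simplified models of the 1.0.2 default (extend with the server-sent chain first, complete from the store, check expiry only afterwards) and of the trusted_first strategy, not the library's real logic. The model also covers a store without ISRG Root X1 (pre-7.1.1 Android) and, as an assumption stated in the code, the known Android behaviour of not enforcing the expiry of trust-store certificates, which is what keeps the expired cross-sign working there.

```python
"""Toy X.509 chain builder, added to illustrate the OpenSSL 1.0.2 behaviour
discussed in the article. Not OpenSSL code: certificates are plain records,
signatures are not checked, and the two builders are simplified models of
the 'untrusted first' (legacy default) and 'trusted first' strategies."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: int  # constructed day number; the cert is valid while today <= not_after

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed certificates mirroring the hierarchy in the article (dates are made up).
LEAF = Cert("example.test", "R3", 400)
R3 = Cert("R3", "ISRG Root X1", 900)
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", 1200)  # cross-signed by IdenTrust
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", 5000)     # standalone Let's Encrypt root
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", 300)        # expires on day 300


def find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject matches cert's issuer (name match only)."""
    return next((c for c in pool if c.subject == cert.issuer and c is not cert), None)


def build_legacy(leaf: Cert, untrusted: Iterable[Cert], store: frozenset) -> Optional[list]:
    """Model of the 1.0.2 default: extend the chain with the certificates the server
    sent as far as possible, then complete it from the trust store. Only a cert whose
    issuer cannot be found at all triggers backtracking; expiry is not consulted here,
    so an expired DST Root CA X3 in the store is chosen over the valid ISRG Root X1."""
    path = [leaf]
    while not path[-1].self_signed:
        nxt = find_issuer(path[-1], untrusted)
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    while path:
        top = path[-1]
        if top in store:
            return path
        anchor = find_issuer(top, store)
        if anchor is not None:
            # A store cert with the same subject replaces a self-signed top cert
            return path[:-1] + [anchor] if anchor.subject == top.subject else path + [anchor]
        path.pop()  # no issuer anywhere: drop the top cert and retry with a shorter chain
    return None


def build_trusted_first(leaf: Cert, untrusted: Iterable[Cert], store: frozenset) -> Optional[list]:
    """Model of trusted_first / RFC 4158-style building: at every step look for an
    issuer in the trust store before using anything the server sent, so the chain
    stops at the self-signed ISRG Root X1 and never reaches DST Root CA X3."""
    path = [leaf]
    while True:
        top = path[-1]
        if top in store:
            return path
        anchor = find_issuer(top, store)
        if anchor is not None:
            return path + [anchor]
        nxt = find_issuer(top, untrusted)
        if nxt is None or nxt in path:
            return None
        path.append(nxt)


def verify(builder: Callable[..., Optional[list]], untrusted: Iterable[Cert], store: frozenset,
           today: int, anchor_expiry: bool = True, leaf: Cert = LEAF) -> str:
    """Build a chain, then check validity dates. anchor_expiry=False models Android,
    which (assumption stated here) does not enforce expiry of trust-store certificates."""
    path = builder(leaf, untrusted, store)
    if path is None:
        return "fail: no path to a trusted root"
    expired = [c.subject for c in path
               if today > c.not_after and (anchor_expiry or c not in store)]
    if expired:
        return "fail: expired " + ", ".join(expired)
    return "ok via " + " -> ".join(c.subject for c in path)


FULL_STORE = frozenset({DST_X3, ISRG_X1_SELF})   # store holding both roots
STORE_WITHOUT_DST = frozenset({ISRG_X1_SELF})    # workaround 1: DST Root CA X3 removed
OLD_ANDROID_STORE = frozenset({DST_X3})          # pre-7.1.1 store: ISRG Root X1 absent
SENT_WITH_CROSS = (R3, ISRG_X1_CROSS)            # default chain carrying the cross-sign
SENT_STANDALONE = (R3,)                          # workaround 3: chain ends at ISRG Root X1


def scenarios(today: int = 301) -> dict:
    """Day 301 is the day after the constructed DST Root CA X3 expiry."""
    return {
        "1.0.2 default, full store": verify(build_legacy, SENT_WITH_CROSS, FULL_STORE, today),
        "trusted_first, full store": verify(build_trusted_first, SENT_WITH_CROSS, FULL_STORE, today),
        "1.0.2 default, DST removed": verify(build_legacy, SENT_WITH_CROSS, STORE_WITHOUT_DST, today),
        "1.0.2 default, standalone chain": verify(build_legacy, SENT_STANDALONE, FULL_STORE, today),
        "old Android, standalone chain": verify(build_legacy, SENT_STANDALONE, OLD_ANDROID_STORE, today),
        "old Android, cross chain": verify(build_legacy, SENT_WITH_CROSS, OLD_ANDROID_STORE, today,
                                           anchor_expiry=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} {result}")
```

Running the script prints one line per scenario: only the legacy builder with the expired root still in the store fails on expiry, each of the three workarounds makes it succeed, and the last two scenarios show why the standalone chain breaks old Android while the cross-signed chain keeps it working.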

In addition, it can be noted that the Let's Encrypt project has passed the milestone of two billion issued certificates. The one billion milestone was reached in February last year. 2.2-2.4 million new certificates are issued every day. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (195 million domains were covered a year ago, 150 million two years ago, 60 million three years ago). According to Firefox Telemetry statistics, the global share of HTTPS page requests is 82% (a year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).

Source: opennet.ru
