On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the root certificate of the Let's Encrypt certificate authority (ISRG Root X1), a community-run CA that issues certificates free of charge to anyone, expires. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being integrated into root certificate stores.
Initially it was planned that, after DST Root CA X3 expired, the Let's Encrypt project would switch to producing signatures using only its own root certificate, but such a step would have meant losing compatibility with a large number of legacy systems that never had the Let's Encrypt root certificate added to their stores. In particular, roughly 30% of the Android devices in use have no record of the Let's Encrypt root certificate, support for which only appeared starting with Android 7.1.1, released at the end of 2016.
Let's Encrypt had not planned to enter into a new cross-signing agreement, since such an agreement places additional responsibility on the parties, takes away their independence and ties their hands with respect to complying with all the procedures and rules of another certificate authority. However, because of the problems on a large number of Android devices, the plan was revised. A new agreement was signed with the IdenTrust certificate authority, under which a cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will allow continued support for Android devices starting from version 2.3.6.
However, the new intermediate certificate does not cover many other legacy systems. For example, once the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems that require the ISRG Root X1 certificate to be added manually to the root certificate store in order to trust Let's Encrypt certificates. Problems will show up in:
- OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
- NSS < 3.26;
- Java 8 < 8u141, Java 7 < 7u151;
- Windows < XP SP3;
- macOS < 10.12.1;
- iOS < 10 (iPhone < 5);
- Android < 2.3.6;
- Mozilla Firefox < 50;
- Ubuntu < 16.04;
- Debian < 8.
In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being handled correctly when one of the root certificates involved in the signing has expired, even if other valid trust chains exist. The problem first surfaced last year, after the AddTrust certificate used to cross-sign certificates of the Sectigo (Comodo) certificate authority expired. The crux of the problem is that OpenSSL parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed cyclic graph with multiple trust anchors that must be taken into account.
Users of older distributions based on OpenSSL 1.0.2 are offered three ways to work around the problem:
- Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
- When running the openssl verify and s_client commands, specify the "-trusted_first" option.
- Use on the server a certificate validated against the separate ISRG Root X1 root certificate, which has no cross-signature. This method will result in a loss of compatibility with older Android clients.
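The situations described in the two paragraphs above (a legacy client that trusts only the old root, a distribution store holding both roots, and the three workarounds) can be reproduced offline with a miniature PKI. The script below is an added example, not code from the article, from Let's Encrypt or from IdenTrust: it builds constructed stand-ins for the two roots ("Demo DST Root CA X3", short-lived, and "Demo ISRG Root X1", long-lived), cross-signs the second with the first, issues an intermediate and a leaf for the constructed name example.test, and then runs openssl verify with -attime to simulate a clock before and after the old root's expiry. File names, subject names and the validity periods are all assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example: a constructed miniature PKI mirroring the Let's Encrypt / IdenTrust
# cross-sign layout. Requires only the openssl command-line tool.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal openssl config: a DN section (overridden by -subj) and two extension profiles.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:example.test
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Root 1: stand-in for DST Root CA X3, self-signed and valid for only one more day.
newkey dst.key
openssl req -x509 -config demo.cnf -extensions ca_ext -key dst.key \
  -days 1 -subj "/CN=Demo DST Root CA X3" -out dst.pem
# Root 2: stand-in for ISRG Root X1, self-signed and long-lived.
newkey isrg.key
openssl req -x509 -config demo.cnf -extensions ca_ext -key isrg.key \
  -days 3650 -subj "/CN=Demo ISRG Root X1" -out isrg-root.pem
# Cross-sign: same ISRG key and subject, but the issuer is the DST root.
openssl req -new -config demo.cnf -key isrg.key -subj "/CN=Demo ISRG Root X1" -out isrg.csr
openssl x509 -req -in isrg.csr -CA dst.pem -CAkey dst.key -set_serial 1 -days 3650 \
  -extfile demo.cnf -extensions ca_ext -out isrg-cross.pem 2>/dev/null
# Intermediate issued under the ISRG subject, leaf issued by the intermediate.
newkey int.key
openssl req -new -config demo.cnf -key int.key -subj "/CN=Demo Intermediate" -out int.csr
openssl x509 -req -in int.csr -CA isrg-root.pem -CAkey isrg.key -set_serial 2 -days 1825 \
  -extfile demo.cnf -extensions ca_ext -out int.pem 2>/dev/null
newkey leaf.key
openssl req -new -config demo.cnf -key leaf.key -subj "/CN=example.test" -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 -days 90 \
  -extfile demo.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null

# Trust stores seen on different clients, and chains a server might send.
cat dst.pem                > store-legacy.pem  # client that knows only DST Root CA X3
cat dst.pem isrg-root.pem  > store-both.pem    # distro store: DST present, ISRG added
cat isrg-root.pem          > store-isrg.pem    # workaround 1: DST removed, ISRG installed
cat int.pem isrg-cross.pem > chain-cross.pem   # chain with the cross-signed root
cat int.pem                > chain-short.pem   # workaround 3: chain anchored only at ISRG

# Simulated clocks: one hour from now (DST still valid), two days from now (DST expired).
AT_BEFORE=$(( $(date +%s) + 3600 ))
AT_AFTER=$(( $(date +%s) + 172800 ))

# verify_at <epoch> <trust store> <chain sent by server> [extra openssl flags] -> ok | fail
verify_at() {
  at=$1; store=$2; chain=$3; shift 3
  if openssl verify -attime "$at" -CAfile "$store" -untrusted "$chain" "$@" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

legacy_client_before() { verify_at "$AT_BEFORE" store-legacy.pem chain-cross.pem; }  # ok: cross-sign bridges trust
legacy_client_after()  { verify_at "$AT_AFTER"  store-legacy.pem chain-cross.pem; }  # fail: root has expired
both_roots_after()     { verify_at "$AT_AFTER"  store-both.pem   chain-cross.pem; }  # ok on OpenSSL >= 1.1.0; 1.0.2 fails here
fix1_drop_dst()        { verify_at "$AT_AFTER"  store-isrg.pem   chain-cross.pem; }  # ok: only the ISRG anchor remains
fix2_trusted_first()   { verify_at "$AT_AFTER"  store-both.pem   chain-cross.pem -trusted_first; }  # ok
fix3_short_chain_new() { verify_at "$AT_AFTER"  store-isrg.pem   chain-short.pem; }  # ok
fix3_short_chain_old() { verify_at "$AT_AFTER"  store-legacy.pem chain-short.pem; }  # fail: no path to a trusted root

for f in legacy_client_before legacy_client_after both_roots_after fix1_drop_dst \
         fix2_trusted_first fix3_short_chain_new fix3_short_chain_old; do
  printf '%-22s %s\n' "$f" "$($f)"
done
```

Run it with a POSIX shell. The both_roots_after case is the one that separates OpenSSL versions: from 1.1.0 on, the chain builder always consults the trust store before the untrusted certificates the server sent, so the valid ISRG anchor is found and the expired DST root is never reached; OpenSSL 1.0.2 followed the cross-signed certificate up to the expired root instead, which is the failure the article describes and which the three workarounds avoid. The last two cases show the trade-off of the third workaround: a chain anchored only at ISRG Root X1 verifies on a client that has that root, and fails on one that trusts only DST Root CA X3.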
Additionally, the Let's Encrypt project has passed the milestone of two billion certificates issued. The one billion milestone was reached in February of last year. Between 2.2 and 2.4 million new certificates are issued every day. The number of active certificates is 192 million (certificates are valid for three months), covering roughly 260 million domains (a year ago 195 million domains were covered, two years ago 150 million, three years ago 60 million). According to Firefox Telemetry statistics, the global share of page requests over HTTPS is 82% (a year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).
Source: opennet.ru
