Possible attacks on HTTPS and how to defend against them

Half of all domains now use HTTPS, and the share keeps growing slowly. The protocol reduces the risk of traffic interception, but it does not eliminate attacks as such. In this article we look at some of them (POODLE, BEAST, DROWN, Heartbleed and certificate substitution) and at the protection measures for each.

Photo: /flickr/ Sven Graeme / CC BY-SA

POODLE

The POODLE attack first became public in 2014. The vulnerability in SSL 3.0 was found by security researcher Bodo Möller and his colleagues at Google.

The idea is this: the attacker forces the client to connect over SSL 3.0 by simulating connection failures, so that the client retries with a lower protocol version (the "downgrade dance"). SSL 3.0 does not check the contents of the padding bytes in CBC-mode records, which turns the server into a padding oracle: the attacker moves a ciphertext block of interest into the padding position and watches whether the server accepts the record. Each accepted guess reveals one plaintext byte, so with a series of crafted requests (typically generated by injected JavaScript that controls the request length) the attacker recovers the data of interest, such as session cookies, byte by byte.

SSL 3.0 is an old protocol, but its security still matters, because clients keep it around to avoid compatibility problems with servers. According to some data, about 7% of the 100 most popular sites still support SSL 3.0. There are also POODLE variants that target the more modern TLS 1.0 and TLS 1.1 in implementations that get the CBC padding check wrong. This year new attacks appeared, Zombie POODLE and GOLDENDOODLE, which get past the protection of TLS 1.2 (they are still tied to CBC encryption).

Protection. For the original POODLE you need to disable SSL 3.0 support, although this carries a risk of compatibility problems. Another measure is the TLS_FALLBACK_SCSV mechanism (RFC 7507): a client that retries a handshake with a lower protocol version includes this signalling cipher suite, and a server that supports a higher version rejects the downgraded connection. Data exchange over SSL 3.0 then only happens with genuinely legacy systems, and attackers can no longer trigger a protocol downgrade. Protection against Zombie POODLE and GOLDENDOODLE is to disable CBC cipher suites in TLS 1.2 deployments. The cardinal solution is to move to TLS 1.3: the new protocol version removed CBC cipher suites altogether and uses only AEAD ciphers (AES-GCM, AES-CCM and ChaCha20-Poly1305), which are far more robust.

BEAST

One of the first attacks on SSL and TLS 1.0, found in 2011. Like POODLE, BEAST exploits a property of CBC encryption: in TLS 1.0 the initialization vector of each record is the last ciphertext block of the previous record, so it is predictable. The attackers inject a JavaScript agent or Java applet into the victim's machine that sends chosen plaintext through the TLS (or SSL) connection. Because they know the contents of these "dummy" packets, the attackers can use them to cancel out the initialization vector and read other messages sent to the server, such as authentication cookies, one byte at a time.

Today many network devices are still susceptible to BEAST: proxy servers and appliances that protect local-network gateways.

Protection. The attacker has to send requests repeatedly to decrypt the data. VMware recommends reducing SSLSessionCacheTimeout from five minutes (the default) to 30 seconds. This makes it harder for attackers to carry out their plan, although it hurts performance. Beyond that, the BEAST vulnerability may become a thing of the past on its own: from 2020 the major browsers drop support for TLS 1.0 and 1.1. In any case, fewer than 1.5% of all browser users still work over these protocols.

DROWN

This is a cross-protocol attack that exploits flaws in SSLv2 implementations together with export-grade 40-bit cipher suites that use RSA key exchange. The attacker records several hundred TLS connections to the target, then sends specially crafted packets to an SSLv2 server that uses the same RSA private key. With a Bleichenbacher attack, the intruder can decrypt roughly one in every thousand of the recorded client TLS connections.

DROWN became known in 2016; at that time about a third of servers worldwide were affected. It has not lost its relevance today: among the 150,000 most popular sites, 2% still support SSLv2 and vulnerable cipher suites.

Protection. Install the patches released by the cryptographic library maintainers that disable SSLv2 support. For example, two such patches were released for OpenSSL (in 2016 these were updates 1.0.1s and 1.0.2g). Updates and instructions for disabling the vulnerable protocol were also published by Red Hat, Apache and Debian.
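The three protection recipes above (no SSLv2 for DROWN, no SSLv3 and a downgrade-proof version floor for POODLE, no TLS 1.0 for BEAST, no CBC suites for Zombie POODLE and GOLDENDOODLE) reduce to the same server-side policy. The following is an added example, not code from the article: it builds a hardened Python `ssl` server context next to the kind of permissive one the article warns about and checks what each still offers. Function names are the author's; the cipher string and the `@SECLEVEL=1` legacy setting are assumptions chosen for illustration.

```python
import ssl

# Added example (not from the article): a server-side SSLContext that rules
# out the protocol versions and cipher families discussed above, beside a
# deliberately permissive context, plus checks that report what remains.

# TLS 1.2 suites: forward-secret key exchange with AEAD ciphers only.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def hardened_server_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Version floor: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are refused at the
    # handshake, so a downgrade has nothing to fall back to.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher suites for TLS 1.2. TLS 1.3 suites are AEAD by construction
    # and are not affected by set_ciphers().
    ctx.set_ciphers(AEAD_ONLY)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The kind of configuration the article warns about (for comparison)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # still accepts TLS 1.0 (BEAST)
    ctx.set_ciphers("ALL:@SECLEVEL=1")           # includes CBC suites (assumption)
    return ctx


def non_aead_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are not AEAD, i.e. the CBC/MAC suites
    that POODLE-style padding-oracle attacks need."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])


def accepts_pre_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the context would negotiate SSLv3, TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(label, "accepts pre-TLS1.2:", accepts_pre_tls12(ctx),
              "non-AEAD suites:", len(non_aead_ciphers(ctx)))
```

The check functions are the useful part: run them against whatever context your application actually builds, not just the two shown here, because the defaults of the underlying OpenSSL build decide what `ssl.SSLContext()` offers before you restrict it.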

"A resource can be exposed to DROWN if its keys are used by a third-party server that has SSLv2 enabled, such as a mail server," says Sergei Belkin, head of development at the IaaS provider 1cloud.ru. "This situation arises when several servers share a common SSL certificate. In that case you need to disable SSLv2 support on all of the machines."

You can check whether your system needs updating with a special tool created by the security researchers who discovered DROWN. Further recommendations on protecting against this type of attack are published on the OpenSSL website.

Heartbleed

One of the biggest software vulnerabilities is Heartbleed, found in 2014 in the OpenSSL library. At the time the bug was disclosed, the number of vulnerable websites was estimated at half a million, about 17% of all TLS-protected web servers.

The attack goes through a small extension module, TLS Heartbeat. A TLS connection that stays idle for a long time hits a timeout and has to be re-established. To deal with this, servers and clients keep the channel alive with heartbeat messages (RFC 6520): a peer sends a request carrying a payload and a declared payload length, and the other side echoes the payload back. Vulnerable OpenSSL versions never compared the declared length with the amount of data actually received, so a request that claimed more bytes than it carried made the server copy memory beyond the received buffer into the reply. That region can contain anything, including private keys and details of other connections.

The vulnerability affected all library versions from 1.0.1 through 1.0.1f inclusive, and with them many operating systems: Ubuntu up to 12.04.4, CentOS older than 6.5, OpenBSD 5.3 and others. A full list is available on the website dedicated to Heartbleed. Although patches were released immediately after the discovery, the problem persists to this day: as late as 2017 about 200,000 sites were still vulnerable to Heartbleed.

Protection. Upgrade OpenSSL to version 1.0.1g or later. You can also disable Heartbeat requests by building OpenSSL with the -DOPENSSL_NO_HEARTBEATS option. After updating, security experts recommend reissuing SSL certificates and revoking the old ones, because the private key material may already have ended up in the hands of attackers.
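To make the missing bounds check concrete, here is an added simulation written for this article; it is neither the article's code nor OpenSSL's. It models the RFC 6520 HeartbeatMessage layout (type, two-byte payload_length, payload, at least 16 bytes of padding), a handler that trusts the declared length the way OpenSSL 1.0.1 to 1.0.1f did, and the handler with the 1.0.1g-style check. The "process memory", the probe and the secret are constructed byte strings; a real exploit sends the same record over the TLS record layer, which is not simulated here.

```python
import struct
from typing import Optional

# Added example (not from the article or OpenSSL): a simulation of the
# Heartbleed bug on the RFC 6520 HeartbeatMessage layout
#   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
# "Process memory" is a constructed byte string: the received record followed
# by a made-up secret, standing in for whatever sits next to it on the heap.

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER = 3  # type + payload_length


def build_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat_request. An honest client declares the real length;
    a Heartbleed probe claims more bytes than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_handler(record: bytes, process_memory: bytes) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: the declared payload_length is
    trusted, and that many bytes are copied from where the record sits in
    memory (offset 0 here), running past the record into whatever follows.
    Python slicing stops at the end of the buffer; the C memcpy did not."""
    payload_len = struct.unpack("!H", record[1:HEADER])[0]
    echoed = process_memory[HEADER:HEADER + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def patched_handler(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """The 1.0.1g-style fix: silently drop the record unless header, declared
    payload and minimum padding all fit inside the bytes actually received."""
    if len(record) < HEADER + MIN_PADDING:
        return None
    payload_len = struct.unpack("!H", record[1:HEADER])[0]
    if HEADER + payload_len + MIN_PADDING > len(record):
        return None
    echoed = record[HEADER:HEADER + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat_response."""
    payload_len = struct.unpack("!H", response[1:HEADER])[0]
    return response[HEADER:HEADER + payload_len]


# Constructed sample: a probe that sends 4 bytes but claims 64, placed in
# "memory" directly in front of a constructed secret.
SECRET = b"SECRET-KEY-MATERIAL-0123456789abcdef"
PROBE = build_request(b"ping", claimed_length=64)
MEMORY = PROBE + SECRET


def leaked_by_vulnerable_server() -> bytes:
    """Bytes the probe receives beyond its own 4-byte payload."""
    return response_payload(vulnerable_handler(PROBE, MEMORY))[len(b"ping"):]


if __name__ == "__main__":
    print("vulnerable server leaked:", leaked_by_vulnerable_server())
    print("patched server answered:", patched_handler(PROBE, MEMORY))
```

The fix is a single comparison, which is why the advice above is simply to update or build without the extension: there is no configuration knob on the unpatched library that changes this code path.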

Certificate substitution

A node under the attacker's control, holding a valid-looking SSL certificate, is inserted between the user and the server and actively intercepts traffic. The node impersonates the legitimate server by presenting a certificate that passes validation, which makes a MITM attack possible.

According to research by teams from Mozilla, Google and several universities, about 11% of secure web connections are intercepted. This is the result of suspicious root certificates being installed on users' computers.

Protection. Use trusted SSL certificate providers. You can check the "provenance" of a certificate through Certificate Transparency (CT) logs, which record every certificate a participating CA issues. Cloud providers can also help detect interception; some large companies already offer special tools for monitoring TLS connections.

Another means of protection will be the new ACME standard, which automates obtaining SSL certificates. At the same time it adds further methods of verifying the domain owner. We wrote about it in one of our previous materials.

Photo: /flickr/ Yuri Samoilov / CC BY

Prospects for HTTPS

Despite its many shortcomings, the IT giants and security experts are confident in the protocol's future. The creator of the WWW, Tim Berners-Lee, advocates the active use of HTTPS. In his view, TLS will become more secure over time, which will significantly improve connection security. Berners-Lee has also suggested that client certificates for identity verification will appear in the future; they would help protect servers from attackers.

There are also plans to develop SSL/TLS technology with machine learning: intelligent algorithms will take over the filtering of malicious traffic. With HTTPS connections, administrators have no way to inspect the contents of encrypted messages, including detecting requests from malware. Today neural networks can already filter potentially dangerous packets with 90% accuracy (presentation, slide 23).

Conclusion

Most attacks on HTTPS are not related to problems in the protocol itself but to continued support for outdated encryption methods. The IT industry is gradually abandoning previous-generation protocols and offering new tools for finding vulnerabilities. In the future these tools will become even smarter.


Source: www.habr.com
