Ikhonkco lokuthembela. I-CC BY-SA 4.0
Ukuhlolwa kwetrafikhi ye-SSL (i-SSL/TLS decryption, i-SSL okanye uhlalutyo lwe-DPI) iya isiba sisihloko esikhulayo sengxoxo kwicandelo loshishino. Umbono wokukhutshwa kwetrafikhi kubonakala ngathi uyaphikisana nombono we-cryptography. Nangona kunjalo, inyani yinyani: ngakumbi nangakumbi iinkampani zisebenzisa itekhnoloji yeDPI, icacisa oku ngesidingo sokujonga umxholo we-malware, ukuvuza kwedatha, njl.
Ewe, ukuba siyayamkela into yokuba ubuchwephesha obunjalo kufuneka buphunyezwe, ngoko ke kufuneka siqwalasele iindlela zokukwenza ngeyona ndlela ikhuselekileyo nelawulwa kakuhle. Ubuncinane ungathembeli kwezo zatifikethi, umzekelo, ukuba umthengisi wenkqubo ye-DPI akunika yona.
Kukho inkalo enye yokuphunyezwa ekungenguye wonke umntu owaziyo ngayo. Enyanisweni, abantu abaninzi bothuka ngokwenene xa besiva ngayo. Eli ligunya lezatifikethi zabucala (CA). Ivelisa izatifikethi zokususa uguqulelo oluntsonkothileyo kunye nokubethelwa kwakhona kwetrafikhi.
Endaweni yokuxhomekeka kwizatifikethi ezizisayinileyo okanye izatifikethi ezivela kwizixhobo zeDPI, ungasebenzisa i-CA ezinikeleyo kwigunya lesatifikethi somntu wesithathu njengeGlobalSign. Kodwa kuqala, makhe senze amagqabantshintshi ngengxaki ngokwayo.
Yintoni ukuhlolwa kwe-SSL kwaye kutheni isetyenziswa?
Iiwebhusayithi ezininzi zoluntu zifudukela kwi-HTTPS. Umzekelo, ngokutsho , ekuqaleni kukaSeptemba 2019, isabelo setrafikhi efihliweyo eRashiya sifikelele kwi-83%.
Ngelishwa, uguqulelo oluntsonkothileyo lwetrafikhi lusanda kusetyenziswa ngabahlaseli, ngakumbi kuba Masibhale sisasaza amawaka ezatifikethi zasimahla ze-SSL ngendlela ezenzekelayo. Ke, i-HTTPS isetyenziswa kuyo yonke indawo - kwaye i-padlock kwibar yedilesi yesikhangeli iyekile ukusebenza njengesalathisi esithembekileyo sokhuseleko.
Abavelisi bezisombululo zeDPI bakhuthaza iimveliso zabo kwezi zikhundla. Zizinziswe phakathi kwabasebenzisi bokugqibela (oko kukuthi abasebenzi bakho bajonga iwebhu) kunye ne-Intanethi, behluza ukugcwala okungalunganga. Kukho inani leemveliso ezinjalo kwimarike namhlanje, kodwa iinkqubo ziyafana. I-HTTPS yetrafikhi idlula kwisixhobo sokuhlola apho ikhutshiwe kwaye ijongiwe i-malware.
Nje ukuba uqinisekiso lugqityiwe, isixhobo senza iseshoni entsha ye-SSL kunye nomxhasi wokugqibela ukucoca kunye nokubethela kwakhona umxholo.
Isebenza njani inkqubo yoguqulelo oluntsonkothileyo/uguqulelo oluntsonkothileyo
Ukuze isixhobo sokuhlola se-SSL sisuse ukuntsonkotha kwaye siphinde sibethelwe iipakethi phambi kokuba sizithumele kubasebenzisi bokuphela, kufuneka sikwazi ukukhupha izatifikethi ze-SSL ngokukhawuleza. Oku kuthetha ukuba kufuneka ifakwe isatifikethi se-CA.
Kubalulekile kwinkampani (okanye nabani na ophakathi) ukuba ezi zatifikethi ze-SSL zithenjwa ngabaphequluli (oko kukuthi, musa ukuqalisa imiyalezo eyoyikisayo efana nale ingezantsi). Ngoko ke ikhonkco le-CA (okanye uluhlu lwemigangatho) kufuneka lube kwi-trust store yesikhangeli. Ngenxa yokuba ezi zatifikethi zingakhutshwanga kwabasemagunyeni bezatifikethi ezithenjiweyo eluntwini, kufuneka usasaze ngesandla ulawulo lwe-CA kubo bonke abathengi.
Umyalezo wesilumkiso wesatifikethi esizisayinileyo kwiChrome. Umthombo:
Kwiikhompyuter zeWindows, unokusebenzisa i-Active Directory kunye neMigaqo-nkqubo yeQela, kodwa kwizixhobo eziphathwayo inkqubo inzima kakhulu.
Imeko iba nzima ngakumbi ukuba ufuna ukuxhasa ezinye izatifikethi zeengcambu kwindawo yeshishini, umzekelo, ukusuka kuMicrosoft, okanye ngokusekelwe kwi-OpenSSL. Plus ukhuseleko kunye nolawulo izitshixo zabucala ukuze naziphi izitshixo musa ukuphelelwa kungalindelekanga.
Eyona ndlela ingcono: isiqinisekiso sengcambu sabucala, esizinikeleyo esivela kwiqela lesithathu le-CA
Ukuba ukulawula iingcambu ezininzi okanye izatifikethi zokuzisayina akuthandeki, kukho enye inketho: ukuxhomekeka kwi-CA yesithathu. Kule meko, izatifikethi zikhutshwa bucala i-CA edityaniswe kwikhonkco lokuthembela kwi-CA ezinikeleyo, yabucala eyenzelwe inkampani ngokukodwa.
Ulwakhiwo olulula lwezatifikethi zeengcambu zabaxumi abazinikeleyo
Olu cwangciso luphelisa ezinye zeengxaki ezikhankanywe ngaphambili: ubuncinane kunciphisa inani leengcambu ezifuna ukulawulwa. Apha ungasebenzisa ingcambu enye yegunya labucala kuzo zonke iimfuno zangaphakathi ze-PKI, nalo naliphi na inani leeCA eziphakathi. Ngokomzekelo, lo mzobo ungentla ubonisa i-hierarchy yamanqanaba amaninzi apho enye ye-CAs ephakathi isetyenziselwa ukuqinisekiswa kwe-SSL / i-decryption kwaye enye isetyenziselwa iikhomputha zangaphakathi (iilaptops, iiseva, iidesktops, njl.).
Kulo yilo, akukho mfuneko yokubamba i-CA kubo bonke abathengi ngenxa yokuba i-CA yezinga eliphezulu ibanjwe yi-GlobalSign, exazulula ukhuseleko lwangasese kunye nemiba yokuphelelwa yisikhathi.
Enye inzuzo yale ndlela kukukwazi ukurhoxisa igunya lokuhlola i-SSL nangasiphi na isizathu. Endaweni yoko, entsha yenziwe ngokulula, ebotshelelwe kwingcambu yakho yabucala, kwaye ungayisebenzisa kwangoko.
Ngaphandle kwayo yonke impikiswano, amashishini asanda kuphumeza ukuhlolwa kwetrafikhi ye-SSL njengenxalenye yeziseko zabo zangaphakathi okanye zabucala ze-PKI. Olunye usetyenziso lwe-PKI yabucala lubandakanya ukukhupha izatifikethi zesixhobo okanye uqinisekiso lomsebenzisi, i-SSL yeeseva zangaphakathi, kunye nolungelelwaniso olwahlukeneyo olungavumelekanga kwizatifikethi ezithembekileyo zikawonke-wonke njengoko kufunwa yi-CA/Browser Forum.
Abakhangeli bayalwa
Kufuneka kuqatshelwe ukuba abaphuhlisi besiphequluli bazama ukulwa nalo mkhwa kwaye bakhusele abasebenzisi bokugqibela kwi-MiTM. Umzekelo, kwiintsuku ezimbalwa ezidlulileyo Mozilla Yenza iprotocol ye-DoH (DNS-over-HTTPS) ngokuzenzekela kwenye yeenguqulelo zesikhangeli esilandelayo kwiFirefox. Iprotocol ye-DoH ifihla imibuzo ye-DNS kwinkqubo ye-DPI, yenze uhlolo lwe-SSL lubenzima.
Malunga nezicwangciso ezifanayo ngoSeptemba 10, 2019 UGoogle wesiphequluli seChrome.
Ngabasebenzisi ababhalisiweyo kuphela abanokuthatha inxaxheba kuphando. , ndiyacela.
Ngaba ucinga ukuba inkampani inelungelo lokuhlola i-SSL traffic yabasebenzi bayo?
-
Ewe, ngemvume yabo
-
Hayi, ukucela loo mvume akukho mthethweni kwaye/okanye akukho semthethweni
Bangama-122 abasebenzisi abavotileyo. Abasebenzisi abali-15 abakhange.
umthombo: www.habr.com