How DNSCrypt solved the problem of expired certificates by introducing a 24-hour validity period


Previously, certificates often expired because they had to be renewed manually. People simply forgot to do it. With the arrival of Let's Encrypt and automatic renewal, it would seem the problem should be solved. But the recent Firefox story shows that it is, in fact, still relevant. Unfortunately, certificates continue to expire.

In case you missed the story, at midnight on May 4, 2019, almost all Firefox extensions suddenly stopped working.

As it turned out, the massive failure happened because the Mozilla certificate used to sign extensions had expired. The extensions were therefore marked as "invalid" and were not verified (technical details). On forums, the suggested workarounds were to disable extension signature verification in about:config or to change the system clock.

Mozilla quickly released the Firefox 66.0.4 patch, which fixes the problem with the invalid certificate, and all extensions returned to normal. The developers recommend installing it and not using any workarounds that bypass signature verification, because they may conflict with the patch.

Nevertheless, this story once again shows that certificate expiry remains a pressing problem today.

In this regard, it is interesting to look at the rather original way in which the developers of the DNSCrypt protocol dealt with this task. Their solution can be divided into two parts. First, short-lived certificates. Second, warning users about the expiry of long-lived ones.

DNSCrypt

DNSCrypt is a protocol for encrypting DNS traffic. It protects DNS communication from interception and MiTM attacks, and it also lets you bypass blocking at the DNS query level.

The protocol wraps DNS traffic between client and server in a cryptographic construction that runs over the UDP and TCP transport protocols. To use it, both the client and the DNS resolver must support DNSCrypt. For example, Yandex has had it enabled on its DNS servers and in the Yandex browser since March 2016. Several other providers have announced support, including Google and Cloudflare. Unfortunately, there are not many of them (152 public DNS servers are listed on the official website). But the dnscrypt-proxy program can be installed manually on Linux, Windows and macOS clients. There are also server implementations.


How does DNSCrypt work? In short, the client takes the public key of the chosen provider and uses it to verify the provider's certificates. The certificates already contain the short-term public keys for the session and the cipher suite identifier. Clients are encouraged to generate a new key for each request, and servers are encouraged to change keys every 24 hours. X25519 is used for key exchange, EdDSA for signatures, and XSalsa20-Poly1305 or XChaCha20-Poly1305 for block encryption.

One of the protocol's developers, Frank Denis, writes that automatic rotation every 24 hours solved the problem of expired certificates. In principle, the dnscrypt-proxy reference client accepts certificates with any validity period, but it issues the warning "The dnscrypt-proxy key period for this server is too long" if the certificate is valid for more than 24 hours. At the same time, a Docker image was released that implements rapid rotation of keys (and certificates).

First, this is extremely useful for security: if the server is compromised or a key leaks, yesterday's traffic cannot be decrypted. The key has already changed. This is likely to be a problem for the implementation of the Yarovaya Law, which obliges providers to store all traffic, including encrypted traffic. The idea is that it can be decrypted later, when needed, by requesting the key from the site. But in this case the site simply cannot provide it, because it uses short-term keys and deletes the old ones.

But most importantly, Denis writes, short-term keys force servers to set up automation from day one. If a server is connected to the network and the key rotation scripts are not configured or do not work, this is detected immediately.

When automation changes keys once every few years, it cannot be relied on, and people can forget about certificate expiry. If keys are changed every day, a failure is detected immediately.

At the same time, if the automation is configured properly, it does not matter how often the keys are changed: every year, every quarter or three times a day. If everything works for more than 24 hours, it will work forever, writes Frank Denis. According to him, the recommendation of daily key rotation in the second version of the protocol, together with a ready-made Docker image that implements it, effectively reduced the number of servers with expired certificates while improving security at the same time.

However, some providers still decided, for certain technical reasons, to set the certificate validity period to more than 24 hours. This problem was largely solved with a few lines of code in dnscrypt-proxy: users get an informational warning 30 days before the certificate expires, another message with a higher severity level 7 days before expiry, and a critical message if the certificate has less than 24 hours of validity left. This applies only to certificates that have a long validity period to begin with.

These messages give users the chance to notify the DNS operators about the upcoming certificate expiry before it is too late.
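The warning thresholds described above, as an added Go example (not dnscrypt-proxy's own code). The `Verdict` type, the `CheckCert` function and the level names are hypothetical, and applying a warning window only when the certificate's total validity is longer than that window is an assumption about what "long validity period" means.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// Verdict is a hypothetical result type for this example.
type Verdict struct {
	Level     string // ok, notice, warning, critical, expired, not-yet-valid
	LongLived bool   // validity period exceeds the recommended 24 hours
}

// CheckCert applies the article's thresholds (30 days, 7 days, 24 hours)
// to a certificate validity window. Assumption: a window only applies when
// the total validity is longer than that window.
func CheckCert(notBefore, notAfter, now time.Time) Verdict {
	validity := notAfter.Sub(notBefore)
	left := notAfter.Sub(now)
	v := Verdict{Level: "ok", LongLived: validity > day}
	switch {
	case now.Before(notBefore):
		v.Level = "not-yet-valid"
	case left <= 0:
		v.Level = "expired"
	case !v.LongLived:
		// Daily-rotated certificate: always near expiry by design, no warning.
	case left < day:
		v.Level = "critical"
	case left <= 7*day && validity > 7*day:
		v.Level = "warning"
	case left <= 30*day && validity > 30*day:
		v.Level = "notice"
	}
	return v
}

func main() {
	// Constructed sample: a certificate valid for one year.
	start := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	end := start.Add(365 * day)
	for _, d := range []time.Duration{100 * day, 20 * day, 5 * day, 6 * time.Hour} {
		fmt.Printf("%v left: %+v\n", d, CheckCert(start, end, end.Add(-d)))
	}
}
```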

Perhaps if all Firefox users had received such a message, someone would have informed the developers and they would not have let the certificate expire. "I don't remember a single DNSCrypt server on the list of public DNS servers whose certificate has expired in the last two or three years," writes Frank Denis. In any case, it is better to warn users first than to disable extensions without warning.



Source: www.habr.com
