ProHoster > Ibhulogi > Ulawulo > Uhlaselo olunokwenzeka kwi-HTTPS kunye nendlela yokukhusela kubo

Uhlaselo olunokwenzeka kwi-HTTPS kunye nendlela yokukhusela kubo

Isiqingatha seendawo isebenzisa iHTTPS, yaye inani labo liya lisanda ngokuthe ngcembe. Iprothokholi iyawunciphisa umngcipheko wokunqandwa kwezithuthi, kodwa ayiluphelisi uhlaselo oluzanywa ngolo hlobo. Siza kuthetha ngezinye zazo - POODLE, BEAST, DROWN kunye nabanye - kunye neendlela zokukhusela kwizinto zethu.

Uhlaselo olunokwenzeka kwi-HTTPS kunye nendlela yokukhusela kubo
/Flickr/ Sven Graeme / CC BY-SA

POODLE

Okokuqala malunga nohlaselo POODLE yaziwa ngo-2014. Ubuthathaka kwiprotocol ye-SSL 3.0 yafunyanwa yingcali yokhuseleko lolwazi u-Bodo MΓΆller kunye noogxa bakwaGoogle.

Ubume bayo buhamba ngolu hlobo lulandelayo: i-hacker inyanzelisa umxhasi ukuba adibanise nge-SSL 3.0, exelisa ikhefu loqhagamshelwano. Emva koko ikhangele kwi-encrypted CBC-imowudi yetrafikhi imiyalezo ekhethekileyo yethegi. Ukusebenzisa uthotho lwezicelo ezibumbeneyo, umhlaseli uyakwazi ukwakha kwakhona imixholo yedatha enomdla, efana necookies.

I-SSL 3.0 yiprothokholi ephelelwe lixesha. Kodwa umbuzo wokhuseleko lwakhe usasebenza. Abathengi bayisebenzisela ukuphepha imiba yokuhambelana kunye neeseva. Ngokwedatha ethile, phantse i-7% yeendawo ezingamawaka ezili-100 ezidumileyo isaxhasa i-SSL 3.0. Kwakhona zikhona izilungiso kwiPOODLE ezijolise kwi-TLS 1.0 yale mihla kunye ne-TLS 1.1. Kulo nyaka yavela uhlaselo olutsha lwe-Zombie POODLE kunye neGOLDENDOODLE oludlula ukhuseleko lwe-TLS 1.2 (zisanxulunyaniswa ne-CBC encryption).

Indlela yokuzikhusela. Kwimeko yePOODLE yoqobo, kufuneka ukhubaze inkxaso ye-SSL 3.0. Nangona kunjalo, kule meko kukho umngcipheko weengxaki zokuhambelana. Esinye isisombululo sinokuba yindlela ye-TLS_FALLBACK_SCSV - iqinisekisa ukuba utshintshiselwano lwedatha nge-SSL 3.0 luya kuqhutywa kuphela ngeenkqubo ezindala. Abahlaseli abasayi kuphinda bakwazi ukuqalisa ukuthotywa kweprotocol. Indlela yokukhusela kwiZombie POODLE kunye neGOLDENDOODLE kukukhubaza inkxaso yeCBC kwi-TLS 1.2-based based applications. Isisombululo sekhadinali siya kuba yinguqu kwi-TLS 1.3 - inguqu entsha yeprotocol ayisebenzisi i-encryption ye-CBC. Endaweni yoko, kusetyenziswa i-AES eyomelele ngakumbi kunye ne-ChaCha20.

Irhamncwa

Olunye lohlaselo lokuqala lwe-SSL kunye ne-TLS 1.0, olufunyenwe kwi-2011. Njengo-POODLE, BEAST isebenzisa Iimpawu zoguqulelo oluntsonkothileyo lweCBC. Abahlaseli bafaka i-arhente yeJavaScript okanye i-applet yeJava kumatshini womxhasi, othatha indawo yemiyalezo xa uthumela idatha nge-TLS okanye i-SSL. Kuba abahlaseli besazi imixholo yeepakethi ze-"dummy", banokuzisebenzisa ukukhulula i-vector yokuqalisa kwaye bafunde eminye imiyalezo kwiseva, efana neekuki zoqinisekiso.

Ukusukela namhlanje, ubuthathaka be-BEAST busekhona inani lezixhobo zenethiwekhi zichaphazeleka: Iiseva zommeli kunye nezicelo zokukhusela amasango e-Intanethi asekuhlaleni.

Indlela yokuzikhusela. Umhlaseli kufuneka athumele izicelo rhoqo zokucima idatha. KwiVMware cebisa ukunciphisa ubude bexesha le-SSLSessionCacheTimeout ukusuka kwimizuzu emihlanu (ingcebiso engagqibekanga) ukuya kwimizuzwana engama-30. Le ndlela iya kwenza kube nzima kubahlaseli ukuphumeza izicwangciso zabo, nangona kuya kuba nefuthe elibi ekusebenzeni. Ukongeza, kufuneka uqonde ukuba ukuba sesichengeni kwe-BEAST kungekudala kunokuba yinto yakudala ngokwayo-ukusukela ngo-2020, ezona ziphequluli zikhulu. Yeka inkxaso ye-TLS 1.0 kunye ne-1.1. Kwimeko nayiphi na into, ngaphantsi kwe-1,5% yabo bonke abasebenzisi be-browser basebenza kunye nale migaqo.

AMANZI

Olu luhlaselo lweprotocol olunqamlezayo olusebenzisa iibhugi ekuphunyezweni kwe-SSLv2 ngezitshixo ezingama-40 zeRSA. Umhlaseli uphulaphule amakhulu oqhagamshelwano lwe-TLS ekujoliswe kulo kwaye athumele iipakethi ezikhethekileyo kwi-SSLv2 iseva usebenzisa iqhosha elifanayo labucala. Ukusebenzisa Ukuhlaselwa kweBleichenbacher, iHacker inokususa uguqulelo oluntsonkothileyo malunga newaka leeseshoni zeTLS zabathengi.

IDROWN yaqala ukwaziwa ngo-2016 - emva koko kwaba njalo isinye kwisithathu sabancedisi abachaphazelekayo emhlabeni. Namhlanje ayikaphulukananga nokubaluleka kwayo. Kwi-150 yeendawo ezithandwa kakhulu, i-2% isekho inkxaso SSLv2 kunye neendlela ezintsonkothileyo ezisesichengeni.

Indlela yokuzikhusela. Kuyimfuneko ukufakela iipetshi ezicetyiswe ngabaphuhlisi bamathala eencwadi e-cryptographic akhubaza inkxaso ye-SSLv2. Umzekelo, iipatches ezimbini ezinjalo zanikwa i-OpenSSL (ngo-2016 ezi ibiluhlaziyo 1.0.1s kunye ne-1.0.2g). Kwakhona, uhlaziyo kunye nemiyalelo yokukhubaza iprotocol esengozini yapapashwa kuyo Red Hat, Apache, Debian.

"Isixhobo sinokuba sesichengeni se-DROWN ukuba izitshixo zayo zisetyenziswa ngumncedisi womntu wesithathu nge-SSLv2, njengeseva ye-imeyile," iphawula intloko yesebe lophuhliso. Umboneleli we-IaaS 1cloud.ru USergei Belkin. Le meko yenzeka ukuba abancedisi abaninzi basebenzisa isatifikethi se-SSL esiqhelekileyo. Kule meko, kufuneka ucime inkxaso ye-SSLv2 kubo bonke oomatshini."

Ungajonga ukuba ingaba isixokelelwano sakho sifuna ukuhlaziywa usebenzisa eyodwa izinto eziluncedo β€” yaphuhliswa ziingcali zokhuseleko lolwazi ezifumanise iDROWN. Unokufunda ngakumbi malunga nezindululo ezinxulumene nokukhuselwa kolu hlobo lohlaselo kwi thumela kwiwebhusayithi ye-OpenSSL.

Intliziyo

Obona buthathaka bukhulu kwisoftware Intliziyo. Yafunyanwa ngo-2014 kwithala leencwadi le-OpenSSL. Ngexesha lokubhengezwa kwe-bug, inani leewebhusayithi ezisengozini kuqikelelwa kwisiqingatha sesigidi - oku malunga ne-17% yemithombo ekhuselweyo kuthungelwano.

Uhlaselo luphunyezwa ngemodyuli encinci ye-Heartbeat TLS yokwandisa. Iprotocol ye-TLS ifuna ukuba idatha idluliselwe ngokuqhubekayo. Kwimeko yokuphumla kwexesha elide, ikhefu lenzeka kwaye uxhulumaniso kufuneka lusekwe kwakhona. Ukujongana nengxaki, abancedisi kunye nabaxhasi "ingxolo" yetshaneli (RFC 6520, p.5), ukuhambisa ipakethi yobude obungaqhelekanga. Ukuba ibinkulu kunepakethi yonke, ke iinguqulelo ezisesichengeni ze-OpenSSL zifundeka ngenkumbulo ngaphaya kwesithinteli esinikiweyo. Le ndawo ingaqulatha nayiphi na idata, ukuquka nezitshixo zabucala zoguqulelo oluntsonkothileyo kunye nolwazi malunga nolunye uqhagamshelo.

Umngcipheko wawukhona kuzo zonke iinguqulelo zethala leencwadi phakathi kwe-1.0.1 kunye ne-1.0.1f equkayo, kunye nakwinani leenkqubo zokusebenza - Ubuntu ukuya kwi-12.04.4, i-CentOS endala kune-6.5, i-OpenBSD 5.3 kunye nezinye. Kukho uluhlu olupheleleyo kwiwebhusayithi enikezelwe kwiHeartbleed. Nangona amabala achasene nobu sesichengeni akhululwa ngokukhawuleza emva kokufunyanwa kwawo, ingxaki isasebenza nanamhlanje. Emva ngo-2017 phantse 200 amawaka esayithi esebenzayo, uchaphazeleka kwiHeartbleed.

Indlela yokuzikhusela. Kubalulekile hlaziya i-OpenSSL ukuya kwinguqulo 1.0.1g okanye ngaphezulu. Ungakwazi nokuvala izicelo zeHeartbeat ngesandla usebenzisa iDOPENSSL_NO_HEARTBEATS ukhetho. Emva kohlaziyo, iingcali zokhuseleko lolwazi cebisa khupha kwakhona izatifikethi ze-SSL. Ukutshintshwa kuyafuneka kwimeko apho idatha ekwizitshixo ezifihliweyo iphelela ezandleni zabahlaseli.

Ukutshintshwa kwesatifikethi

Indawo elawulwayo enesatifikethi se-SSL esisemthethweni ifakwe phakathi komsebenzisi kunye nomncedisi, ibamba ngenkuthalo itrafikhi. Le node ilinganisa umncedisi osemthethweni ngokubonisa isatifikethi esisebenzayo, kwaye kuyakwenzeka ukwenza uhlaselo lwe-MITM.

Ngokutsho uphando amaqela asuka eMozilla, kuGoogle nakwidyunivesithi ezininzi, malunga ne-11% yoqhagamshelo olukhuselekileyo kuthungelwano luyavalelwa. Esi sisiphumo sokuhlohla izatifikethi zeengcambu ezikrokrelayo kwiikhompyuter zabasebenzisi.

Indlela yokuzikhusela. Sebenzisa iinkonzo ezithembekileyo ababoneleli nge-SSL. Ungajonga "umgangatho" wezatifikethi usebenzisa le nkonzo Isatifikethi sokuNgafihlisi (CT). Ababoneleli ngamafu banokunceda ekuboneni i-eavesdropping; ezinye iinkampani ezinkulu sele zibonelela ngezixhobo ezikhethekileyo zokujonga unxibelelwano lwe-TLS.

Enye indlela yokukhusela iya kuba yinto entsha umgangatho I-ACME, eyenza ngokuzenzekelayo ukufumana izatifikethi ze-SSL. Kwangaxeshanye, iyakongeza iindlela ezongezelelweyo zokuqinisekisa umnini wesiza. Okunye malunga nayo sabhala kwenye yezinto zethu zangaphambili.

Uhlaselo olunokwenzeka kwi-HTTPS kunye nendlela yokukhusela kubo
/Flickr/ KaYuri Samoilov / CC BY

Amathuba e-HTTPS

Ngaphandle kwenani lobuthathaka, izikhulu ze-IT kunye neengcali zokhuseleko lolwazi ziqinisekile ngekamva leprotocol. Ukuphunyezwa okusebenzayo kwe-HTTPS abacebisi Umyili weWWW uTim Berners-Lee. Ngokutsho kwakhe, ngokuhamba kwexesha i-TLS iya kukhuseleka ngakumbi, eya kuphucula kakhulu ukhuseleko loqhagamshelwano. UBerners-Lee wade wayicebisa loo nto iya kuvela kwixesha elizayo izatifikethi zomxhasi zoqinisekiso lwesazisi. Baya kunceda ukuphucula ukhuseleko lomncedisi kubahlaseli.

Kwakhona kucetywa ukuphuhlisa iteknoloji ye-SSL/TLS kusetyenziswa umatshini wokufunda-i-algorithms ehlakaniphile iya kuba noxanduva lokucoca i-traffic enobungozi. Ngoqhagamshelo lwe-HTTPS, abalawuli abanayo indlela yokufumana imixholo yemiyalezo efihliweyo, kubandakanya ukufumanisa izicelo kwi-malware. Okwangoku, iinethiwekhi ze-neural ziyakwazi ukuhluza iipakethi ezinokuba yingozi ngokuchaneka kwe-90%. (umboniso wesilayidi 23).

ezifunyanisiweyo

Uninzi lohlaselo kwi-HTTPS alunxulumananga neengxaki ngeprothokholi ngokwayo, kodwa kukuxhasa iindlela zofihlo eziphelelwe lixesha. Ishishini le-IT liqala ukulahla ngokuthe ngcembe iiprothokholi zesizukulwana sangaphambili kwaye linikeze izixhobo ezitsha zokukhangela ubuthathaka. Kwixesha elizayo, ezi zixhobo ziya kuba krelekrele ngakumbi.

Iilinki ezongezelelweyo ngesihloko:

umthombo: www.habr.com

Yongeza izimvo