The problem of expired root certificates. Next in line: Let's Encrypt and smart TVs


For a browser to authenticate a website, the site presents a valid certificate chain. A typical chain is shown above, and there may be more than one intermediate certificate. The minimum number of certificates in a valid chain is three.

The root certificate is the heart of a certificate authority. It is literally built into your OS or browser and is physically present on your device. It cannot be changed from the server side. A forced update of the OS or of the device firmware is required.

Security expert Scott Helme writes that the main problems will arise with the Let's Encrypt certificate authority, because today it is the most popular CA on the Internet and its root certificate is going to go bad. The Let's Encrypt root change is scheduled for July 8, 2020.

The end-entity and intermediate certificates of the certificate authority (CA) are delivered to the client by the server, while the root certificate is already present on the client, so with this set of certificates the client can build a chain and authenticate the website.

The problem is that every certificate has an expiration date, after which it must be replaced. For example, starting September 1, 2020, the Safari browser plans to introduce a limit on the validity period of server TLS certificates: a maximum of 398 days.

This means that all of us will have to replace our server certificates at least every 12 months. This restriction applies only to server certificates; it does not apply to root CA certificates.

CA certificates are governed by a different set of rules and therefore have different validity limits. It is very common to find intermediate certificates with a validity period of 5 years and root certificates with a service life of 25 years!

Intermediate certificates usually cause no problems, because they are supplied to the client by the server, which changes its own certificate regularly and so replaces the intermediate in the process. It is much easier to replace it together with the server certificate, unlike a root CA certificate.

As we have already said, the root CA is built directly into the client device itself: into the OS, the browser or other software. Changing the root CA is outside the website's control. It requires an update on the client, either an OS update or a software update.

Some root CAs have been around for a very long time; we are talking about 20-25 years. Soon some of the oldest root CAs will approach the end of their natural life, and their time is almost up. For most of us this will not be a problem at all, because the CAs have created new root certificates, and these have been distributed around the world in OS and browser updates for many years. But if someone has not updated their OS or browser for a long time, that is a problem of sorts.

This situation occurred on May 30, 2020 at 10:48:38 GMT. That is the exact time at which the AddTrust root certificate from the Comodo (Sectigo) certificate authority went bad.

It was used for cross-signing, to ensure compatibility with legacy devices that do not have the new USERTrust root certificate in their store.

Unfortunately, problems arose not only in legacy browsers but also in non-browser clients based on OpenSSL 1.0.x, LibreSSL and GnuTLS. For example, in Roku set-top boxes, the Heroku service, Fortinet and Chargify applications, on the .NET Core 2.0 platform for Linux, and many others.

It was assumed that the problem would affect only legacy systems (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, etc.), because modern browsers can use the second root certificate, USERTrust. In reality, failures began in hundreds of web services that used the free OpenSSL 1.0.x and GnuTLS libraries. A secure connection could no longer be established, and the error message indicated that the certificate had expired.

Next in line: Let's Encrypt

Another good example of an upcoming root CA change is the Let's Encrypt certificate authority. Back in April 2019 they planned to switch from the IdenTrust chain to their own ISRG Root chain, but this did not happen.


"Due to concerns about the lack of adoption of the ISRG root on Android devices, we have decided to move the date of the root transition from July 8, 2019 to July 8, 2020," Let's Encrypt said in a statement.

The date had to be postponed because of a problem called "root propagation", or more precisely the lack of root propagation, when a root CA is not widely distributed across all clients.

Let's Encrypt currently uses a cross-signed intermediate certificate chained to IdenTrust DST Root CA X3. That root certificate was issued in September 2000 and expires on September 30, 2021. Until then, Let's Encrypt plans to migrate to its own self-signed ISRG Root X1.


The ISRG root was issued on June 4, 2015. After that, the process of getting it approved as a certificate authority began, and it ended on August 6, 2018. From that point on, the root CA was available to all clients through an operating system or software update. All you had to do was install the update.

But that is exactly the problem.

If your mobile phone, TV or other device has not been updated for two years, how will it know about the new ISRG Root X1 root certificate? And if you do not install it on the system, your device will treat all Let's Encrypt server certificates as invalid as soon as Let's Encrypt switches to the new root. And the Android ecosystem contains many outdated devices that have not been updated for a long time.

The Android ecosystem

That is why Let's Encrypt delayed the move to its own ISRG root and still uses an intermediate that chains down to the IdenTrust root. But the transition will have to be made in any case. The date of the root change is set for July 8, 2020.

To check whether the ISRG X1 root is installed on your device (TV, set-top box or other client), open the test site https://valid-isrgrootx1.letsencrypt.org/. If no security warning appears, then everything is usually fine.

Let's Encrypt is not the only one facing the challenge of migrating to a new root. Cryptography on the Internet began to be used a little over 20 years ago, so now is the time when many root certificates are about to expire.

Owners of smart TVs who have not updated their Smart TV software for many years may run into this problem. For example, the new GlobalSign R5 Root was released in 2012, and since then some old Smart TVs cannot build a chain to it, because they do not have this root CA. In particular, these clients were unable to establish a secure connection to the bbc.co.uk website. To solve the problem, the BBC administrators had to resort to a trick: they built an alternative chain for these clients using additional intermediate certificates, relying on the old roots R3 Root and R1 Root, which have not yet gone bad.

www.bbc.co.uk (Leaf)
GlobalSign ECC OV SSL CA 2018 (Intermediate)
GlobalSign Root CA - R5 (Intermediate)
GlobalSign Root CA - R3 (Intermediate)

This is a temporary solution. The problem will not go away unless the client software is updated. A smart TV is essentially a limited-functionality computer running Linux. And without updates, its root certificates will inevitably go bad.
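The effect of the BBC's extra intermediate can be modelled in a few lines of Python. This is an added example, not code from the original article: the certificate names come from the chain listed above, all dates are constructed, and the records are simplified (no keys or signatures), so it only illustrates how a client searches for a path to a root it already holds.

```python
from datetime import datetime, timezone

def cert(subject, issuer, not_after):
    """Constructed, simplified record; real X.509 also has keys and signatures."""
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(*not_after, tzinfo=timezone.utc)}

def build_chain(leaf, sent, root_store, now):
    """Return subjects from leaf to a trusted root, or None if no path exists."""
    def walk(c, path):
        if c["not_after"] < now:
            return None  # an expired certificate breaks this path
        path = path + [c["subject"]]
        # Prefer a trust anchor the client already holds in its own store.
        for root in root_store:
            if root["subject"] == c["issuer"] and root["not_after"] >= now:
                return path + [root["subject"]]
        # Otherwise keep climbing through certificates the server sent.
        for nxt in sent:
            if nxt["subject"] == c["issuer"] and nxt["subject"] not in path:
                found = walk(nxt, path)
                if found:
                    return found
        return None
    return walk(leaf, [])

# Names are from the chain above; every date here is constructed.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
R5, R3 = "GlobalSign Root CA - R5", "GlobalSign Root CA - R3"
CA2018 = "GlobalSign ECC OV SSL CA 2018"
LEAF = cert("www.bbc.co.uk", CA2018, (2021, 1, 1))
INTER = cert(CA2018, R5, (2028, 1, 1))
R5_CROSS = cert(R5, R3, (2029, 1, 1))   # R5 re-issued under the older R3
R5_ROOT = cert(R5, R5, (2038, 1, 1))
R3_ROOT = cert(R3, R3, (2029, 1, 1))

if __name__ == "__main__":
    print("modern client:    ", build_chain(LEAF, [INTER], [R5_ROOT, R3_ROOT], NOW))
    print("old TV, no extras:", build_chain(LEAF, [INTER], [R3_ROOT], NOW))
    print("old TV, BBC chain:", build_chain(LEAF, [INTER, R5_CROSS], [R3_ROOT], NOW))
```

The third call succeeds only while the older root in the TV's store is itself unexpired, which is why the workaround is temporary.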

This applies to all devices, not just TVs. If you have any device that is connected to the Internet and was advertised as a "smart" device, then the problem of stale certificates almost certainly concerns it. If the device is not updated, its root CA store will become outdated and eventually a problem will surface. How soon the problem occurs depends on when the root store was last updated. That may be several years before the device's release date.
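One way to see how close a client's root store is to this point is to list its roots by remaining lifetime. The script below is an added example, not part of the original article; it uses Python's standard `ssl` module, and the sample records (names, the time of day for DST Root CA X3, the long-lived root) are constructed around the dates given in the text.

```python
import ssl
import time

def rdn_value(name, key):
    """Pull one attribute out of the nested-tuple name format used by ssl."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def audit_roots(ca_certs, now, horizon_days=365):
    """Classify each root as expired, expiring within the horizon, or ok."""
    report = []
    for c in ca_certs:
        not_after = ssl.cert_time_to_seconds(c["notAfter"])
        days_left = int((not_after - now) // 86400)
        status = ("expired" if not_after < now
                  else "expiring" if days_left < horizon_days else "ok")
        subject = c["subject"]
        name = rdn_value(subject, "commonName") or rdn_value(subject, "organizationName")
        report.append((status, days_left, name))
    return sorted(report, key=lambda r: r[1])

# Constructed records in the dict format returned by SSLContext.get_ca_certs().
SAMPLE = [
    {"subject": ((("commonName", "AddTrust root (sample)"),),),
     "notAfter": "May 30 10:48:38 2020 GMT"},
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 00:00:00 2021 GMT"},   # time of day is constructed
    {"subject": ((("organizationName", "Example long-lived root"),),),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},   # hypothetical root
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2020 GMT")  # constructed

if __name__ == "__main__":
    # get_ca_certs() can be empty when the platform loads roots lazily from
    # a directory; fall back to the constructed sample in that case.
    store = ssl.create_default_context().get_ca_certs() or SAMPLE
    for status, days, name in audit_roots(store, time.time()):
        print(f"{status:9} {days:6d}d  {name}")
```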

By the way, this is why some large media platforms cannot use modern automated certificate authorities such as Let's Encrypt, writes Scott Helme. They are not suitable for smart TVs, and the number of roots is too small to guarantee certificate support on legacy devices. Otherwise the TV simply cannot launch modern streaming services.

The recent incident with AddTrust showed that even large IT companies are not prepared for the expiry of a root certificate.

There is only one solution to the problem: updating. Developers of smart devices must provide, in advance, a mechanism for updating the software and the root certificates. On the other hand, manufacturers have no incentive to keep their devices working after the warranty period has ended.



Source: www.habr.com
