ALPACA - a new MITM attack technique against HTTPS

A group of researchers from several universities in Germany has developed a new MITM attack on HTTPS that can extract session cookies and other sensitive data, as well as execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and can be applied to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but use shared TLS certificates.

The essence of the attack is that an attacker who controls a network gateway or a wireless access point can redirect web traffic to a different network port and arrange for a connection to be established with an FTP or mail server that supports TLS encryption and uses a TLS certificate shared with the HTTP server; the user's browser will assume that the connection has been established with the requested HTTP server. Because the TLS protocol is generic and not tied to the application-layer protocol, establishing an encrypted connection is identical for all services, and the mistake of sending the request to the wrong service can only be detected after the encrypted session has been set up, while the commands of the transmitted request are being processed.

Accordingly, if, for example, a user's connection addressed to HTTPS is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will not be able to process the transmitted HTTP commands and will return a response with an error code. The browser will treat this response as a reply from the requested site, delivered over a correctly established encrypted channel.

Three attack variants are proposed:

  • "Upload" to retrieve a Cookie containing authentication parameters. The method works if the FTP server covered by the TLS certificate allows data to be uploaded and retrieved. In this attack variant, the attacker can cause parts of the user's original HTTP request, such as the contents of the Cookie header, to be preserved, for example if the FTP server interprets the request as a file to be stored or fully logs incoming requests. For a successful attack, the attacker then needs to extract the stored contents. The attack works against Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  • "Download" to set up cross-site scripting (XSS). The method assumes that the attacker, as a result of some separate manipulation, can place data in a service that uses the shared TLS certificate, which can then be served in response to a user's request. The attack applies to the FTP servers mentioned above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  • "Reflection" to execute JavaScript in the context of another site. The method is based on returning to the client a part of the request containing JavaScript code sent by the attacker. The attack applies to the FTP servers mentioned above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.


For example, when a user opens a page controlled by the attacker, that page can initiate a resource request to a site where the user has an active account (for example, bank.com). During the MITM attack, this request addressed to the bank.com website can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" will be processed as unknown commands (the mail server will return "500 unknown command" for each header).

The mail server does not understand the specifics of the HTTP protocol, and for it the service headers and the data block of the POST request are processed in the same way, so the body of the POST request can contain a line with a command for the mail server. For example, one can pass: MAIL FROM: alert(1); to which the mail server will return the 501 error message alert(1); : malformed address: alert(1); may not follow

This response will be received by the user's browser, which will execute the JavaScript code not in the context of the attacker's opened website, but in the context of the bank.com website to which the request was sent, since the response arrived within a correct TLS session whose certificate confirmed the authenticity of the bank.com response.


A global network scan showed that, in general, about 1.4 million web servers are affected by the problem, on which an attack by mixing requests across different protocols is possible. The possibility of a real attack was determined for 119 thousand web servers that had accompanying TLS servers based on other application protocols.

Exploit examples have been prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u, the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra, and the SMTP servers postfix, exim, sendmail, mdaemon and opensmtpd. The researchers found that it is possible to carry out the attack only in combination with FTP, SMTP, IMAP and POP3 servers, but the problem may possibly also arise with other application protocols that use TLS.


To block the attack, it is proposed to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate the TLS session with the application protocol taken into account, and the SNI (Server Name Indication) extension to bind to the host name in the case of TLS certificates that cover several domain names. On the application side, it is recommended to limit the number of errors while processing commands, after which the connection is terminated. The process of developing measures to block the attack began in October last year. Corresponding security measures have already been taken in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
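As an added example (not code from the researchers or from any of the projects named above), here is a Go crypto/tls server policy that applies both recommendations at the TLS layer: the listener advertises only its own ALPN protocol, refuses a ClientHello whose ALPN list does not contain it, and refuses one whose SNI is not a name this listener serves. The protocol identifier, host names and ClientHello values are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AlpacaPolicy (constructed, not from any project) refuses a handshake on a mail or FTP
// listener sharing an HTTPS certificate unless ALPN names the expected protocol and SNI names this host.
type AlpacaPolicy struct {
	Proto string   // ALPN identifier this listener serves (assumed, e.g. "smtp")
	Hosts []string // SNI names this listener may answer for
}

// Check rejects a ClientHello from a redirected browser (h2/http/1.1, or no
// ALPN at all) or one whose SNI names a host this listener does not serve.
func (p AlpacaPolicy) Check(hello *tls.ClientHelloInfo) error {
	found := false
	for _, sp := range hello.SupportedProtos {
		found = found || sp == p.Proto
	}
	if !found {
		return fmt.Errorf("alpaca: client offered %v, listener speaks only %q", hello.SupportedProtos, p.Proto)
	}
	for _, h := range p.Hosts { // bind to one name even if the cert covers many
		if hello.ServerName == h {
			return nil
		}
	}
	return fmt.Errorf("alpaca: SNI %q is not served by this listener", hello.ServerName)
}

// Config builds a tls.Config that enforces the policy on every handshake.
func (p AlpacaPolicy) Config(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{p.Proto}, // advertise only our own protocol
		MinVersion:   tls.VersionTLS12,
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			return nil, p.Check(h) // nil keeps this config; an error aborts
		},
	}
}

func main() {
	p := AlpacaPolicy{Proto: "smtp", Hosts: []string{"mail.example.com"}}
	// Constructed hellos: a redirected browser request, then a real mail client.
	fmt.Println(p.Check(&tls.ClientHelloInfo{ServerName: "bank.example.com", SupportedProtos: []string{"h2", "http/1.1"}}))
	fmt.Println(p.Check(&tls.ClientHelloInfo{ServerName: "mail.example.com", SupportedProtos: []string{"smtp"}}))
}
```

Because the check runs inside the handshake, a redirected browser connection is aborted before any HTTP bytes reach the mail or FTP command parser, so the error-limit recommendation above only has to cover clients that negotiated the right protocol.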

source: opennet.ru
