Mozilla uses CRLite to check for problematic TLS certificates

Mozilla has announced the start of testing, in Firefox nightly builds, of a new mechanism for detecting revoked certificates: CRLite. CRLite makes it possible to check certificate revocation efficiently against a database kept on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code that generates the database and the server-side components is written in Python and Go; the client-side parts added to Firefox for reading data from the database are written in Rust.

Verifying certificates through external services based on the still widely used OCSP (Online Certificate Status Protocol) requires guaranteed network access, adds a significant delay to request processing (350 ms on average) and raises privacy problems (the OCSP servers answering the requests learn which specific certificates are being checked, which can be used to infer which sites the user is visiting). Local checking against CRLs (Certificate Revocation Lists) is also possible, but the drawback of this approach is the very large volume of data to download: the database of revoked certificates currently takes about 300 MB, and it keeps growing.

To block certificates that have been compromised and revoked by certificate authorities, Firefox has used the centralized OneCRL blocklist since 2015, combined with a call to Google's Safe Browsing service to identify possible malicious activity. OneCRL, like CRLSets in Chrome, acts as an intermediate link that aggregates the CRLs from certificate authorities and provides a single centralized OCSP service for checking revoked certificates, so that requests do not have to be sent directly to the certificate authorities. Despite a great deal of work to improve the reliability of online certificate verification, telemetry data shows that more than 7% of OCSP requests time out (a few years ago this figure was 15%).

By default, if verification via OCSP is not possible, the browser treats the certificate as valid (soft-fail). The service may be unavailable because of network problems or restrictions in internal networks, or it may be blocked by an attacker: to bypass the OCSP check during a MITM attack it is enough to block access to the verification service. To partially counter such attacks, the Must-Staple technique was introduced, which allows an OCSP access error or OCSP unavailability to be treated as a problem with the certificate, but this feature is optional and requires the certificate to be specially issued with it.

CRLite makes it possible to combine complete information about all revoked certificates into an easily updated structure only about 1 MB in size, which makes it feasible to keep a complete CRL database on the client side. The browser will be able to synchronize its copy of the revocation data daily, and this database will be available under any network conditions.

CRLite combines information from Certificate Transparency, the public log of all issued certificates, with the results of Internet-wide certificate scanning (the separate CRLs of the certificate authorities are collected, and the information about all known certificates is merged). The data is packed using a cascade of Bloom filters, a probabilistic structure that can report an element as present when it is not (false positives) but never misses an element that is present (no false negatives). In other words, with some probability a valid certificate may be wrongly flagged, but a revoked certificate is guaranteed to be detected.

To eliminate the false positives, CRLite adds further correcting filter levels. After the structure is generated, all source records are checked against it and any false positives are identified. Based on the results of this check, an additional structure is created, cascaded onto the first, that corrects the false positives found. The operation is repeated until no false positives remain during the control check. Typically 7-10 layers are enough to cover all the data completely. Because the database state, owing to the periodic synchronization, lags slightly behind the current state of the CRLs, new certificates issued after the last update of the CRLite database are checked using OCSP, including OCSP Stapling (an OCSP response signed by the certificate authority is delivered by the web server itself when the TLS connection is negotiated).
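The filter cascade described in the two paragraphs above, as an added worked example (this is not Mozilla's code and not the on-disk format Firefox uses): layer 0 is a Bloom filter over the revoked serials, layer 1 holds the valid serials that layer 0 wrongly matches, layer 2 holds the revoked serials that layer 1 wrongly matches, and so on until a control check finds no false positives. The serial numbers, the issuer label, the snapshot date and the `check_status` fallback rule (certificates issued after the snapshot get no answer and are left to OCSP) are all constructed for the example; the first-layer false-positive rate of sqrt(2)·|R|/|S| follows the CRLite paper's choice, later layers use 0.5.

```python
"""Filter cascade in the style of CRLite (added example, not Mozilla's code).

R = constructed set of revoked serials, S = constructed set of valid serials.
The cascade must answer exactly for every serial in R | S; serials that were
not in the snapshot (e.g. issued later) get no answer and fall back to OCSP.
"""
import hashlib
import math
from datetime import date


class BloomFilter:
    """Minimal Bloom filter: m bits and k hashes sized from n items and a target FP rate."""

    def __init__(self, n_items, fp_rate, salt):
        n = max(1, n_items)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.salt = salt  # distinct per layer, so the layers' errors are independent
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(b"%d|%d|%s" % (self.salt, i, item)).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


def build_cascade(revoked, valid):
    """Add layers until no element of the current 'exclude' side is a false positive.

    Each layer's exclude set is the previous layer's include set, so the sets stay
    disjoint and the false positives shrink geometrically.
    """
    include, exclude = set(revoked), set(valid)
    assert not include & exclude, "revoked and valid sets must be disjoint"
    layers = []
    while include:
        # First layer: low FP rate proportional to |R|/|S| (sqrt(2)*|R|/|S| as in the
        # CRLite paper); every later correction layer targets a 0.5 FP rate.
        if layers:
            rate = 0.5
        else:
            rate = min(0.5, math.sqrt(2) * len(include) / max(1, len(exclude)))
        layer = BloomFilter(len(include), rate, salt=len(layers))
        for item in include:
            layer.add(item)
        false_positives = {x for x in exclude if x in layer}  # the control check
        layers.append(layer)
        include, exclude = false_positives, include
    return layers


def is_revoked(layers, serial):
    """Walk the cascade: dropping out at an odd layer means the preceding revoked-side
    layer matched and no correction layer overrode it (revoked); dropping out at an
    even layer means valid. Only meaningful for serials that were in the snapshot."""
    for depth, layer in enumerate(layers):
        if serial not in layer:
            return depth % 2 == 1
    return len(layers) % 2 == 1


def check_status(layers, snapshot_date, serial, not_before):
    """CRLite-style decision: certificates issued after the snapshot was built are not
    covered, so None is returned and the caller must fall back to OCSP."""
    if not_before > snapshot_date:
        return None
    return is_revoked(layers, serial)


def cascade_errors(layers, revoked, valid):
    """Misclassifications over the enrolled sets; zero by construction."""
    wrong = sum(1 for s in revoked if not is_revoked(layers, s))
    wrong += sum(1 for s in valid if is_revoked(layers, s))
    return wrong


def total_size_bytes(layers):
    return sum(layer.size_bytes() for layer in layers)


# Constructed sample data: 1,000 revoked and 20,000 valid serials from one issuer.
REVOKED = {b"issuer-A:%08x" % i for i in range(1000)}
VALID = {b"issuer-A:%08x" % i for i in range(1000, 21000)}
SNAPSHOT = date(2019, 12, 1)        # constructed snapshot date
ISSUED_AFTER = date(2020, 1, 15)    # a certificate newer than the snapshot
CASCADE = build_cascade(REVOKED, VALID)

if __name__ == "__main__":
    print("layers:", len(CASCADE), "cascade bytes:", total_size_bytes(CASCADE),
          "vs", 16 * len(REVOKED), "bytes for a plain list of revoked serials")
    print("errors on enrolled serials:", cascade_errors(CASCADE, REVOKED, VALID))
    print("revoked serial:", check_status(CASCADE, SNAPSHOT, b"issuer-A:%08x" % 7, SNAPSHOT))
    print("newer than snapshot, use OCSP:",
          check_status(CASCADE, SNAPSHOT, b"issuer-A:%08x" % 99999, ISSUED_AFTER))
```

The control check inside `build_cascade` is what turns a probabilistic filter into an exact answer: the cascade is only exact for serials that were fed in, which is why `check_status` refuses to answer for anything issued after the snapshot rather than guessing. The whole structure for 1,000 revocations comes out at a few kilobytes, well under the 16 KB a plain list of those serials would take.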

Using Bloom filters, a December snapshot of WebPKI data covering 100 million active certificates and 750 thousand revoked certificates was packed into a structure 1.3 MB in size. Generating the structure is quite resource-intensive, but it is done on Mozilla's servers and the user receives a ready-made update. For example, in binary form the source data used during generation needs about 16 GB of memory when stored in the Redis DBMS, and in hexadecimal form a dump of all certificate serial numbers takes about 6.7 GB. Merging all revoked and active certificates takes about 40 minutes, and generating the packed Bloom-filter structure takes another 20 minutes.

Mozilla currently regenerates the CRLite database four times a day (not every update is delivered to clients). Delta updates are not yet implemented: bsdiff4, which is used to build delta updates for releases, is not efficient enough for CRLite and produces unreasonably large updates. To remove this drawback, it is proposed to rework the storage format so as to avoid needless rebuilding and removal of layers.

CRLite currently runs in Firefox in passive mode and is used alongside OCSP to collect statistics on whether it works correctly. CRLite can be switched to being the primary check; to do this, set security.pki.crlite_mode = 2 in about:config.

Source: opennet.ru