Expiry of the IdenTrust root certificate will cause loss of trust in Let's Encrypt on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3) expires. It was used to cross-sign the root certificate of the Let's Encrypt certification authority (ISRG Root X1), which is community-governed and issues certificates free of charge to everyone. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was still being integrated into root certificate stores.

It was originally planned that after DST Root CA X3 was retired, the Let's Encrypt project would switch to issuing signatures using only its own root certificate, but such a step would mean losing compatibility with a large number of older systems that never added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no record of the Let's Encrypt root certificate; support for it only appeared with Android 7.1.1, released at the end of 2016.

Let's Encrypt had not planned to enter into a new cross-signing agreement, since this places additional obligations on the parties to the agreement, deprives them of independence, and ties their hands by requiring compliance with all the procedures and rules of another certification authority. But because of the problems expected on a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certification authority, under which another cross-signed Let's Encrypt intermediate certificate was created. The cross-signature will be valid for three years and will preserve support for Android devices starting from version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, once the DST Root CA X3 certificate expires on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems, where the ISRG Root X1 certificate must be added to the root certificate store by hand to restore trust in Let's Encrypt certificates. Problems will appear in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch ended in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being processed correctly when one of the root certificates used for signing expires, even if other valid chains of trust remain. The problem first surfaced last year, after the AddTrust certificate used to cross-sign certificates from the Sectigo (Comodo) certification authority expired. The essence of the problem is that OpenSSL treated the certificate chain as a linear path, whereas according to RFC 4158 the certificates can form a distributed directed graph with multiple trust anchors that all need to be taken into account.

Users of older distributions based on OpenSSL 1.0.2 are offered three ways to work around the problem:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, specify the "--trusted_first" option.
  • Use on the server a certificate chained to the separate ISRG Root X1 root certificate, which has no cross-signature. This approach will lose compatibility with older Android clients.
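To make the linear-chain versus graph distinction and the first two workarounds concrete, here is an added example (not code from the article or from OpenSSL) that models path building over constructed stand-ins for the certificates involved; subjects, issuers and expiry dates are illustrative and signatures are not modelled. `linear_verify` follows the single-path behaviour described above, with a `trusted_first` switch standing in for the trusted-first option, while `graph_verify` backtracks over every issuer as RFC 4158 describes.

```python
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "subject issuer not_after")  # signatures are not modelled
def is_anchor(cert, store):
    return cert in store and cert.subject == cert.issuer

def linear_verify(leaf, untrusted, store, at, trusted_first=False):
    """Single-path builder modelled on the OpenSSL 1.0.2 behaviour the article
    describes: follow the first issuer found, commit to the first anchor reached,
    and consult the store for alternatives only when no anchor was reached."""
    pool = store + untrusted if trusted_first else untrusted + store
    chain = [leaf]
    while not is_anchor(chain[-1], store):
        cands = [c for c in pool if c.subject == chain[-1].issuer and c not in chain]
        if not cands:
            break
        chain.append(cands[0])
    if not is_anchor(chain[-1], store):  # dead end: retry each level against the store
        for i in range(len(chain) - 1, 0, -1):
            alt = [c for c in store if c.subject == chain[i - 1].issuer]
            if alt:
                chain = chain[:i] + [alt[0]]
                break
    ok = is_anchor(chain[-1], store) and all(at <= c.not_after for c in chain)
    return chain if ok else None

def graph_verify(leaf, untrusted, store, at):
    """RFC 4158 style: treat the certificates as a graph, try every issuer candidate
    and backtrack, so an expired anchor on one path cannot block another path."""
    def dfs(chain):
        cur = chain[-1]
        if at > cur.not_after:
            return None
        if is_anchor(cur, store):
            return chain
        for c in untrusted + store:
            if c.subject == cur.issuer and c not in chain:
                if found := dfs(chain + [c]):
                    return found
        return None
    return dfs([leaf])

# Constructed stand-ins for the real certificates; expiry dates are illustrative.
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed copy
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = Cert("example.org", "R3", date(2021, 12, 1))
SERVER_CHAIN, STORE = [LEAF, R3, ISRG_X1_CROSS], [DST_X3, ISRG_X1]  # server-sent certs, trust store
```

After the constructed expiry date the linear builder fails against a store holding both roots, succeeds with `trusted_first=True` or with DST Root CA X3 removed from the store, and the graph builder succeeds with no changes at all.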

In addition, it can be noted that the Let's Encrypt project has passed the milestone of two billion issued certificates. The one billion milestone was reached in February of last year. 2.2-2.4 million new certificates are issued every day. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (195 million domains were covered a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (a year ago - 81%, two years ago - 77%, three years ago - 69%, four years ago - 58%).

Source: opennet.ru