Mozilla has announced that support for the ECH (Encrypted Client Hello) mechanism is now enabled for users of the stable branch of Firefox. ECH continues the development of the ESNI (Encrypted Server Name Indication) technology and is designed to hide information about TLS session parameters, such as the requested domain name. The code for working with ECH was added back in Firefox 85, but was disabled by default. Chrome began gradually enabling ECH support starting with the release of Chrome 115.
Since, in addition to the connection with the server, information about the requested domain also leaks through DNS, full protection requires using DNS over HTTPS or DNS over TLS alongside ECH to encrypt DNS traffic. Firefox will not use ECH unless DNS over HTTPS is enabled in the settings. You can check ECH support in your browser on this page.
One of the factors behind enabling ECH support by default in Firefox was Cloudflare's enabling of ECH support on its content delivery network a few days ago. On the practical side, since data about the requested hosts is hidden from analysis when ECH is used, filtering and blocking unwanted sites that use the Cloudflare CDN will now require blocking the entire Cloudflare network, blocking all requests that use ECH, or setting up HTTPS interception using fake root certificates on the user's system.
Originally, to host multiple HTTPS sites on a single IP address, the TLS extension SNI was used, in which the requested host name is transmitted in the ClientHello message sent before the encrypted communication channel is established. This feature made it possible to distribute requests among virtual hosts at the initial stage of connection processing, but it also allowed the ISP side to selectively filter HTTPS traffic and analyze which sites the user opens, which prevented complete privacy when using HTTPS.
To solve this problem and prevent the leakage of information about the requested site, the ESNI extension was later proposed, which encrypts the data containing the host name. During the implementation of ESNI, it became clear that the proposed method did not cover all possible sources of host-name leakage and that using it was not enough to ensure the complete privacy of HTTPS sessions. In particular, when resuming a previously established session, the domain name continued to be specified in clear text among the parameters of the PSK (Pre-Shared Key) TLS extension. In addition, attempts to implement ESNI revealed compatibility and scalability issues that prevented its widespread adoption.
Taking the identified shortcomings of ESNI into account, a new universal ECH mechanism was developed that allows the parameters of any TLS extensions to be encrypted. Technically, the main difference between ECH and ESNI is that instead of individual fields, the entire ClientHello message is encrypted at once. ECH splits ClientHello into two separate messages: an encrypted ClientHelloInner message (SNI Inner) and an unencrypted outer ClientHelloOuter message (SNI Outer). The unencrypted SNI Outer carries non-private data such as the TLS version and the list of ciphers used, together with a generic domain name that is unrelated to the actual requested domain name. For example, for all Cloudflare customers the unencrypted outer SNI specifies the generic host "cloudflare-ech.com", while the actual requested host name is passed in the encrypted SNI Inner and is not available for analysis.

ECH also uses a different mechanism for distributing encryption keys: public key information is transmitted in HTTPSVC DNS records instead of TXT records. Authenticated encryption based on the HPKE (Hybrid Public Key Encryption) method is used to obtain the key and to encrypt with it. ECH also supports secure key transfer from the server, which can be used when rotating keys on the server and to solve the problem of obtaining stale keys from the DNS cache.
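As an added example (not from the article, nor code from Mozilla or Cloudflare), the following Python parses the ECHConfigList that a client obtains from the DNS HTTPS record (the base64 `ech=` parameter, taken here already decoded to bytes): it extracts the HPKE KEM id, public key, cipher suites and the public name that ends up in the unencrypted outer SNI, skips configs of unknown versions and rejects any extension flagged as mandatory. The sample record and its 32-byte key are constructed placeholders, not a real Cloudflare config.

```python
import struct

ECH_VERSION = 0xFE0D  # version of the current ECHConfig wire format

def _vec(buf, pos, len_bytes):
    """Read a TLS length-prefixed vector at pos; return (value, position after it)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("vector runs past end of buffer")
    return buf[pos:pos + n], pos + n

def _parse_contents(c):
    """ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    config_id, kem_id = struct.unpack_from("!BH", c, 0)
    public_key, p = _vec(c, 3, 2)
    suites_raw, p = _vec(c, p, 2)
    if not suites_raw or len(suites_raw) % 4:
        raise ValueError("malformed cipher_suites")
    suites = [struct.unpack_from("!HH", suites_raw, i) for i in range(0, len(suites_raw), 4)]
    max_name_len = c[p]
    public_name, p = _vec(c, p + 1, 1)
    exts_raw, _ = _vec(c, p, 2)
    pos = 0
    while pos < len(exts_raw):  # no extensions implemented here, so a mandatory one (high bit set) is fatal
        ext_type = struct.unpack_from("!H", exts_raw, pos)[0]
        _, pos = _vec(exts_raw, pos + 2, 2)
        if ext_type & 0x8000:
            raise ValueError("unsupported mandatory extension 0x%04x" % ext_type)
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
            "maximum_name_length": max_name_len, "public_name": public_name.decode("ascii")}

def parse_ech_config_list(data):
    """Parse an ECHConfigList (decoded ech= value); unknown versions are skipped, as clients must do."""
    body, end = _vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        version = struct.unpack_from("!H", body, pos)[0]
        contents, pos = _vec(body, pos + 2, 2)
        if version == ECH_VERSION:
            configs.append(_parse_contents(contents))
    return configs

# Constructed ECHConfigList with a dummy key: X25519 KEM, HKDF-SHA256/AES-128-GCM, public_name as in the article
SAMPLE_ECH = bytes.fromhex(
    "0045" "fe0d" "0041" "42" "0020"                 # list length; version, length; config_id, kem_id
    "0020" "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"  # public_key (dummy)
    "0004" "0001" "0001" "00"                       # cipher_suites, maximum_name_length
    "12" "636c6f7564666c6172652d6563682e636f6d" "0000")  # public_name "cloudflare-ech.com", no extensions
```

Feeding the decoded `ech=` value of a real HTTPS record to `parse_ech_config_list` shows which public name a client will put in the outer SNI and which HPKE suites the server accepts.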
Source: opennet.ru
