Iketango lokwethenjwa. I-CC BY-SA 4.0
Ukuhlolwa kwethrafikhi ye-SSL (ukukhishwa kwemfihlo kwe-SSL/TLS, ukuhlaziywa kwe-SSL noma i-DPI) kuba isihloko esishisayo sengxoxo emkhakheni wezinkampani. Umqondo wokususa ukubethela kwethrafikhi ubonakala uphikisana nomqondo wokubethela. Kodwa-ke, iqiniso liyiqiniso: izinkampani eziningi zisebenzisa ubuchwepheshe be-DPI, zichaza lokhu ngesidingo sokuhlola okuqukethwe kwe-malware, ukuvuza kwedatha, njll.
Nokho, uma silamukela iqiniso lokuthi ubuchwepheshe obunjalo budinga ukusetshenziswa, kufanele okungenani sicabangele izindlela zokukwenza ngendlela ephephile nephethwe kahle kakhulu ngangokunokwenzeka. Okungenani unganciki kulezo zitifiketi, isibonelo, onikezwa umhlinzeki wesistimu ye-DPI.
Kunesici esisodwa sokusebenza okungeyena wonke umuntu owaziyo ngaso. Eqinisweni, abantu abaningi bayamangala ngempela lapho bezwa ngakho. Lesi isiphathimandla sezitifiketi esizimele (CA). Ikhiqiza izitifiketi zokususa ukubhala nokubhala kabusha ithrafikhi.
Esikhundleni sokuthembela kuzitifiketi ezizisayinele noma izitifiketi ezivela kumadivayisi e-DPI, ungasebenzisa i-CA ezinikele evela kwabasemagunyeni bezitifiketi zenkampani yangaphandle njenge-GlobalSign. Kodwa okokuqala, ake senze umbono omncane wenkinga ngokwayo.
Kuyini ukuhlolwa kwe-SSL futhi kungani isetshenziswa?
Ayanda amawebhusayithi asesidlangalaleni athuthela ku-HTTPS. Ngokwesibonelo, ngokusho , ekuqaleni kukaSepthemba 2019, isabelo sethrafikhi ebethelwe eRussia sifinyelele ku-83%.
Ngeshwa, ukubethela kwethrafikhi kuya ngokuya kusetshenziswa abahlaseli, ikakhulukazi njengoba i-Let Encrypt sisabalalisa izinkulungwane zezitifiketi zamahhala ze-SSL ngendlela ezenzakalelayo. Ngakho-ke, i-HTTPS isetshenziswa yonke indawo - futhi i-padlock kubha yekheli lesiphequluli iyekile ukusebenza njengenkomba ethembekile yokuphepha.
Abakhiqizi bezixazululo ze-DPI bathuthukisa imikhiqizo yabo kulezi zikhundla. Ashumekwe phakathi kwabasebenzisi bokugcina (okungukuthi, abasebenzi bakho abaphequlula iwebhu) kanye ne-inthanethi, ehlunga ithrafikhi enonya. Kunenqwaba yemikhiqizo enjalo emakethe namuhla, kodwa izinqubo ziyafana. Ithrafikhi ye-HTTPS idlula kudivayisi yokuhlola lapho isuswe ukubethela futhi ihlolelwe uhlelo olungayilungele ikhompuyutha.
Uma ukuqinisekiswa sekuqediwe, idivayisi idala iseshini entsha ye-SSL neklayenti lokugcina ukuze lisuse ukubethela futhi libethele kabusha okuqukethwe.
Isebenza kanjani inqubo yokususa ukubethela/yokubethela kabusha
Ukuze umshini wokuhlola we-SSL unqamule futhi ubethele kabusha amaphakethe ngaphambi kokuwathumela kubasebenzisi bokugcina, kufanele ukwazi ukukhipha izitifiketi ze-SSL ngokushesha. Lokhu kusho ukuthi kufanele ibe nesitifiketi se-CA esifakiwe.
Kubalulekile enkampanini (noma ubani ophakathi nendawo) ukuthi lezi zitifiketi ze-SSL zithenjwa iziphequluli (okungukuthi, ungaqalisi imilayezo eyisixwayiso esabekayo efana nale engezansi). Ngakho-ke i-CA chain (noma i-hierarchy) kufanele ibe sesitolo sokuthembana sesiphequluli. Ngenxa yokuthi lezi zitifiketi azikhishwa kuziphathimandla zezitifiketi ezethenjwa esidlangalaleni, kufanele usabalalise mathupha isigaba se-CA kuwo wonke amaklayenti.
Umlayezo wesexwayiso wesitifiketi esizisayine wena ku-Chrome. Umthombo:
Kumakhompyutha e-Windows, ungasebenzisa I-Active Directory kanye ne-Group Policies, kodwa kumadivaysi eselula inqubo iyinkimbinkimbi kakhulu.
Isimo siba nzima nakakhulu uma udinga ukusekela ezinye izitifiketi zezimpande endaweni yebhizinisi, isibonelo, kusukela ku-Microsoft, noma ngokusekelwe ku-OpenSSL. Kanye nokuvikelwa nokuphathwa kokhiye abayimfihlo ukuze noma yibaphi okhiye bangaphelelwa yisikhathi ngokungalindelekile.
Inketho engcono kakhulu: isitifiketi esiyimfihlo, esizinikezele sempande esivela ku-CA yenkampani yangaphandle
Uma ukuphatha izimpande eziningi noma izitifiketi zokuzisayinda kungakhangi, kukhona enye inketho: ukuthembela ku-CA yenkampani yangaphandle. Kulokhu, izitifiketi zikhishwa kusuka okuyimfihlo i-CA exhunywe ochungechungeni lokuthembela ku-CA ezinikele, eyimfihlo edalelwe inkampani ngokukhethekile.
Izakhiwo ezenziwe lula zezitifiketi zempande yeklayenti elizinikele
Lokhu kusetha kuqeda ezinye zezinkinga ezishiwo ekuqaleni: okungenani kunciphisa inani lezimpande ezidinga ukuphathwa. Lapha ungasebenzisa igunya lempande eyodwa nje eyimfihlo kuzo zonke izidingo zangaphakathi ze-PKI, nganoma iyiphi inombolo yama-CA amaphakathi. Isibonelo, umdwebo ongenhla ubonisa ukulandelana kwamazinga amaningi lapho enye ye-CAs emaphakathi isetshenziselwa ukuqinisekiswa/ukukhipha ikhodi ye-SSL kanti enye isetshenziselwa amakhompyutha angaphakathi (amakhompyutha aphathekayo, amaseva, amadeskithophu, njll.).
Kulo mklamo, asikho isidingo sokusingatha i-CA kuwo wonke amaklayenti ngoba i-CA yezinga eliphezulu ibanjwe yi-GlobalSign, exazulula izinkinga zokuvikela ukhiye oyimfihlo kanye nezinkinga zokuphelelwa yisikhathi.
Enye inzuzo yale ndlela yikhono lokuhoxisa isiphathimandla sokuhlola se-SSL nganoma yisiphi isizathu. Kunalokho, entsha imane idalwe, eboshelwe empandeni yakho yangasese yasekuqaleni, futhi ungayisebenzisa ngokushesha.
Naphezu kwayo yonke impikiswano, amabhizinisi aya ngokuya esebenzisa ukuhlolwa kwethrafikhi ye-SSL njengengxenye yengqalasizinda yawo yangaphakathi noma yangasese ye-PKI. Okunye ukusetshenziswa kwe-PKI eyimfihlo kufaka phakathi ukukhipha izitifiketi zedivayisi noma ukuqinisekiswa komsebenzisi, i-SSL yamaseva angaphakathi, nokulungiselelwa okuhlukahlukene okungavunyelwe kuzitifiketi ezithenjwayo zomphakathi njengoba kudingwa yi-CA/Browser Forum.
Iziphequluli ziyalwa
Kufanele kuqashelwe ukuthi abathuthukisi beziphequluli bazama ukulwa nale threndi futhi bavikele abasebenzisi bokugcina ku-MiTM. Isibonelo, ezinsukwini ezimbalwa ezedlule i-Mozilla Nika amandla iphrothokholi ye-DoH (DNS-over-HTTPS) ngokuzenzakalela kwenye yezinguqulo zesiphequluli ezilandelayo kuFirefox. Iphrothokholi ye-DoH ifihla imibuzo ye-DNS ohlelweni lwe-DPI, okwenza ukuhlolwa kwe-SSL kube nzima.
Mayelana nezinhlelo ezifanayo Septhemba 10, 2019 I-Google yesiphequluli se-Chrome.
Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. , wamukelekile.
Ingabe ucabanga ukuthi inkampani inelungelo lokuhlola ithrafikhi ye-SSL yabasebenzi bayo?
-
Yebo, ngemvume yabo
-
Cha, ukucela leyo mvume akukho emthethweni futhi/noma akulungile
Bangu-122 abasebenzisi abavotile. Abasebenzisi abangu-15 bagobile.
Source: www.habr.com