How DNSCrypt solved the problem of expired certificates by introducing a 24-hour validity period


In the past, certificates often expired because they had to be renewed manually. People simply forgot to do it. With the arrival of Let's Encrypt and automatic renewal, it would seem the problem should be solved. But the recent Firefox story shows that it is, in fact, still relevant. Unfortunately, certificates continue to expire.

In case you missed the story: at midnight on May 4, 2019, almost all Firefox extensions suddenly stopped working.

As it turned out, the mass failure happened because the Mozilla certificate used to sign extensions had expired. As a result, the extensions were marked as "invalid" and failed verification (technical details). On forums, the suggested workarounds were to disable extension signature verification in about:config or to change the system clock.

Mozilla promptly released the Firefox 66.0.4 patch, which fixes the problem with the invalid certificate, and all extensions return to normal. The developers recommend installing it and not using any workarounds that bypass signature verification, because they may conflict with the patch.

Still, this story shows once again that certificate expiration remains a pressing issue today.

In this regard, it is interesting to look at the rather original way the developers of the DNSCrypt protocol handled this task. Their solution can be divided into two parts. First, short-lived certificates. Second, warning users about the expiration of long-lived ones.

DNSCrypt

DNSCrypt is a protocol for encrypting DNS traffic. It protects DNS communications from interception and MiTM, and it also lets you bypass blocking at the DNS query level.

The protocol wraps DNS traffic between the client and the server in a cryptographic construction and works over the UDP and TCP transport protocols. To use it, both the client and the DNS resolver must support DNSCrypt. For example, since March 2016 it has been enabled on Yandex's DNS servers and in the Yandex browser. Several other providers have also announced support, including Google and Cloudflare. Unfortunately, there are not many of them (152 public DNS servers are listed on the official website). But the dnscrypt-proxy program can be installed manually on Linux, Windows and macOS clients. There are also server implementations.


How does DNSCrypt work? In short, the client takes the public key of the chosen provider and uses it to verify the provider's certificates. The certificates already contain the short-term public keys for the session and the cipher suite identifier. Clients are encouraged to generate a new key for every query, and servers are encouraged to rotate keys every 24 hours. Key exchange uses the X25519 algorithm, signing uses EdDSA, and block encryption uses XSalsa20-Poly1305 or XChaCha20-Poly1305.

One of the protocol's developers, Frank Denis, writes that automatic rotation every 24 hours solved the problem of expired certificates. In fact, the dnscrypt-proxy reference client accepts certificates with any validity period, but it issues the warning "The dnscrypt-proxy key period for this server is too long" if the certificate is valid for more than 24 hours. At the same time, a Docker image was released that implements fast rotation of keys (and certificates).

First, this is very useful for security: if the server is compromised or the key is leaked, yesterday's traffic cannot be decrypted. The key has already changed. This will pose a problem for the implementation of the Yarovaya Law, which forces providers to store all traffic, including encrypted traffic. The implication is that it can be decrypted later, if necessary, by requesting the key from the site. But in this case the site cannot provide it, because it uses short-lived keys and deletes the old ones.

But most importantly, Denis writes, short-lived keys force servers to set up automation from day one. If a server goes online and the key rotation scripts are not configured or do not work, this is detected immediately.

When automation changes keys once every few years, it cannot be relied upon, and people may forget about certificate expiration. If keys are changed daily, a failure is detected immediately.

At the same time, if automation is set up properly, it does not matter how often keys are changed: every year, every quarter, or three times a day. If everything works for more than 24 hours, it will work forever, writes Frank Denis. According to him, the recommendation of daily key rotation in the second version of the protocol, together with a ready-made Docker image that implements it, effectively reduced the number of servers with expired certificates while at the same time improving security.

However, some providers still decided, for technical reasons, to set the certificate validity period to more than 24 hours. This problem was largely solved with a few lines of code in dnscrypt-proxy: users receive an informational warning 30 days before the certificate expires, another message with a higher severity level 7 days before expiration, and a critical message if the certificate has less than 24 hours of validity left. This applies only to certificates that start out with a long validity period.

These messages give users the opportunity to notify DNS operators about an upcoming certificate expiration before it is too late.
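The warning policy described above, sketched in Go as an added example (not dnscrypt-proxy's own code): it flags validity windows longer than 24 hours and applies the 30-day, 7-day and 24-hour expiry tiers only to those long-lived certificates. The type and function names are hypothetical, and the timestamps in `main` are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Severity and Result are hypothetical names used only in this example.
type Severity int

const (
	None     Severity = iota
	Info              // 30 days or less remaining
	Warn              // 7 days or less remaining
	Critical          // less than 24 hours remaining
)

type Result struct {
	Valid      bool     // now falls inside [start, end)
	LongPeriod bool     // validity window exceeds 24h: "period too long" warning
	Expiry     Severity // tiered warning, long-lived certificates only
}

const day = 24 * time.Hour

// CheckCert evaluates a certificate's validity window at time now.
func CheckCert(start, end, now time.Time) Result {
	if !end.After(start) || now.Before(start) || !now.Before(end) {
		return Result{} // not yet valid, expired, or malformed window
	}
	r := Result{Valid: true, LongPeriod: end.Sub(start) > day}
	if !r.LongPeriod {
		return r // daily-rotated certificate: no expiry warnings
	}
	switch left := end.Sub(now); {
	case left < day:
		r.Expiry = Critical
	case left <= 7*day:
		r.Expiry = Warn
	case left <= 30*day:
		r.Expiry = Info
	}
	return r
}

func main() {
	// Constructed sample: a 90-day certificate checked 5 days before expiry.
	start := time.Date(2019, 5, 1, 0, 0, 0, 0, time.UTC)
	end := start.Add(90 * day)
	fmt.Printf("%+v\n", CheckCert(start, end, end.Add(-5*day)))
}
```

A certificate rotated daily never triggers the expiry tiers even in its last hours, which matches the article's point that the tiers exist only for operators who chose long validity periods.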

Perhaps if all Firefox users had received such a message, someone would have informed the developers and they would not have let the certificate expire. "I don't remember a single DNSCrypt server on the list of public DNS servers whose certificate expired in the last two or three years," writes Frank Denis. In any case, it is probably better to warn users first than to disable extensions without warning.



Source: www.habr.com
