Ukuze isiphequluli sigunyaze iwebhusayithi, iziveza ngochungechunge lwesitifiketi esivumelekile. Iketango elijwayelekile liboniswa ngenhla, futhi kungase kube nesitifiketi esimaphakathi esingaphezu kwesisodwa. Inombolo encane yezitifiketi echungechungeni oluvumelekile zintathu.
Isitifiketi sempande siyinhliziyo yesiphathimandla sesitifiketi. Yakhelwe ngokoqobo ku-OS yakho noma kusiphequluli, ikhona ngokoqobo kudivayisi yakho. Ayikwazi ukuguqulwa ukusuka ohlangothini lweseva. Kudingeka isibuyekezo esiphoqelelwe se-OS noma i-firmware kudivayisi.
Uchwepheshe Wezokuphepha uScott Helme , ukuthi izinkinga eziyinhloko zizovela ngegunya lesitifiketi le-Let Encrypt, ngoba namuhla yi-CA ethandwa kakhulu ku-intanethi, futhi isitifiketi sayo sempande sizohamba kabi maduzane. Ukushintsha impande ethi Masibethele .
Izitifiketi zokugcina nezimaphakathi zesiphathimandla sezitifiketi (CA) zilethwa kuklayenti zisuka kuseva, futhi isitifiketi sempande siphuma kuklayenti. isivele, ngakho-ke ngaleli qoqo lezitifiketi umuntu angakha uchungechunge futhi aqinisekise iwebhusayithi.
Inkinga ukuthi isitifiketi ngasinye sinedethi yokuphelelwa yisikhathi, ngemva kwalokho sidinga ukushintshwa. Isibonelo, kusukela ngomhlaka-1 Septhemba 2020, bahlela ukwethula umkhawulo esikhathini sokuqinisekisa sezitifiketi ze-TLS zeseva kusiphequluli se-Safari. .
Lokhu kusho ukuthi sonke kuzodingeka simiselele izitifiketi zethu zeseva okungenani njalo ezinyangeni eziyi-12. Lo mkhawulo usebenza kuphela ezitifiketini zeseva; it hhayi kusebenza kuzitifiketi ze-CA zezimpande.
Izitifiketi ze-CA zibuswa isethi ehlukile yemithetho futhi ngenxa yalokho zinemikhawulo ehlukile yokuqinisekisa. Kuvame kakhulu ukuthola izitifiketi eziphakathi nesikhathi sokuqinisekisa seminyaka engu-5 kanye nezitifiketi zezimpande ezinempilo yesevisi yeminyaka engu-25!
Ngokuvamile azikho izinkinga ngezitifiketi eziphakathi nendawo, ngoba zinikezwa iklayenti yiseva, yona ngokwayo eshintsha isitifiketi sayo kaningi, ngakho ivele imiselele esimaphakathi ohlelweni. Kulula kakhulu ukuyifaka esikhundleni kanye nesitifiketi seseva, ngokungafani nesitifiketi se-CA esiyimpande.
Njengoba sesishilo, impande ye-CA yakhelwe ngqo kudivayisi yeklayenti uqobo, ibe yi-OS, isiphequluli noma enye isoftware. Ukushintsha impande ye-CA kungaphezu kwamandla ewebhusayithi. Lokhu kudinga isibuyekezo kuklayenti, kungaba i-OS noma isibuyekezo sesofthiwe.
Amanye ama-CA ezimpande abe khona isikhathi eside kakhulu, sikhuluma ngeminyaka engama-20-25. Ngokushesha ezinye zezimpande ze-CA ezindala zizosondela ekupheleni kwempilo yazo yemvelo, isikhathi sabo sesiphelile. Kwabaningi bethu lokhu ngeke kube yinkinga nhlobo ngoba ama-CA asungule izitifiketi ezintsha zezimpande futhi sezisakazwe emhlabeni wonke ku-OS nezibuyekezo zesiphequluli iminyaka eminingi. Kodwa uma othile engazange abuyekeze i-OS yakhe noma isiphequluli isikhathi eside kakhulu, uhlobo lwenkinga.
Lesi simo senzeka ngoMeyi 30, 2020 ngo-10:48:38 GMT. Lesi isikhathi esiqondile lapho kusuka kwabaphathi bezitifiketi ze-Comodo (Sectigo).
Yayisetshenziselwa ukusayina okuphambene ukuze kuqinisekiswe ukuhambisana namadivayisi wefa angenaso isitifiketi sempande esisha se-USERTrust esitolo sabo.
Ngeshwa, izinkinga azivelanga ezipheqululini zefa kuphela, kodwa futhi nakumakhasimende angewona awesiphequluli asekelwe ku-OpenSSL 1.0.x, LibreSSL kanye . Ngokwesibonelo, emabhokisini set-top , isevisi , e-Fortinet, Charify izicelo, ku-.NET Core 2.0 yesikhulumi se-Linux kanye .
Bekucatshangwa ukuthi inkinga izothinta kuphela amasistimu wefa (Android 2.3, Windows XP, Mac OS X 10.11, iOS 9, njll.), njengoba iziphequluli zesimanje zingasebenzisa isitifiketi sesibili se-USERTRust. Kodwa empeleni, ukwehluleka kwaqala kumasevisi ewebhu angamakhulu asebenzisa imitapo yolwazi ye-OpenSSL 1.0.x kanye ne-GnuTLS yamahhala. Uxhumano oluvikelekile alukwazanga ukusungulwa ngomlayezo wephutha obonisa ukuthi isitifiketi besiphelelwe isikhathi.
Okulandelayo - Masibhale Ngemfihlo
Esinye isibonelo esihle soshintsho oluzayo lwempande ye-CA yigunya lesitifiketi elithi Masibethele. Okuningi babehlele ukushintsha besuka ku-Identrust chain baye kwelabo i-ISRG Root chain, kodwa lokhu .
"Ngenxa yokukhathazeka mayelana nokushoda kokutholwa kwempande ye-ISRG kumadivayisi e-Android, sinqume ukuhambisa idethi yokuguqulwa kwezimpande zomdabu kusukela ngoJulayi 8, 2019 kuya kuJulayi 8, 2020," kusho isitatimende se-Let's Encrypt.
Usuku bekufanele luhlehliswe ngenxa yenkinga ebizwa ngokuthi βukusakazwa kwezimpandeβ, noma ngokunembile, ukuntuleka kokusakazeka kwezimpande, lapho impande ye-CA ingasatshalaliswa kabanzi kuwo wonke amaklayenti.
I-Let's Encrypt okwamanje isebenzisa isitifiketi esiphakathi esisayinwe ngokuphambano esiboshelwe ku-IdenTrust DST Root CA X3. Lesi sitifiketi sempande sakhishwa ngoSepthemba 2000 futhi siphelelwa yisikhathi ngoSepthemba 30, 2021. Kuze kube yileso sikhathi, i-Let's Encrypt ihlela ukuthuthela e-ISRG Root X1 ezisayinele yona.
Izimpande ze-ISRG zikhishwe ngoJuni 4, 2015. Ngemva kwalokhu, inqubo yokugunyazwa kwayo njengesiphathimandla sokunikeza izitifiketi yaqala, eyaphela . Kusukela kuleli phuzu kuqhubeke, i-CA yempande ibitholakala kuwo wonke amaklayenti ngohlelo lokusebenza noma isibuyekezo sesofthiwe. Okwakumele ukwenze nje ukufaka isibuyekezo.
Kodwa inkinga leyo.
Uma ifoni yakho ephathekayo, i-TV noma enye idivayisi ingazange ibuyekezwe iminyaka emibili, izokwazi kanjani ngesitifiketi esisha se-ISRG Root X1? Futhi uma ungayifaki kusistimu, idivayisi yakho izovala zonke izitifiketi zeseva ethi Masibethele ngokushesha nje ngemva kokuthi Masibethele sishintshela empandeni entsha. Futhi ku-ecosystem ye-Android kunamadivayisi amaningi aphelelwe yisikhathi angazange abuyekezwe isikhathi eside.
I-ecosystem ye-Android
Yingakho i-Let Encrypt ibambezeleke ukuthuthela empandeni yayo ye-ISRG futhi sisasebenzisa okuphakathi okwehlela kumpande we-IdenTrust. Kodwa uguquko kuzodingeka lwenziwe kunoma yikuphi. Futhi usuku lokushintsha impande lunikezwe .
Ukuze uhlole ukuthi i-ISRG X1 impande ifakiwe yini kudivayisi yakho (i-TV, i-set-top box noma elinye iklayenti), vula isayithi lokuhlola. . Uma singekho isexwayiso sokuvikeleka esivelayo, khona-ke yonke into ngokuvamile ihamba kahle.
I-Let Encrypt akuyena yedwa obhekene nenselelo yokuthuthela empandeni entsha. I-Cryptography ku-inthanethi yaqala ukusetshenziswa eminyakeni engaphezu kwengama-20 edlule, ngakho manje isikhathi lapho izitifiketi eziningi zezimpande sezizophelelwa yisikhathi.
Abanikazi bama-smart TV abangazange babuyekeze isofthiwe ye-Smart TV iminyaka eminingi bangase bahlangabezane nale nkinga. Isibonelo, impande entsha ye-GlobalSign yakhululwa ngo-2012, futhi ngemva kokuba amanye ama-Smart TV amadala awakwazi ukwakha iketango kuwo, ngoba awanayo le-CA yempande. Ikakhulukazi, lawa maklayenti awakwazanga ukusungula ukuxhumana okuphephile kuwebhusayithi ye-bbc.co.uk. Ukuxazulula inkinga, abaphathi be-BBC kwadingeka basebenzise iqhinga: bona ngokusebenzisa izitifiketi ezengeziwe eziphakathi, usebenzisa izimpande ezindala ΠΈ , ezingakaboli.
www.bbc.co.uk (Leaf) GlobalSign ECC OV SSL CA 2018 (Intermediate) GlobalSign Root CA - R5 (Intermediate) GlobalSign Root CA - R3 (Intermediate)
Lesi yisixazululo sesikhashana. Inkinga ngeke iphele ngaphandle kokuthi ubuyekeze isofthiwe yeklayenti. I-smart TV empeleni iyikhompuyutha enomkhawulo esebenza nge-Linux. Futhi ngaphandle kwezibuyekezo, izitifiketi zayo zempande nakanjani zizobola.
Lokhu kusebenza kuwo wonke amadivayisi, hhayi ama-TV kuphela. Uma unanoma iyiphi idivayisi exhunywe ku-inthanethi futhi eyakhangiswa njengedivayisi βehlakaniphile,β inkinga yezitifiketi ezibolile cishe iyakukhathaza. Uma idivayisi ingabuyekeziwe, isitolo sezimpande ze-CA sizophelelwa yisikhathi ngokuhamba kwesikhathi futhi ekugcineni inkinga izovela. Ukuthi inkinga yenzeka ngokushesha kangakanani kuncike ekutheni isitolo sempande sigcine ukubuyekezwa nini. Lokhu kungase kube iminyaka embalwa ngaphambi kwedethi yangempela yokukhishwa kwedivayisi.
Kodwa-ke, lena inkinga yokuthi kungani ezinye izinkundla ezinkulu zemidiya zingakwazi ukusebenzisa iziphathimandla zesitifiketi ezizenzakalelayo njenge-Let's Encrypt, kubhala uScott Helme. Awafanele ama-smart TV, futhi inani lezimpande lincane kakhulu ukuqinisekisa ukusekelwa kwesitifiketi kumadivayisi ayigugu. Uma kungenjalo, i-TV ngeke ikwazi ukwethula izinsiza zokusakaza zesimanjemanje.
Isigameko sakamuva ne-AddTrust sibonise ukuthi ngisho nezinkampani ezinkulu ze-IT azikulungele ukuthi isitifiketi sempande siphelelwa yisikhathi.
Kunesixazululo esisodwa kuphela senkinga - buyekeza. Abathuthukisi bamadivayisi ahlakaniphile kufanele banikeze indlela yokubuyekeza isofthiwe nezitifiketi zezimpande kusengaphambili. Ngakolunye uhlangothi, akunanzuzo kubakhiqizi ukuthi baqinisekise ukusebenza kwamadivaysi abo ngemva kokuphelelwa yisikhathi sewaranti.
Source: www.habr.com