ALPACA - a new MITM attack technique against HTTPS

A team of researchers from several German universities has developed a new MITM attack on HTTPS that can extract session cookies and other sensitive data and execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and can be applied to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but use shared TLS certificates.

The essence of the attack is that an attacker who controls a network gateway or wireless access point can redirect web traffic to a different network port and arrange for the connection to be established with an FTP or mail server that supports TLS encryption and uses a TLS certificate shared with the HTTP server; the user's browser will then assume that the connection has been established with the requested HTTP server. Since the TLS protocol is generic and not tied to application-layer protocols, establishing the encrypted connection looks the same for all services, and the mistake of sending a request to the wrong service can only be detected after the encrypted session has been set up, when the commands in the submitted request are processed.

Accordingly, if, for example, a user's HTTPS connection is redirected to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will be unable to process the transmitted HTTP commands and will return a response with an error code. The browser will process this response as a response from the requested site, delivered inside a correctly established encrypted channel.

Three attack variants are proposed:

  • "Upload" to retrieve a cookie with authentication parameters. The method works if the FTP server covered by the TLS certificate allows uploading and retrieving data. In this attack variant, the attacker can get parts of the user's original HTTP request stored, such as the contents of the Cookie header, for example if the FTP server interprets the request as a file to save or logs incoming requests in full. For a successful attack, the attacker then needs to retrieve the stored content in some way. The attack is applicable to Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  • "Download" to organize cross-site scripting (XSS). The method assumes that the attacker, through some separate manipulation, can place data on a service that uses the shared TLS certificate, and that this data can then be served in response to the user's request. The attack is applicable to the FTP servers mentioned above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  • "Reflection" to execute JavaScript in the context of another site. The method is based on the service returning to the client a part of the request containing JavaScript code supplied by the attacker. The attack is applicable to the FTP servers mentioned above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.


For example, when a user opens a page controlled by the attacker, that page can initiate a resource request to a site where the user has an active account (for example, bank.com). During the MITM attack, this request destined for the bank.com website can be redirected to a mail server that uses a TLS certificate shared with bank.com. Since the mail server does not terminate the session after the first error, the service headers and commands such as "POST / HTTP/1.1" and "Host:" will be processed as unknown commands (the mail server will return "500 unknown command" for each header).

The mail server does not understand the specifics of the HTTP protocol, and for it the service headers and the data block of the POST request are processed in the same way, so the body of the POST request can contain a line with a command for the mail server. For example, one can pass: MAIL FROM: alert(1); to which the mail server will return the error message 501 alert(1); : malformed address: alert(1); may not follow

This response will be received by the user's browser, which will execute the JavaScript code not in the context of the attacker's site that was opened initially, but in the context of the bank.com site to which the request was sent, since the response arrived within a correctly established TLS session whose certificate confirmed the authenticity of the response as coming from bank.com.


A scan of the global network showed that in total about 1.4 million web servers are affected by the problem, in the sense that an attack mixing requests across different protocols is possible against them. The possibility of a real attack was established for 119 thousand web servers that had accompanying TLS servers based on other application protocols.

Exploit examples have been prepared for the FTP servers pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u, the IMAP and POP3 servers dovecot, courier, exchange, cyrus, kerio-connect and zimbra, and the SMTP servers postfix, exim, sendmail, mailenable, mdaemon and opensmtpd. The researchers studied the feasibility of the attack only in combination with FTP, SMTP, IMAP and POP3 servers, but the problem may also occur with other application protocols that use TLS.


To block the attack, it is proposed to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate the TLS session with the application protocol taken into account, and the SNI (Server Name Indication) extension to bind the host name when TLS certificates covering several domain names are used. On the application side, it is recommended to limit the number of errors tolerated while processing commands, after which the connection is terminated. Work on developing measures to block this attack began in October of last year. Corresponding security measures have already been implemented in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZilla, crypto/tls (Go) and Internet Explorer.
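The redirected-request scenario described above (HTTP headers answered with "500 unknown command", then a body line echoed back in a 501 error) and the per-connection error limit recommended here, modelled as an added example that is not code from the article or from any of the servers it names. The simplified command loop, the strict ALPN selector, the sample request and the max_errors budget are all constructed for illustration:

```python
# Added illustration, not code from the article or any server it names.
# A lenient SMTP-style command loop receives an HTTP request a MITM redirected
# to it; the error budget and strict ALPN check model the recommended fixes.

KNOWN_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}

# Constructed request as the mail server sees it after redirection: HTTP
# headers (meaningless to SMTP) followed by an attacker-chosen body line.
REDIRECTED_HTTP_REQUEST = [
    "POST / HTTP/1.1",
    "Host: bank.com",
    "Cookie: session=constructed-value",
    "Content-Length: 22",
    "",
    "MAIL FROM: alert(1);",
]


def handle_session(lines, max_errors=None):
    """Answer each line like a lenient mail server and return
    (responses, closed_early). With max_errors=None (no budget) every
    line is parsed, so the HTTP body reaches the command parser."""
    responses, errors = [], 0
    for line in lines:
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "MAIL":
            arg = line.split(":", 1)[1].strip() if ":" in line else ""
            # The rejected argument is echoed back verbatim, which is what
            # lets the reflection variant return attacker text to the browser.
            responses.append(f"501 {arg}: malformed address")
            errors += 1
        elif verb in KNOWN_COMMANDS:
            responses.append("250 OK")
        else:
            responses.append("500 unknown command")
            errors += 1
        if max_errors is not None and errors >= max_errors:
            # Hardened behaviour: give up before the body line is reached.
            responses.append("421 too many errors, closing connection")
            return responses, True
    return responses, False


def select_alpn(server_protocols, client_protocols):
    """Strict ALPN: first client-preferred protocol the server also offers,
    or None, meaning the handshake must be aborted (no_application_protocol)."""
    for proto in client_protocols:
        if proto in server_protocols:
            return proto
    return None
```

With no error budget the 501 line carrying the attacker's text is produced; with max_errors=3 the connection is closed while still inside the HTTP headers, and a server offering only "smtp" via ALPN never completes a handshake with a browser offering h2/http/1.1.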

Source: opennet.ru
