Mozilla, Cloudflare and Facebook introduce a TLS extension for delegating short-lived certificates

Mozilla, Cloudflare and Facebook have jointly announced a new TLS extension, Delegated Credentials (DC), which solves a problem with certificates when access to a site is organized through content delivery networks. Certificates issued by certificate authorities have a long validity period. This creates difficulties when access to a site has to be organized through a third-party service in whose name the secure connection must be established, because handing the site's certificate to an external service creates additional security threats.

The new extension may also be useful for sites running on large distributed infrastructure with a large number of load balancers. Delegated Credentials avoid storing copies of the private keys of the primary certificates at each content delivery point. With the classic approach, a successful attack on any of the servers involved in delivering HTTPS traffic compromises the entire certificate. When private keys are handed to content delivery networks, there is a threat of leakage through sabotage by staff, the actions of intelligence agencies, or compromise of the CDN infrastructure.

If a key leak goes unnoticed, those who obtained the keys will be able to insert themselves undetected into the site's traffic (MITM) for a long time, since certificate validity periods are measured in months and years. Cloudflare can protect certificate keys by using special key servers that run on the site owner's side, but operating in this mode leads to significant delays in traffic delivery, reduces reliability because of the additional link, and requires deploying complex infrastructure.

The proposed TLS Delegated Credentials extension introduces an additional intermediate private key whose validity is limited to a few hours or days (no more than 7 days). This key is generated on the basis of a certificate issued by a certificate authority. It lets the site keep the private key of the original certificate secret from content delivery services, giving them only a temporary certificate with a short lifetime.

To avoid access problems after the intermediate key expires, an automatic renewal mechanism is provided that runs on the side of the original TLS server. Generation requires no manual steps or scripts: the authorized server that needs the private key contacts the site's original TLS server before the lifetime of the previous key runs out, and that server generates the intermediate key for the next short period.

Browsers that support the TLS Delegated Credentials extension will treat such certificates as trusted. For example, support for the extension has already been added to Firefox nightly builds and beta versions and can be enabled in about:config by changing the "security.tls.enable_delegated_credentials" setting. In mid-November, a "TLS Delegated Credentials Experiment" is also planned among a certain percentage of users of Firefox test versions, in which a test request will be sent to a Cloudflare DC server to assess the quality of the implementation of the new TLS extension. Delegated Credentials support has also already been built into the Fizz library, which implements TLS 1.3.

The Delegated Credentials specification has been submitted to the IETF (Internet Engineering Task Force), the committee responsible for developing Internet protocols and architecture, and has the status of a draft that aims to become an Internet standard. The Delegated Credentials extension can only be used with TLSv1.3.
To generate intermediate keys, you need to obtain a TLS certificate that includes a special X.509 extension, which is currently supported only by the DigiCert certificate authority.
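
The constraints described above (a lifetime of no more than 7 days, TLSv1.3 only, a certificate carrying the special X.509 extension) translate into checks a client applies to a received delegated credential. The Python below is an added example, not code from Mozilla, Cloudflare or Facebook: it assumes the wire layout of RFC 9345 (the published form of the draft), the helper names parse_dc, check_dc and build_sample are hypothetical, the caller supplies whether the certificate has the delegation extension, and signature verification is left out.

```python
import struct
from datetime import datetime, timedelta

MAX_VALIDITY = timedelta(days=7)   # upper bound stated in the article
TLS13 = 0x0304                     # TLS 1.3 protocol version code

def parse_dc(buf: bytes) -> dict:
    """Split a DelegatedCredential into its fields (layout assumed per RFC 9345)."""
    if len(buf) < 9:
        raise ValueError("truncated credential header")
    # uint32 valid_time, uint16 scheme the delegated key will sign with
    valid_time, cert_verify_alg = struct.unpack_from(">IH", buf, 0)
    spki_len = int.from_bytes(buf[6:9], "big")      # 24-bit length prefix
    off = 9
    if spki_len == 0 or off + spki_len + 4 > len(buf):
        raise ValueError("bad SubjectPublicKeyInfo length")
    spki = buf[off:off + spki_len]
    off += spki_len
    # uint16 scheme of the certificate key's signature, uint16 signature length
    sig_alg, sig_len = struct.unpack_from(">HH", buf, off)
    off += 4
    if off + sig_len != len(buf):
        raise ValueError("bad signature length")
    return {"valid_time": valid_time, "cert_verify_alg": cert_verify_alg,
            "spki": spki, "sig_alg": sig_alg, "signature": buf[off:]}

def check_dc(dc: dict, not_before: datetime, now: datetime,
             tls_version: int, cert_allows_delegation: bool) -> list:
    """Return reasons to reject; an empty list means these checks pass."""
    problems = []
    if tls_version != TLS13:
        problems.append("not TLS 1.3")
    if not cert_allows_delegation:
        problems.append("certificate lacks delegation extension")
    # valid_time counts seconds from the certificate's notBefore
    expiry = not_before + timedelta(seconds=dc["valid_time"])
    if now >= expiry:
        problems.append("expired")
    elif expiry - now > MAX_VALIDITY:
        problems.append("remaining validity exceeds 7 days")
    return problems

def build_sample(valid_time: int) -> bytes:
    """Constructed sample: placeholder key and signature bytes, not real ones."""
    spki, sig = b"\x30\x03\x02\x01\x00", b"\x00" * 8
    return (struct.pack(">IH", valid_time, 0x0403) + len(spki).to_bytes(3, "big")
            + spki + struct.pack(">HH", 0x0403, len(sig)) + sig)
```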

Source: opennet.ru
