The Mozilla company
Certificate verification using external services, based on the protocol that has been in use
To block certificates that have been compromised and revoked by certificate authorities, Firefox has used a centralized blocklist since 2015.
By default, if verification via OCSP is not possible, the browser treats the certificate as valid. The service may be unavailable because of network problems and restrictions on internal networks, or it may be blocked by attackers: during a MITM attack, the OCSP check can be bypassed simply by blocking access to the checking service. Partly to prevent such attacks, a technique was implemented
CRLite makes it possible to consolidate complete information about all revoked certificates into an easily updated structure, only 1 MB in size, so that a complete CRL database can be stored on the client side.
The browser will be able to synchronize its copy of the data about revoked certificates daily, and this database will be available under any conditions.
CRLite aggregates information from
To eliminate false positives, CRLite introduces additional corrective filter levels. After the structure is generated, all source records are searched and any false positives are identified. Based on the results of this check, an additional structure is created, which is cascaded onto the first and corrects the resulting false positives. The operation is repeated until false positives are completely eliminated in the control check. Typically, creating 7-10 layers is enough to cover all the data completely. Since the state of the database, because of periodic synchronization, lags slightly behind the current state of the CRLs, new certificates issued after the last update of the CRLite database are checked using the OCSP protocol, including using
Using Bloom filters, the December slice of information from WebPKI, covering 100 million active certificates and 750 thousand revoked certificates, was packed into a structure 1.3 MB in size. The structure generation process is quite resource-intensive, but it is performed on a Mozilla server and the user is given a ready-made update. For example, in binary form, the source data used during generation requires about 16 GB of memory when stored in the Redis DBMS, and in hexadecimal form, a dump of all certificate serial numbers takes about 6.7 GB. The process of aggregating all revoked and active certificates takes about 40 minutes, and the process of generating the packed structure based on the Bloom filter takes another 20 minutes.
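The layered construction described above, as an added Python sketch that is not part of the original article and is not Mozilla's implementation: layer 0 holds the revoked serials, and each further layer holds the false positives of the layer before it, until a control check finds none. The class and function names, the SHA-256 based hashing, the filter sizing and the sample serials are all assumptions made for illustration.

```python
import hashlib

class Bloom:
    """Minimal Bloom filter; bits per item and hash count are assumed values."""
    def __init__(self, items, level, bits_per_item=8, k=3):
        self.m = max(8, len(items) * bits_per_item)
        self.k, self.level = k, level
        self.bits = bytearray((self.m + 7) // 8)
        for it in items:
            for p in self._pos(it):
                self.bits[p // 8] |= 1 << (p % 8)

    def _pos(self, item):
        # Salt with the layer number so every layer hashes independently.
        for i in range(self.k):
            h = hashlib.sha256(f"{self.level}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def __contains__(self, item):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._pos(item))

def build_cascade(revoked, valid):
    """Add layers until the control check finds no false positives."""
    layers, include, exclude = [], set(revoked), set(valid)
    while include:
        f = Bloom(include, level=len(layers))
        layers.append(f)
        # Entries of the opposite set that this layer wrongly matches
        # become the content of the next corrective layer.
        false_pos = {x for x in exclude if x in f}
        include, exclude = false_pos, include
    return layers

def is_revoked(layers, serial):
    """Exact only for serials that were in the build-time data set."""
    for depth, f in enumerate(layers):
        if serial not in f:
            return depth % 2 == 1      # first miss at an odd layer: revoked
    return len(layers) % 2 == 1        # matched every layer

# Constructed sample serials (not real certificate data).
REVOKED = {f"serial-{i:06d}" for i in range(0, 20000, 50)}
VALID = {f"serial-{i:06d}" for i in range(20000)} - REVOKED
```

A serial that was in neither set when the cascade was built can receive an arbitrary answer, which is why certificates issued after the last database update are still checked through OCSP.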
Mozilla currently ensures that the CRLite database is updated four times a day (not all updates are delivered to clients). Generation of delta updates has not yet been implemented: bsdiff4, which is used to create delta updates for releases, does not provide adequate efficiency for CRLite, and the updates are unreasonably large. To eliminate this drawback, it is planned to rework the format of the storage structure to avoid unnecessary rebuilding and removal of layers.
CRLite currently works in Firefox in passive mode and is used in parallel with OCSP to collect statistics about correct operation. CRLite can be switched to the main checking mode; to do this, set the parameter security.pki.crlite_mode = 2 in about:config.
Source: opennet.ru