Mozilla uses CRLite to check for revoked TLS certificates

Mozilla has announced that it has begun testing a new method of detecting revoked certificates, CRLite, in Firefox nightly builds. CRLite makes it possible to perform an efficient certificate revocation check against a database that is kept on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code that generates the database and the server-side components is written in Python and Go. The client-side components added to Firefox to read the database are written in Rust.

Checking a certificate through an external service based on the still widely used OCSP (Online Certificate Status Protocol) requires guaranteed network access, adds a significant delay to request processing (350 ms on average) and has privacy problems (the OCSP servers that answer the requests learn which certificates are being checked, which can be used to infer which sites the user is visiting). Checking locally against CRLs (Certificate Revocation Lists) is also possible, but the drawback of that approach is the very large amount of data to download: the full database of revoked certificates currently takes about 300 MB, and it keeps growing.

To block certificates that have been compromised and revoked by certificate authorities, Firefox has used the centralized OneCRL blocklist since 2015, combined with calls to the Google Safe Browsing service to detect possible malicious activity. OneCRL, like CRLSet in Chrome, acts as an intermediary that aggregates the CRLs of the certificate authorities and offers a single centralized OCSP service for revocation checks, so that requests do not have to be sent directly to the certificate authorities. Despite considerable work on improving the reliability of online certificate checking, telemetry shows that more than 7% of OCSP requests time out (a few years ago the figure was 15%).

By default, if the OCSP check cannot be completed, the browser treats the certificate as valid (soft fail). The service can be unavailable because of network problems or restrictions on internal networks, or it can be blocked by an attacker: to bypass the OCSP check during a MITM attack it is enough to block access to the checking service. Partly to prevent such attacks, the Must-Staple mechanism was introduced, which allows an OCSP access error or the absence of an OCSP response to be treated as a problem with the certificate, but this feature is optional and requires the certificate to be issued with a special extension.

CRLite makes it possible to pack complete information about all revoked certificates into an easily updated structure only about 1 MB in size, which allows a complete revocation database to be kept on the client side. The browser can synchronize its copy of the revocation data daily, and the database is then available under any network conditions.

CRLite aggregates information from Certificate Transparency, the public log of issued certificates, together with revocation data obtained by scanning the Internet (the various CRLs published by the certificate authorities are collected and the information about all known certificates is merged). The data is packed using a cascade of Bloom filters, a probabilistic structure that can report a false positive for an element that is absent but never misses an element that is present (i.e. with some probability a valid certificate may be falsely flagged, but a revoked certificate is guaranteed to be identified).

Ukuze kuqedwe amaphothizithi angamanga, i-CRlite yethule amaleveli okuhlunga okulungisa engeziwe. Ngemuva kokukhiqiza isakhiwo, wonke amarekhodi omthombo ayaseshwa futhi kuhlonzwe noma yimaphi amaphothizithi angamanga. Ngokusekelwe emiphumeleni yaleli sheke, kwakhiwa isakhiwo esengeziwe, esithululelwa kwesokuqala futhi silungise imiphumela engamanga ewumphumela. Ukusebenza kuyaphindwa kuze kube yilapho amaphuzu angamanga ngesikhathi sokuhlolwa kokulawula aqedwa ngokuphelele. Ngokuvamile, ukudala izendlalelo ezingu-7-10 kwanele ukumboza ngokuphelele yonke idatha. Njengoba isimo sedathabhesi, ngenxa yokuvumelanisa ngezikhathi ezithile, sisala kancane ngemuva kwesimo samanje se-CRL, ukubhekwa kwezitifiketi ezintsha ezikhishwe ngemuva kokubuyekezwa kokugcina kwedathabhesi ye-CRLIte kwenziwa kusetshenziswa umthetho olandelwayo we-OCSP, okuhlanganisa ukusebenzisa I-OCSP Stapling (impendulo ye-OCSP egunyazwe isiphathimandla sokunikeza izitifiketi idluliswa iseva esebenzela isayithi lapho ixoxisana ngoxhumo lwe-TLS).


Using Bloom filters, a December snapshot of the WebPKI data, covering 100 million active certificates and 750 thousand revoked certificates, was packed into a structure 1.3 MB in size. Generating the structure is resource-intensive, but it is done on Mozilla's servers and the user receives a ready-made update. For example, the source data used during generation requires about 16 GB of memory when stored in binary form in the Redis DBMS, and a hexadecimal dump of all certificate serial numbers takes about 6.7 GB. Aggregating all revoked and active certificates takes about 40 minutes, and generating the packed Bloom-filter structure takes another 20 minutes.

Mozilla currently regenerates the CRLite database four times a day (not every update is delivered to clients). Delta updates are not yet implemented: bsdiff4, which is used to produce delta updates for Firefox releases, is not efficient enough for CRLite and produces unreasonably large updates. To remove this drawback, it is planned to rework the format of the final structure so that layers are not needlessly rebuilt and removed.

CRLite currently runs in Firefox in passive mode, in parallel with OCSP, to gather statistics on how well it works. CRLite can be switched to being the primary check by setting security.pki.crlite_mode = 2 in about:config.


Source: opennet.ru
