Expiry of the IdenTrust root certificate will cause Let's Encrypt to lose trust on older devices

On September 30 at 17:01 Moscow time, the IdenTrust root certificate (DST Root CA X3), which was used to cross-sign the root certificate of the Let's Encrypt certificate authority (ISRG Root X1), a community-controlled authority that issues certificates free of charge to everyone, expires. The cross-signature ensured that Let's Encrypt certificates were trusted on a wide range of devices, operating systems and browsers while the Let's Encrypt root certificate was being integrated into root certificate stores.

Initially it was planned that, after DST Root CA X3 was retired, the Let's Encrypt project would switch to generating signatures using only its own root certificate, but such a transition would lead to a loss of compatibility with a large number of older systems that have never added the Let's Encrypt root certificate to their stores. In particular, about 30% of Android devices in use have no record of the Let's Encrypt root certificate; support for it appeared only in Android 7.1.1, released at the end of 2016.

Let's Encrypt did not plan to enter into a new cross-signing agreement, since this places an additional burden on the parties to the agreement, deprives them of independence and ties their hands to comply with all the procedures and rules of another certificate authority. But because of the potential problems with a large number of Android devices, the plan was revised. A new agreement was concluded with the IdenTrust certificate authority, under which another cross-signed Let's Encrypt certificate was created. The cross-signature will be valid for three years and will preserve support for Android devices starting from version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, once the DST Root CA X3 certificate is retired on September 30, Let's Encrypt certificates will no longer be accepted on unsupported firmware and operating systems, where the ISRG Root X1 certificate has to be added manually to the root certificate store for Let's Encrypt certificates to be trusted. Problems will appear in:

  • OpenSSL up to and including the 1.0.2 branch (maintenance of the 1.0.2 branch was discontinued in December 2019);
  • NSS < 3.26;
  • Java 8 < 8u141, Java 7 < 7u151;
  • Windows < XP SP3;
  • macOS < 10.12.1;
  • iOS < 10 (iPhone < 5);
  • Android < 2.3.6;
  • Mozilla Firefox < 50;
  • Ubuntu < 16.04;
  • Debian < 8.

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents cross-signed certificates from being processed correctly if one of the root certificates used for signing expires, even when other valid chains of trust remain. The problem first surfaced last year after the expiry of the AddTrust certificate used to cross-sign certificates from the Sectigo (Comodo) certificate authority. The root of the problem is that OpenSSL parses the certificate as a linear chain, whereas, according to RFC 4158, a certificate can represent a distributed directed graph with multiple trust anchors that need to be considered.

Users of old distributions based on OpenSSL 1.0.2 are offered three workarounds to solve the problem:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone (not cross-signed) ISRG Root X1 root certificate.
  • When running the openssl verify and s_client commands, specify the "-trusted_first" option.
  • Use on the server a certificate certified by the separate ISRG Root X1 root certificate, which has no cross-signature. This method will lead to a loss of compatibility with old Android clients.
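To make the path-building difference concrete, here is a small added model (an illustration written for this page, not OpenSSL's or Let's Encrypt's code) with constructed sample certificates and placeholder dates, assuming a server that sends the cross-signed ISRG Root X1 in its chain. It reproduces the OpenSSL 1.0.2 failure after DST Root CA X3 expires and shows how each of the three workarounds, and an RFC 4158 style graph search, still find a valid path.

```python
# Constructed sample data (names only, no real keys or signatures): each
# certificate is (subject, issuer, not_after as an ISO date). The dates are
# illustrative placeholders, not the real certificates' values.
SERVER_CHAIN = [
    ("example.org", "R3", "2021-12-01"),
    ("R3", "ISRG Root X1", "2025-09-15"),
    ("ISRG Root X1", "DST Root CA X3", "2024-09-30"),  # cross-signed copy
]
TRUST_STORE = {
    "DST Root CA X3": ("DST Root CA X3", "DST Root CA X3", "2021-09-30"),
    "ISRG Root X1": ("ISRG Root X1", "ISRG Root X1", "2035-06-04"),
}


def find_path(chain, store, today, trusted_first=False, prune_expired=False):
    """Return the subjects on a path from chain[0] to a trust anchor, or None.

    prune_expired=False mimics OpenSSL 1.0.2: the path is built by issuer
    name alone (backtracking only when no issuer exists at all) and dates
    are checked afterwards, so an expired anchor fails the verification
    even though another valid path was available.
    prune_expired=True is the RFC 4158 graph view: an expired certificate
    is merely a dead branch and the search continues along other edges.
    trusted_first=True consults the trust store before the server-sent
    chain, which is what 'openssl verify -trusted_first' does.
    ISO-8601 date strings compare correctly as plain strings."""
    def candidates(name):
        from_store = [store[name]] if name in store else []
        from_chain = [c for c in chain if c[0] == name]
        return from_store + from_chain if trusted_first else from_chain + from_store

    def search(cert, path):
        if prune_expired and today > cert[2]:
            return None
        path = path + [cert]
        if cert[0] == cert[1] and cert[0] in store:  # reached a trust anchor
            return path
        for nxt in candidates(cert[1]):
            if any(nxt[0] == seen[0] for seen in path):  # no loops
                continue
            found = search(nxt, path)
            if found:
                return found
        return None

    path = search(chain[0], [])
    if path is None or any(today > c[2] for c in path):  # post-build date check
        return None
    return [c[0] for c in path]
```

Passing `SERVER_CHAIN[:2]` models the third workaround (the server omits the cross-signed certificate), and a store without the DST entry models the first.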

Additionally, it can be noted that the Let's Encrypt project has passed the milestone of two billion certificates issued. The one billion milestone was reached in February of last year. 2.2-2.4 million new certificates are issued every day. The number of active certificates is 192 million (a certificate is valid for three months) and covers about 260 million domains (195 million domains a year ago, 150 million two years ago, 60 million three years ago). According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (81% a year ago, 77% two years ago, 69% three years ago, 58% four years ago).

Source: opennet.ru
