Mozilla has announced that support for the ECH (Encrypted Client Hello) mechanism is now enabled for users of the stable branch of Firefox. ECH continues the development of the ESNI (Encrypted Server Name Indication) technology and is designed to encrypt information about TLS session parameters, such as the requested domain name. Working ECH code was first added in the Firefox 85 release, but was disabled by default. Chrome began enabling ECH support in stages starting with the Chrome 115 release.
Because information about the requested domain leaks not only through the connection to the server but also through DNS, full protection requires, in addition to ECH, the use of DNS over HTTPS or DNS over TLS to encrypt DNS traffic. Firefox will not use ECH unless DNS over HTTPS is enabled in its settings. You can check ECH support in your browser on this page.
One of the factors that led to ECH being enabled by default in Firefox was Cloudflare's rollout of ECH support on its content delivery network a few days ago. On the practical side, since data about the requested hosts is hidden from analysis when ECH is used, filtering and blocking unwanted sites that use the Cloudflare CDN will now require blocking the entire Cloudflare network, blocking all requests that use ECH, or arranging HTTPS interception using fake root certificates on the user's system.
Originally, to serve several HTTPS sites from a single IP address, the TLS SNI extension was used, in which the requested host name was indicated in the ClientHello message transmitted before the encrypted communication channel was established. This feature made it possible to route requests to the different virtual hosts at the very start of connection processing, but it also made it possible on the ISP side to selectively filter HTTPS traffic and analyze which sites the user opened, which prevented complete privacy when using HTTPS.
To solve this problem and prevent the leak of information about the requested site, the ESNI extension was later proposed, which encrypts the host name data. During the deployment of ESNI it became clear that the proposed method does not cover all possible sources of data leakage and that its use is not sufficient to ensure complete confidentiality of HTTPS sessions. In particular, when resuming a previously established session, the domain name continued to be sent in clear text among the parameters of the PSK (Pre-Shared Key) TLS extension. In addition, attempts to deploy ESNI revealed compatibility and scaling problems that prevented wide adoption of ESNI.
Taking the identified shortcomings of ESNI into account, a new universal ECH method was developed that allows the parameters of any TLS extension to be encrypted. Technically, the main difference between ECH and ESNI is that instead of individual fields, the entire ClientHello message is encrypted at once. ECH splits ClientHello into two separate messages: an encrypted ClientHelloInner message (SNI Inner) and an unencrypted outer ClientHelloOuter message (SNI Outer). The unencrypted SNI Outer carries non-confidential data such as the TLS version and the list of supported ciphers, together with a generic domain name that does not match the real name of the requested domain. For example, for all Cloudflare clients the unencrypted SNI Outer specifies the generic host "cloudflare-ech.com", while the real name of the requested host is transmitted in the encrypted SNI Inner and is not available for analysis.
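To make the outer/inner split concrete, here is an added Python example (not code from the article, Mozilla or Cloudflare) that builds a ClientHelloOuter-shaped TLS record from constructed bytes and parses back what a passive network observer can actually see: the visible SNI and whether the encrypted_client_hello extension (codepoint 0xfe0d) is present. The ECH payload is an opaque placeholder, not real HPKE ciphertext, and `build_client_hello`, `parse_client_hello` and `describe` are names chosen for this example.

```python
import struct
from typing import Optional

# TLS extension codepoints: server_name (RFC 6066) and encrypted_client_hello
# (draft-ietf-tls-esni, codepoint 0xfe0d).
SNI_EXTENSION_TYPE = 0x0000
ECH_EXTENSION_TYPE = 0xFE0D
ECH_CLIENT_HELLO_OUTER = 0   # ECHClientHelloType.outer
ECH_CLIENT_HELLO_INNER = 1   # ECHClientHelloType.inner


def _vec(data: bytes, length_bytes: int) -> bytes:
    """Encode a TLS variable-length vector (N-byte big-endian length prefix)."""
    return len(data).to_bytes(length_bytes, "big") + data


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed sample data).

    With ech_payload set, the message is shaped like a ClientHelloOuter: the
    visible SNI is the public name and the ECH extension carries the opaque
    (here: dummy) encrypted inner hello."""
    server_name_list = _vec(b"\x00" + _vec(sni.encode(), 2), 2)   # name_type host_name(0)
    extensions = struct.pack("!H", SNI_EXTENSION_TYPE) + _vec(server_name_list, 2)
    if ech_payload is not None:
        ech_body = bytes([ECH_CLIENT_HELLO_OUTER]) + ech_payload
        extensions += struct.pack("!H", ECH_EXTENSION_TYPE) + _vec(ech_body, 2)
    body = (b"\x03\x03" + bytes(32)            # legacy_version + random (zeros: constructed)
            + _vec(b"", 1)                     # legacy_session_id: empty
            + _vec(b"\x13\x01\x13\x02", 2)     # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
            + _vec(b"\x00", 1)                 # legacy_compression_methods: null
            + _vec(extensions, 2))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)                 # ContentType handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Return the visible SNI and the ECH extension state of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + body[pos]                                      # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher_suites
    pos += 1 + body[pos]                                      # legacy_compression_methods
    info = {"sni": None, "ech": None}
    if pos + 2 > len(body):
        return info                                           # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SNI_EXTENSION_TYPE and len(data) >= 5 and data[2] == 0:
            # ServerNameList: list length (2), name_type (1), name length (2), name
            name_len = int.from_bytes(data[3:5], "big")
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == ECH_EXTENSION_TYPE:
            if data[:1] == bytes([ECH_CLIENT_HELLO_OUTER]):
                info["ech"] = "outer"
            elif data[:1] == bytes([ECH_CLIENT_HELLO_INNER]):
                info["ech"] = "inner"
            else:
                info["ech"] = "malformed"
    return info


def describe(record: bytes) -> str:
    """Observer-side summary: what the visible SNI does and does not tell you."""
    info = parse_client_hello(record)
    if info["ech"] == "outer":
        return (f"ECH in use: visible SNI '{info['sni']}' is the public name; "
                "the real destination is inside the encrypted ClientHelloInner")
    return f"no ECH: visible SNI '{info['sni']}' is the requested host"


if __name__ == "__main__":
    print(describe(build_client_hello("cloudflare-ech.com", ech_payload=b"\x00" * 24)))
    print(describe(build_client_hello("example.com")))
```

The point for anyone doing traffic analysis or writing detection rules is in `describe`: once the ECH extension is present, the outer SNI only identifies the fronting provider, so SNI-based allow/deny lists see "cloudflare-ech.com" rather than the site.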

ECH also uses a different scheme for distributing the encryption key: public key information is carried in HTTPSSVC DNS records rather than in TXT records. Authenticated end-to-end encryption based on the HPKE (Hybrid Public Key Encryption) mechanism is used for key derivation and encryption. ECH additionally supports secure re-delivery of keys from the server, which can be used in the event of server key rotation and to resolve problems with stale keys obtained from the DNS cache.
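The key material described above is published as an ECHConfigList in the ech= parameter of the HTTPS DNS record. The following added Python example (not code from the article or from Cloudflare; the record contents are constructed, with dummy key bytes rather than a real Cloudflare key) serializes a list with two configs, base64-encodes it the way it appears in the record, and parses it back. It shows the `config_id` (the value a client sends so the server knows which key was used, which is what makes key rotation and stale-cache recovery workable), the HPKE KEM/KDF/AEAD identifiers, and the `public_name` that becomes the outer SNI. `SUPPORTED_KEMS` and `SUPPORTED_SUITES` model a hypothetical client and are assumptions of this example.

```python
import base64
import struct
from typing import Dict, List, Sequence, Tuple

ECH_VERSION = 0xFE0D                  # ECHConfig version (draft-ietf-tls-esni-13 and later)
KEM_X25519_HKDF_SHA256 = 0x0020       # HPKE KEM identifier (RFC 9180)
KEM_P256_HKDF_SHA256 = 0x0010         # another real KEM id, used here as "unsupported"
KDF_HKDF_SHA256 = 0x0001              # HPKE KDF identifier
AEAD_AES_128_GCM = 0x0001             # HPKE AEAD identifiers
AEAD_CHACHA20_POLY1305 = 0x0003

# What our hypothetical client speaks (assumption for this example).
SUPPORTED_KEMS = {KEM_X25519_HKDF_SHA256}
SUPPORTED_SUITES = {(KDF_HKDF_SHA256, AEAD_AES_128_GCM),
                    (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)}


def _vec(data: bytes, length_bytes: int) -> bytes:
    """Encode a TLS variable-length vector (N-byte big-endian length prefix)."""
    return len(data).to_bytes(length_bytes, "big") + data


class _Reader:
    """Cursor over TLS-encoded bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def uint(self, n: int) -> int:
        value = int.from_bytes(self.data[self.pos:self.pos + n], "big")
        self.pos += n
        return value

    def vec(self, length_bytes: int) -> bytes:
        length = self.uint(length_bytes)
        out = self.data[self.pos:self.pos + length]
        self.pos += length
        return out


def build_ech_config(config_id: int, kem_id: int, public_key: bytes, public_name: str,
                     suites: Sequence[Tuple[int, int]]) -> bytes:
    """Serialize one ECHConfig: HpkeKeyConfig, maximum_name_length, public_name, no extensions."""
    key_config = (bytes([config_id]) + struct.pack("!H", kem_id) + _vec(public_key, 2)
                  + _vec(b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites), 2))
    contents = key_config + bytes([64]) + _vec(public_name.encode("ascii"), 1) + _vec(b"", 2)
    return struct.pack("!H", ECH_VERSION) + _vec(contents, 2)


def build_ech_svcparam(configs: List[bytes]) -> str:
    """Base64 ECHConfigList as it appears in the ech= SvcParam of an HTTPS record."""
    return base64.b64encode(_vec(b"".join(configs), 2)).decode()


def parse_ech_svcparam(value: str) -> List[Dict]:
    """Decode an ech= SvcParam into a list of ECHConfig dictionaries."""
    raw = base64.b64decode(value)
    outer = _Reader(raw)
    configs = []
    entries = _Reader(outer.vec(2))
    while entries.pos + 4 <= len(entries.data):
        version = entries.uint(2)
        body = _Reader(entries.vec(2))
        if version != ECH_VERSION:
            configs.append({"version": version})      # unknown version: clients skip it
            continue
        config_id = body.uint(1)
        kem_id = body.uint(2)
        public_key = body.vec(2)
        suite_bytes = body.vec(2)
        suites = [struct.unpack("!HH", suite_bytes[i:i + 4]) for i in range(0, len(suite_bytes), 4)]
        max_name_len = body.uint(1)
        public_name = body.vec(1).decode("ascii")
        extensions = body.vec(2)
        configs.append({"version": version, "config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name,
                        "extensions": extensions})
    return configs


def usable_configs(configs: List[Dict]) -> List[Dict]:
    """Keep only configs a client with SUPPORTED_KEMS/SUPPORTED_SUITES could actually use."""
    return [c for c in configs
            if c.get("version") == ECH_VERSION
            and c["kem_id"] in SUPPORTED_KEMS
            and any(s in SUPPORTED_SUITES for s in c["cipher_suites"])]


def sample_svcparam() -> str:
    """Constructed two-key record: one usable X25519 config and one P-256 config."""
    key_a = bytes(range(32))                      # dummy X25519 public key (constructed)
    key_b = bytes(65)                             # dummy P-256 public key (constructed)
    cfg_a = build_ech_config(7, KEM_X25519_HKDF_SHA256, key_a, "cloudflare-ech.com",
                             [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)])
    cfg_b = build_ech_config(8, KEM_P256_HKDF_SHA256, key_b, "cloudflare-ech.com",
                             [(KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)])
    return build_ech_svcparam([cfg_a, cfg_b])


if __name__ == "__main__":
    for cfg in parse_ech_svcparam(sample_svcparam()):
        print(cfg["config_id"], hex(cfg["kem_id"]), cfg["public_name"], cfg["cipher_suites"])
    print("usable config ids:", [c["config_id"] for c in usable_configs(parse_ech_svcparam(sample_svcparam()))])
```

Operationally, the `usable_configs` filter is the check a client performs before it will send ECH at all; if a deployment publishes only KEMs or AEADs the browser does not support, the client silently falls back to a plaintext SNI, which is worth verifying when auditing your own HTTPS records.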
Source: opennet.ru
