CRLite, Mozilla's new approach to TLS certificate revocation checking

Mozilla recently announced the implementation of a new method for detecting certificate revocation, called "CRLite", which is available in Firefox Nightly builds. The new method allows a certificate to be checked efficiently against a revocation database held on the user's own system.

Certificate verification as practised until now, through external services based on the OCSP protocol (Online Certificate Status Protocol), requires working network access, adds a noticeable delay to request processing (350 ms on average) and has privacy problems (the servers that answer OCSP requests learn which certificates are being checked, which can be used to infer which sites a user is visiting).

It is also possible to verify locally against a CRL (Certificate Revocation List), but the drawback of that approach is the large amount of data that has to be downloaded: the revocation database currently occupies about 300 MB and keeps growing.

Since 2015 Firefox has used the OneCRL blocklist to block compromised certificates and certificates revoked by certificate authorities, together with access to Google's Safe Browsing service to detect malicious activity.

OneCRL, like CRLSets in Chrome, acts as an intermediary that aggregates the CRLs of the certificate authorities and provides a single, centralised OCSP-like service for checking revoked certificates, so that requests do not have to be sent directly to each certificate authority.

By default, if a certificate cannot be checked via OCSP, the browser treats it as valid (a "soft fail"). This keeps sites working when the service is unreachable because of network problems or restrictions on an internal network, but it also means an attacker can simply block the OCSP responder during a MITM attack. To counter that attack the Must-Staple technique exists: it allows an OCSP access error or a missing OCSP response to be treated as a problem with the certificate itself, but the feature is optional and requires a special flag to be embedded in the certificate when it is issued.

About CRLite

CRLite makes it possible to pack complete information about all revoked certificates into an easily updated structure of only about 1 MB, which makes it practical to keep the whole revocation database on the client side. The browser can synchronise its copy of the revocation data daily, and that database remains usable under any circumstances, including when the network is unreachable.

CRLite combines information from Certificate Transparency, the public log of issued certificates, with the results of scanning the certificate infrastructure of the Internet: the CRLs of the certificate authorities are collected, and information about all known certificates is added.

The data is packed using Bloom filters, a probabilistic structure that allows false positives (reporting an element as present when it is absent) but never false negatives (missing an element that is present). In other words, with some probability a valid certificate may be wrongly flagged, but a revoked certificate is guaranteed to be found.

To eliminate the false positives, CRLite adds further correction levels. After the first structure is built, all the source records are run through it and the false positives are identified.

Based on the result of that check, an additional structure is built on top of the first one that corrects the false positives found. The process is repeated until a lookup produces no false positives at all.

Typically 7 to 10 levels are enough to cover all the data. Because the database state lags slightly behind the state of the CRLs due to the periodic synchronisation, new certificates issued after the last CRLite data update are verified using OCSP, including the OCSP stapling technique.
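The cascade described in the preceding paragraphs, as an added toy example that is not Mozilla's CRLite code (the real hashing, sizing and serialisation differ): layer 0 holds the revoked set, every further layer holds the false positives of the layer before it measured against the opposite set, and the lookup walks the layers until one misses. It also shows the client-side rule from the paragraph above, returning "unknown" for a certificate issued after the filter was built so the caller falls back to OCSP or a stapled response. The certificate identifiers, the SHA-256 double hashing, the 10-bits-per-item sizing and the epoch-second timestamps are all assumptions made for this example.

```python
"""Toy Bloom-filter cascade in the spirit of CRLite (added example, not Mozilla's code)."""
import hashlib

BITS_PER_ITEM = 10   # assumption: ~0.8 % false-positive rate per layer with 7 hashes
NUM_HASHES = 7
MAX_LEVELS = 30      # safety guard only; real builds converge in well under 10 layers


class BloomFilter:
    """Fixed-size bit array; `level` salts the hashes so each cascade layer is independent."""

    def __init__(self, num_bits: int, level: int):
        self.num_bits = max(64, num_bits)
        self.level = level
        self.bits = bytearray((self.num_bits + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing: two 64-bit values from a single SHA-256 give all k positions.
        digest = hashlib.sha256(bytes([self.level]) + item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(NUM_HASHES):
            yield (h1 + i * h2) % self.num_bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_cascade(revoked: set, known_valid: set) -> list:
    """Layer 0 holds the revoked set. Each next layer holds the false positives of the
    previous layer, found by running the *other* set through it, until none remain."""
    levels = []
    include, exclude = set(revoked), set(known_valid)
    while include:
        if len(levels) >= MAX_LEVELS:
            raise RuntimeError("cascade did not converge")
        bf = BloomFilter(BITS_PER_ITEM * len(include), len(levels))
        for item in include:
            bf.add(item)
        false_positives = {item for item in exclude if item in bf}
        levels.append(bf)
        include, exclude = false_positives, include
    return levels


def cascade_says_revoked(levels: list, item: bytes) -> bool:
    """Exact answer for any item that was in either input set when the cascade was built.
    Even layers mean 'possibly revoked', odd layers 'possibly valid'; the first layer
    that misses settles the answer as the opposite of its own meaning."""
    for depth, bf in enumerate(levels):
        if item not in bf:
            return depth % 2 == 1
    return (len(levels) - 1) % 2 == 0


def cascade_size_bits(levels: list) -> int:
    return sum(bf.num_bits for bf in levels)


def check_certificate(levels: list, filter_built_at: int, cert_id: bytes, cert_not_before: int) -> str:
    """Client-side rule: the cascade only covers certificates it knew about when it was built,
    so anything issued later is 'unknown' and must be checked via OCSP / a stapled response."""
    if cert_not_before > filter_built_at:
        return "unknown"
    return "revoked" if cascade_says_revoked(levels, cert_id) else "good"


def sample_sets():
    """Constructed sample identifiers (SHA-256 of a label) standing in for issuer+serial."""
    revoked = {hashlib.sha256(b"revoked-cert-%d" % i).digest() for i in range(200)}
    valid = {hashlib.sha256(b"valid-cert-%d" % i).digest() for i in range(5000)}
    return revoked, valid


if __name__ == "__main__":
    revoked, valid = sample_sets()
    levels = build_cascade(revoked, valid)
    print("layers:", len(levels), "total bits:", cascade_size_bits(levels),
          "vs", 256 * len(revoked), "bits for a plain list of revoked ids")
```

The lookup is exact only for identifiers that were in one of the two input sets; an identifier the builder never saw gets an arbitrary answer, which is why the real system restricts the cascade to certificates known from CT and the scans, and why `check_certificate` refuses to answer for anything newer than the filter.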

Mozilla's CRLite implementation is released under the free MPL 2.0 licence. The code that generates the database and the server components is written in Python and Go, while the components built into Firefox that read the database are written in Rust.

Source: https://blog.mozilla.org/

