CRLite, Mozilla's new mechanism for checking TLS certificate revocation


Mozilla recently announced the introduction of a new mechanism for checking certificate revocation, called "CRLite", which is available in the Firefox nightly builds. The new approach makes it possible to perform certificate revocation checks efficiently against data held on the user's own system.

Until now, certificate revocation checking has relied on external services based on the OCSP protocol (Online Certificate Status Protocol). This requires guaranteed network access, adds noticeable latency to request processing (about 350 ms on average) and raises privacy concerns: the servers that answer OCSP requests learn about specific certificates, which can be used to infer which sites a user is visiting.

Local checking against a CRL (Certificate Revocation List) is also possible, but the drawback of this approach is the large volume of data to download. The certificate revocation database currently occupies about 300 MB and continues to grow.

Since 2015 Firefox has used the OneCRL blocklist to block certificates that have been compromised and revoked by certificate authorities, together with lookups against Google's Safe Browsing service to detect possible malicious activity.

OneCRL, like CRLSets in Chrome, acts as an intermediary that aggregates the CRLs of the certificate authorities and provides a single centralized OCSP service for checking revoked certificates, so that requests do not have to be sent directly to each certificate authority.

By default, if an OCSP check cannot be performed, the browser treats the certificate as valid. The service may be unreachable because of network problems or restrictions on an internal network, or it may be deliberately blocked by an attacker during a MITM attack. To counter such attacks, the Must-Staple mechanism exists, which allows an OCSP error or the unavailability of OCSP to be treated as a certificate problem, but this feature is optional and requires a special flag to be set when the certificate is issued.

About CRLite

CRLite makes it possible to deliver complete information about all revoked certificates in an easily updatable structure of only about 1 MB, so the entire revocation database can be stored on the client side. The browser can synchronize its copy of the revoked-certificate data daily, and this database remains available under any network conditions.

CRLite combines information from Certificate Transparency, a public log of all issued and revoked certificates, with the results of scanning certificates across the Internet (the various CRLs of the certificate authorities are collected, and information about all known certificates is merged in).

The data is packed using Bloom filters, a probabilistic structure that can falsely report the presence of an absent element but never misses an element that is present (that is, with a certain probability a false positive is possible for a valid certificate, but a revoked certificate is guaranteed to be detected).

To eliminate these false positives, CRLite introduces additional corrective filter levels. After the structure is built, all the source records are looked up in it and the false positives are identified.

Based on the results of this check, an additional structure is built on top of the first one to correct the false positives that appeared. The process is repeated until false positives are completely eliminated during lookup.

Typically, 7 to 10 layers are enough to cover all the data. Because the database is synchronized periodically and therefore lags slightly behind the state of the CRLs, new certificates issued after the last CRLite data update are still checked using the OCSP protocol, including the use of OCSP stapling.
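As an added illustration of the filter cascade described above (not Mozilla's own code), the following Python sketch builds layer 0 from a set of revoked identifiers, then repeatedly builds a further layer from the previous layer's false positives until none remain, and walks the layers at lookup time. The Bloom filter sizing and the sample identifiers are assumptions made for the example.

```python
import hashlib
from math import ceil, log

class BloomFilter:
    """Minimal Bloom filter; k bit positions are taken from a salted SHA-256 of the key."""

    def __init__(self, n_items, fp_rate=0.5, salt=0):
        n_items = max(n_items, 1)
        # Standard sizing: m bits and k hashes for the requested false-positive rate.
        self.m = max(8, ceil(-n_items * log(fp_rate) / log(2) ** 2))
        self.k = min(8, max(1, round(self.m / n_items * log(2))))
        self.salt = salt  # differs per cascade layer so layers do not share collisions
        self.bits = bytearray(ceil(self.m / 8))

    def _positions(self, key):
        digest = hashlib.sha256(f"{self.salt}:{key}".encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, key):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(key))

def build_cascade(revoked, valid, fp_rate=0.5):
    """Layer 0 holds the revoked set; each further layer holds the previous layer's false positives."""
    layers, include, exclude = [], set(revoked), set(valid)
    while include:  # stop once a layer produces no false positives at all
        bf = BloomFilter(len(include), fp_rate, salt=len(layers))
        for key in include:
            bf.add(key)
        layers.append(bf)
        # Members of the opposite set that this layer wrongly matches are corrected by the next layer.
        include, exclude = {key for key in exclude if key in bf}, include
    return layers

def is_revoked(layers, key):
    """Walk the cascade; the first layer that does not contain the key decides."""
    for depth, bf in enumerate(layers):
        if key not in bf:
            return depth % 2 == 1  # even layers list revoked certs, odd layers list valid ones
    return (len(layers) - 1) % 2 == 0  # present in every layer: the last layer is authoritative

# Constructed sample data: identifiers standing in for issuer/serial pairs, not real certificates.
REVOKED = [f"example-ca:{i:06x}" for i in range(40)]
VALID = [f"example-ca:{i:06x}" for i in range(40, 400)]
```

Because every layer is verified against the full source sets while the cascade is built, lookups for any certificate known at build time are exact; only certificates issued after the build fall outside the structure.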

Mozilla's CRLite implementation is released under the free MPL 2.0 license. The code that generates the database and the server-side components are written in Python and Go. The client-side components added to Firefox for reading data from the database are written in Rust.

Source: https://blog.mozilla.org/
