A yau, 30 ga Satumba, IdenTrust takardar shaidar tushen rayuwa ta ƙare kuma shine wannan takardar shaidar an yi amfani da shi don sa hannu takardar shaidar Bari Mu Encrypt (ISRG Akidar X1), al'umma ke sarrafawa kuma suna ba da takaddun shaida kyauta ga kowa.
Kamfanin ya tabbatar da amincin takaddun shaida Bari mu Encrypt akan na'urori iri -iri, tsarin aiki da masu bincike yayin haɗar da takardar shaidar tushen Mu Encrypt a cikin shagunan takardar shaidar tushe.
Da farko an shirya cewa bayan DST Root CA X3 ya ƙare, aikin Bari mu Encrypt zai canza zuwa samar da sa hannu ta amfani da takaddar ku kawai, amma irin wannan matakin zai haifar da asarar jituwa tare da yawancin tsoffin tsarin da ba su yi ba. Musamman, kusan kashi 30% na na'urorin Android da ake amfani da su ba su da bayanai kan takardar shaidar Bari Mu Encrypt, wanda tallafinsa ya bayyana kawai kamar na dandalin Android 7.1.1, wanda aka saki a ƙarshen 2016.
Bari Encrypt bai yi niyyar shiga sabuwar yarjejeniya ta sa hannun hannu ba, saboda wannan yana ɗaukar ƙarin nauyi ga ɓangarorin da ke cikin yarjejeniyar, yana hana su 'yancin kai da haɗa hannayensu wajen bin duk hanyoyin da ƙa'idodin wata hukuma ta takaddun shaida.
Amma saboda matsaloli masu yuwuwa akan adadi mai yawa na na'urorin Android, an yi bitar shirin. An rattaba hannu kan sabuwar yarjejeniya tare da ikon takardar shaidar IdenTrust, wanda a ƙarƙashinsa aka ƙirƙiri wani madadin Bari mu Encrypt takaddar sa hannun hannu. Sa hannun giciye zai yi aiki na shekaru uku kuma zai ci gaba da dacewa da na'urorin Android daga sigar 2.3.6.
Duk da haka, sabon takardar shaidar tsaka -tsaki ba ta ƙunshi sauran tsarin gado. Misali, bayan da takardar shaidar DST Root CA X3 ta ƙare (a yau 30 ga Satumba), Ba za a ƙara yarda da Takaddun Takaddun Shaida akan firmware mara tallafi da tsarin aiki, wanda, don tabbatar da dogaro a cikin Takaddun shaida na Encrypt, kuna buƙatar ƙara da hannu da hannu. Tushen ISRG. X1 takardar shaidar zuwa tushen takardar shaidar tushe. Matsalolin za su bayyana kansu a cikin:
OpenSSL har zuwa ciki har da 1.0.2 reshen (an daina kula da reshe 1.0.2 a watan Disamba 2019);
- NSS <3,26
- Java 8 <8u141, Java 7 <7u151
- Windows
- macOS <10.12.1
- iOS <10 (iPhone <5)
- Android <2.3.6
- Mozilla Firefox <50
- Ubuntu <16.04
- Debian <8
A cikin yanayin OpenSSL 1.0.2, matsalar ta samo asali ne daga kuskuren da ke hana gudanar da takaddun shaida daidai sa hannu-hannu idan ɗaya daga cikin tushen takaddun shaida da ke da hannu cikin sa hannu ya ƙare, kodayake ana kiyaye wasu ingantattun sarƙoƙi na amana.
Matsalar ya fara fitowa a bara bayan karewar takardar shaidar AddTrust da aka yi amfani da shi don rattaba hannu kan takaddun shaida na ikon takardar shaidar Sectigo (Comodo). Zuciyar matsalar ita ce OpenSSL ta ba da takardar shaidar azaman sarkar mai layi, yayin da a cewar RFC 4158, takardar shaidar na iya wakiltar ginshiƙi da aka rarraba tare da wasu amintattun amintattu waɗanda ke buƙatar la'akari.
Ana ba masu amfani da tsoffin rarrabawa bisa OpenSSL 1.0.2 mafita uku don warware matsalar:
- Da hannu cire IdenTrust DST Tushen CA X3 takardar shaidar tushe kuma shigar da takaddar tushen tushen ISRG Tushen X1 (babu sa hannun giciye).
- Ƙayyade zaɓin "–trusted_first" lokacin gudanar da tabbatarwar openssl da umarnin s_client.
- Yi amfani da takaddun shaida akan sabar wanda ke da tabbataccen takaddar tushen tushen SRG Root X1 wanda ba a sanya hannu ba (Bari mu Encrypt yana ba da zaɓi don buƙatar irin wannan takardar shaidar). Wannan hanyar zata haifar da asarar jituwa tare da tsoffin abokan ciniki na Android.
Bugu da kari, aikin Bari Mu Encrypt ya wuce matakin mafi girman takaddun biliyan biyu da aka samar. An cimma wannan muhimmin mataki na biliyan daya a watan Fabrairun bara. Kowace rana ana samar da sabbin takaddun shaida miliyan 2,2-2,4. Adadin takaddun shaida masu aiki sun kai miliyan 192 (takardar shaidar tana aiki na watanni uku) kuma tana rufe yanki miliyan 260 (shekara guda da ta gabata ta rufe yankuna miliyan 195, shekaru biyu da suka gabata - miliyan 150, shekaru uku da suka gabata - miliyan 60).
Dangane da ƙididdiga daga sabis ɗin Telemetry na Firefox, rabon buƙatun shafi na kan HTTPS shine 82%(shekara ɗaya da ta gabata - 81%, shekaru biyu da suka gabata - 77%, shekaru uku da suka gabata - 69%, shekaru huɗu da suka gabata - 58%).
Source: https://scotthelme.co.uk/