These are the devices that lost Internet access because of the Let's Encrypt certificate

Today, September 30, the IdenTrust root certificate reached the end of its lifetime. That certificate was used to sign the certificate of Let's Encrypt (ISRG Root X1), which is community-controlled and provides certificates free of charge to everyone.

The signature ensured that Let's Encrypt certificates were trusted across a wide range of devices, operating systems and browsers while Let's Encrypt's own root certificate was being integrated into root certificate stores.

It was originally planned that, once DST Root CA X3 had expired, the Let's Encrypt project would switch to generating signatures using only its own certificate, but such a step would lead to a loss of compatibility with many older systems that did not. In particular, about 30% of the Android devices in use have no data on the Let's Encrypt root certificate, support for which appeared only as of the Android 7.1.1 platform, released at the end of 2016.

Let's Encrypt had not planned to enter into a new cross-signing agreement, since this places additional responsibility on the parties to the agreement, deprives them of independence, and ties their hands by requiring compliance with all the procedures and rules of another certificate authority.

But because of potential problems on a large number of Android devices, the plan was revised. A new agreement was signed with the IdenTrust certificate authority, under which an alternative cross-signed intermediate certificate was created. The cross-signature will be valid for three years and will maintain compatibility with Android devices starting from version 2.3.6.

However, the new intermediate certificate does not cover many other legacy systems. For example, after the DST Root CA X3 certificate expires (today, September 30), Let's Encrypt certificates will no longer be accepted by unsupported firmware and operating systems, where, to ensure trust in Let's Encrypt certificates, you will need to manually add the ISRG Root X1 certificate to the root certificate store. Problems will manifest in:

  • OpenSSL up to and including branch 1.0.2 (maintenance of branch 1.0.2 was discontinued in December 2019)
  • NSS < 3.26
  • Java 8 < 8u141, Java 7 < 7u151
  • Windows
  • macOS < 10.12.1
  • iOS < 10 (iPhone < 5)
  • Android < 2.3.6
  • Mozilla Firefox < 50
  • Ubuntu < 16.04
  • Debian < 8

In the case of OpenSSL 1.0.2, the problem is caused by a bug that prevents correct handling of cross-signed certificates when one of the root certificates involved in the signing expires, even though other valid chains of trust remain.

The problem first surfaced last year, after the expiry of the AddTrust certificate used for cross-signing in the certificates of the Sectigo (Comodo) certificate authority. The essence of the problem is that OpenSSL parsed the certificate as a linear chain, whereas according to RFC 4158 a certificate can represent a directed distributed circular graph with several trust anchors that must be taken into account.

Users of older distributions based on OpenSSL 1.0.2 are offered three workarounds for the problem:

  • Manually remove the IdenTrust DST Root CA X3 root certificate and install the standalone ISRG Root X1 root certificate (without cross-signing).
  • Specify the "-trusted_first" option when running the openssl verify and s_client commands.
  • Use on the server a certificate certified by the standalone ISRG Root X1 root certificate, without cross-signing (Let's Encrypt offers an option to request such a certificate). This method will lead to a loss of compatibility with older Android clients.
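
The linear-chain behaviour described for OpenSSL 1.0.2 and the three workarounds above, as an added example: this is a simplified model written for this page, not OpenSSL's code. Certificates are matched by name only, and the intermediate, host name and validity dates are constructed.

```python
from collections import namedtuple
from datetime import date

# Toy model: certificates are matched by name only; no keys or signatures.
Cert = namedtuple("Cert", "subject issuer not_after")

# Constructed certificates and dates (illustrative, not real validity data).
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
INTERMEDIATE = Cert("Example Intermediate", "ISRG Root X1", date(2025, 1, 1))
LEAF = Cert("www.example.test", "Example Intermediate", date(2021, 12, 1))

SERVER_CHAIN = [INTERMEDIATE, ISRG_CROSS]  # sent by the server, untrusted
AFTER_EXPIRY = date(2021, 10, 1)


def find_issuer(cert, pool):
    """First certificate in pool whose subject equals cert's issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(leaf, untrusted, store, trusted_first):
    path = [leaf]
    while True:
        if trusted_first:
            # Graph-aware order: stop as soon as a trust anchor fits.
            anchor = find_issuer(path[-1], store)
            if anchor:
                return path + [anchor]
        nxt = find_issuer(path[-1], untrusted)
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    # Linear order: the store is consulted only after the server's chain is
    # exhausted; shorter chains are tried only if no anchor is found at all.
    while path:
        anchor = find_issuer(path[-1], store)
        if anchor:
            return path + [anchor]
        path.pop()
    return None


def verify(leaf, untrusted, store, today=AFTER_EXPIRY, trusted_first=False):
    path = build_path(leaf, untrusted, store, trusted_first)
    # The first path found is final: an expired anchor is not retried.
    return path is not None and all(today <= c.not_after for c in path)
```

With both roots in the store, the linear order ends at the expired DST Root CA X3 and fails, while removing that root, passing `trusted_first=True`, or serving only the intermediate each lets the path end at ISRG Root X1.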

In addition, the Let's Encrypt project has passed the milestone of two billion certificates issued. The one billion milestone was reached in February of last year. Every day 2.2-2.4 new certificates are issued. The number of active certificates is 192 million (a certificate is valid for three months), covering about 260 million domains (a year ago it covered 195 million domains, two years ago 150 million, three years ago 60 million).

According to statistics from the Firefox Telemetry service, the global share of page requests over HTTPS is 82% (one year ago 81%, two years ago 77%, three years ago 69%, four years ago 58%).

Source: https://scotthelme.co.uk/

