August 2024

Website operators who will be impacted by the upcoming change in Chrome for new TLS certificates issued after October 31, 2024 can explore continuity options offered by Entrust. Entrust has expressed its commitment to continuing to support customer needs, and is best positioned to describe the available options for website operators. Learn more at Entrust’s TLS Certificate Information Center.

The Chrome Security Team prioritizes the security and privacy of Chrome’s users, and we are unwilling to compromise on these values.

The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.

Over the past several years, publicly disclosed incident reports have highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and have eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.

In response to the above concerns and to preserve the integrity of the Web PKI ecosystem, Chrome will take the following actions.


Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible.

OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP.

Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago.

We added support for CRLs in 2022.

Websites and people who visit them will not be affected by this change, but some non-browser software might be.

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet.

When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address.

Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it.

CRLs do not have this issue.

We are also taking this step because keeping our CA infrastructure as simple as possible is critical for the continuity of compliance, reliability, and efficiency at Let’s Encrypt.

For every year that we have existed, operating OCSP services has taken up considerable resources that can soon be better spent on other aspects of our operations.

Now that we support CRLs, our OCSP service has become unnecessary.

In August of 2023 the CA/Browser Forum passed a ballot to make providing OCSP services optional for publicly trusted CAs like Let’s Encrypt.

With one exception, Microsoft, the root programs themselves no longer require OCSP.

As soon as the Microsoft Root Program also makes OCSP optional, which we are optimistic will happen within the next six to twelve months, Let’s Encrypt intends to announce a specific and rapid timeline for shutting down our OCSP services.

We hope to serve our last OCSP response between three and six months after that announcement.

The best way to stay apprised of updates on these plans is to subscribe to our API Announcements category on Discourse.

We recommend that anyone relying on OCSP services today start the process of ending that reliance as soon as possible.

If you use Let’s Encrypt certificates to secure non-browser communications such as a VPN, you should ensure that your software operates correctly if certificates contain no OCSP URL.

Fortunately, most OCSP implementations “fail open” which means that an inability to fetch an OCSP response will not break the system.
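The check the post asks non-browser software to make can be exercised offline. The Go program below is an added example, not code from Let's Encrypt or from the post: it builds a throw-away self-signed certificate carrying constructed OCSP and CRL URLs, and a hypothetical planRevocationCheck function picks the revocation source, returning "none" rather than failing when a certificate carries no OCSP URL at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// planRevocationCheck prefers CRL distribution points and falls back to the
// OCSP responder URL from the AIA extension only when no CRL is advertised.
// A certificate carrying neither returns "none": a soft-fail client treats
// that as "no revocation information available", not as a fatal error.
func planRevocationCheck(cert *x509.Certificate) (method string, urls []string) {
	if len(cert.CRLDistributionPoints) > 0 {
		return "crl", cert.CRLDistributionPoints
	}
	if len(cert.OCSPServer) > 0 {
		return "ocsp", cert.OCSPServer
	}
	return "none", nil
}

// selfSignedLeaf builds a throw-away test certificate carrying the given OCSP
// responder and CRL distribution point URLs (constructed sample data, not a
// Let's Encrypt certificate), so the plan logic can be exercised offline.
func selfSignedLeaf(ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Pointing the same function at a real leaf (for example one loaded with x509.ParseCertificate from a PEM file) shows which path your client would take today and whether it still has one once the OCSP URL disappears.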

Internet Security Research Group (ISRG) is the parent organization of Let’s Encrypt, Prossimo, and Divvi Up.

ISRG is a 501(c)(3) nonprofit.

If you’d like to support our work, please consider getting involved, donating, or encouraging your company to become a sponsor.

The Emergence of Identity Threat Detection and Response

Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks.

Threat actors have shown their ability to compromise the identity infrastructure and move laterally into IaaS, SaaS, PaaS and CI/CD environments.

Identity Threat Detection and Response solutions help organizations better detect suspicious or malicious activity in their environment.

ITDR solutions give security teams the ability to answer the question "What is happening right now in my environment, and what are my identities doing in my environments?"

Human and Non-Human Identities

As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities.

Human identities include the workforce (employees), guests (contractors), and vendors.

Non-human identities include tokens, keys, service accounts, and bots.

Multi-environment ITDR solutions can detect and respond to identity risk across layers, for example from the IdP through the IaaS and SaaS layers, rather than securing identities in a fragmented, layer-specific way.

Core ITDR Capabilities

The essential capabilities of an ITDR solution include:

Developing a universal identity profile for every entity, human and non-human, covering its activity across cloud service layers and on-prem applications and services.

Pairing static analysis, posture management, and configuration of those identities with the runtime activity of those identities in the environment.

Monitoring and tracking direct and indirect access paths and monitoring the activity of all identities across the environment.

Orchestrating multi-environment identity tracking and detections that span identity providers, IaaS, PaaS, SaaS, and CI/CD applications, following the identity wherever it goes in the environment.

Multi-environment high-fidelity detection and response that enables organizations to take action on identity threats as they manifest across the entire attack surface, rather than reacting to high-volume, atomic alerts based on single events.

For a full list of ITDR capabilities, you can access the full Identity Threat Detection and Response Solution Guide.

Identity Threat Use Cases

To effectively safeguard against identity attacks, organizations must choose an ITDR solution with advanced capabilities to detect and mitigate attacks.

These capabilities should address a range of use cases for both human and non-human identities, including but not limited to:

Account Takeover Detection: Detect any of the numerous variants that indicate an identity has been compromised.

Credential Compromise Detection: Identify and alert on the use of stolen or compromised credentials within the environment.

Privilege Escalation Detection: Detect unauthorized attempts to escalate privileges within systems and applications.

Anomalous Behavior Detection: Monitor for deviations from normal user behavior that may indicate malicious activity.

Insider Threat Detection: Identify and respond to malicious or negligent actions by internal users.
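The difference between following one identity across layers and reacting to atomic alerts can be shown with a small correlation rule. The Go program below is an added example, not code from the solution guide the text cites; the event names, the three-step chain (new-device IdP login, admin-policy attach in IaaS, admin role grant in SaaS) and the sample telemetry are assumptions constructed for illustration.

```go
package main

import "sort"
import "time"

type Event struct {
	Source, Identity, Action string
	At                       time.Time
}

// correlateEscalation follows one identity across layers: an IdP login from an
// unregistered device followed, within window, by an admin-policy attach in IaaS
// and an admin role grant in SaaS for the same principal yields one finding
// (identity -> event chain). Any of those events alone yields nothing.
func correlateEscalation(events []Event, window time.Duration) map[string][]Event {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	findings := map[string][]Event{}
	for i, start := range events {
		if start.Source != "idp" || start.Action != "login.new_device" || findings[start.Identity] != nil {
			continue
		}
		chain, seen := []Event{start}, map[string]bool{}
		for _, e := range events[i+1:] {
			if e.At.Sub(start.At) > window {
				break // later events are outside the correlation window
			}
			k := e.Source + ":" + e.Action
			if e.Identity == start.Identity && !seen[k] &&
				(k == "iaas:iam.attach_admin_policy" || k == "saas:admin.role_grant") {
				seen[k], chain = true, append(chain, e)
			}
		}
		if len(chain) == 3 {
			findings[start.Identity] = chain
		}
	}
	return findings
}

// sampleEvents is constructed telemetry: "svc-deploy" completes the chain within
// 30 minutes; "alice" logs in from a new device but does nothing sensitive.
func sampleEvents() []Event {
	t0 := time.Date(2024, 8, 1, 9, 0, 0, 0, time.UTC)
	return []Event{
		{"idp", "alice", "login.new_device", t0},
		{"idp", "svc-deploy", "login.new_device", t0.Add(2 * time.Minute)},
		{"iaas", "svc-deploy", "iam.attach_admin_policy", t0.Add(9 * time.Minute)},
		{"saas", "svc-deploy", "admin.role_grant", t0.Add(20 * time.Minute)},
	}
}
```

Shrinking the window drops the SaaS grant out of the chain and with it the finding, which is how the rule trades recall for precision rather than emitting one alert per event.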

A group of researchers has detailed a new timing vulnerability in the Transport Layer Security (TLS) protocol that could, under specific conditions, allow an attacker to break the encryption and read sensitive communications.

Called the "Raccoon Attack", the server-side attack exploits a side channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communication between the two parties.

"The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret," the researchers explained in a paper describing their findings. "If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem."

However, the academics said the vulnerability is hard to exploit and relies on very precise timing measurements and a specific server configuration.

Timing Attacks That Leak Secret Keys

Using time measurements to compromise a cryptosystem and leak sensitive information has been at the heart of many timing attacks, and Raccoon applies the same strategy to the Diffie-Hellman (DH) key exchange during the TLS handshake, which is crucial to securely exchanging data over a public network.

The shared secret key generated during the exchange enables secure browsing on the Internet, letting users safely access websites by protecting communications against eavesdropping and man-in-the-middle (MitM) attacks.

To break this security wall, the malicious party records the handshake messages between a client and a server, uses them to initiate new handshakes to the same server, and then measures the time the server takes to respond to the operations involved in deriving the shared key.
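The "non-constant-time processing" the paper names comes down to how the DH shared secret is encoded before it is hashed: TLS 1.2 and earlier (RFC 5246, section 8.1.2) strip leading zero bytes, so the pre-master secret's length depends on its value; TLS 1.3 (RFC 8446, section 7.4.1) uses a fixed-width encoding. The Go program below is an added example, not code from the paper or from any TLS implementation; it uses toy 32-byte group values and hypothetical function names to show the two encodings side by side.

```go
package main

import "math/big"

// premasterTLS12 encodes a Diffie-Hellman shared secret Z the way TLS 1.2 and
// earlier prescribe (RFC 5246 section 8.1.2): leading zero bytes are stripped.
// The pre-master secret's length therefore depends on the secret's value, and
// so does the amount of data the key derivation hashes afterwards. That
// value-dependent work is the timing side channel described above.
func premasterTLS12(z *big.Int) []byte {
	return z.Bytes() // big.Int.Bytes omits leading zero bytes
}

// premasterFixedLen encodes the same Z as a byte string of exactly the group
// modulus size, leading zeros included, as TLS 1.3 does (RFC 8446 section
// 7.4.1). Every secret then has the same length, which removes this
// length-based leak; reusing ephemeral keys across handshakes, the other
// precondition the paper names, still has to be avoided.
func premasterFixedLen(z *big.Int, pLen int) []byte {
	return z.FillBytes(make([]byte, pLen))
}

// lengthDependsOnValue reports whether the given encoding yields different
// lengths for two secrets: under the TLS 1.2 rule, secrets whose top byte(s)
// happen to be zero come out shorter than the rest.
func lengthDependsOnValue(enc func(*big.Int) []byte, a, b *big.Int) bool {
	return len(enc(a)) != len(enc(b))
}

// sampleSecrets returns constructed values for a toy 256-bit group: one uses
// the full width, the other has its top 16 bits clear (roughly 1 in 65536
// random secrets do), so the stripped encoding is two bytes shorter.
func sampleSecrets() (full, short *big.Int, pLen int) {
	full = new(big.Int).Lsh(big.NewInt(1), 255)  // 32 bytes, top bit set
	short = new(big.Int).Lsh(big.NewInt(1), 239) // 30 bytes once stripped
	return full, short, 32
}
```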

ZeroSSL is a website specializing in SSL certificate services. Founded in 2016, it now has 500,000 users and issues up to 1 million SSL certificates per month. ZeroSSL gives each account 3 free 90-day SSL certificates, which can be renewed for free, and supports automatic issuance and renewal through ACME. ZeroSSL's most distinctive feature is that it issues SSL certificates for bare IP addresses free of charge; other SSL certificates that support issuance for bare IP addresses are generally paid.