{
  "id": 8454,
  "date": "2016-08-29T09:29:22",
  "date_gmt": "2016-08-29T07:29:22",
  "guid": { "rendered": "https://ihs.com.tr/blog/?p=8454" },
  "modified": "2020-08-12T15:13:23",
  "modified_gmt": "2020-08-12T13:13:23",
  "slug": "ssl-labs-seviyeleri-onemlidir",
  "status": "publish",
  "type": "post",
  "link": "https://www.ihs.com.tr/blog/ssl-labs-seviyeleri-onemlidir/",
  "title": { "rendered": "Why Do SSL Labs Grades Matter?" },
  "content": {
    "rendered": "<p>Outside the IT and information security fields, organizations usually take one of two attitudes toward encryption: those who care about compliance, <a href=\"https://www.ihs.com.tr/ssl/wildcard-ssl.html\" target=\"_blank\" rel=\"noopener noreferrer\">SSL</a> Labs and the green address bar icon, and those who are unaware of HTTPS encryption altogether. Lately, however, both consumers and companies have been preferring services and partners that rely on HTTPS encryption. More importantly, tools such as SSL Labs grading and more aggressive, more detailed browser warnings and restrictions have made it very simple to decide whether a site or service has strong encryption.</p>\n<p>So the questions we need to ask are: <strong>Why have browsers become more restrictive?</strong> Why are SSL Labs grades so important?</p>\n<p>Despite the doom-mongering of many people in information security, the overall security trend of the internet is steadily improving. Network-layer security is well understood, and fairly advanced firewalls can be deployed and managed easily. As a result, attackers are forced to exploit weaker links through social engineering, endpoint malware and application-level vulnerabilities. One of the tools we use to make application-level attacks harder is <a href=\"https://www.ihs.com.tr/ssl/wildcard-ssl.html\" target=\"_blank\" rel=\"noopener noreferrer\">HTTPS encryption</a>. Naturally, this encryption system has itself become a target of attacks.</p>\n<p>Over the past 2-3 years, HTTPS encryption has had a great many vulnerabilities. Heartbleed, BEAST, POODLE, FREAK, Logjam, WeakDH and DROWN are only a few of the countless vulnerabilities and attacks that surfaced in that short period. In most cases these attacks and vulnerabilities could be eliminated by strengthening the cipher suites used by the server handling the HTTPS encryption.</p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-8455 size-medium\" src=\"https://www.ihs.com.tr/blog/wp-content/uploads/2016/08/SSL-Labs-2-300x221.png\" alt=\"SSL Labs 2\" width=\"300\" height=\"221\" srcset=\"https://www.ihs.com.tr/blog/wp-content/uploads/2016/08/SSL-Labs-2-300x221.png 300w, https://www.ihs.com.tr/blog/wp-content/uploads/2016/08/SSL-Labs-2.png 317w\" sizes=\"(max-width: 300px) 100vw, 300px\" /></p>\n<p><strong>SSL Labs</strong> launched in 2009, but it was not until 2012 that it became widely talked about and used. It was no coincidence that high-profile <a href=\"https://www.ihs.com.tr/ssl/\" target=\"_blank\" rel=\"noopener noreferrer\">SSL</a> vulnerabilities such as BEAST and CRIME emerged in 2011. Since SSL Labs began publishing its SSL Pulse reports in April 2012, the share of sites with an \"A\" grade has risen from 11% to 40% as of July 2016. That is a sign of steady and serious progress in internet security.</p>\n<p>Web browsers such as Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer/Edge are striving to offer their users ever more security. Among their security features are checking HTTPS connections and showing warning messages to the end user. These certificate, encryption and protocol warnings have become increasingly strict and now have a more direct and powerful effect on how websites build customer trust. SSL Labs, in turn, has become the most important benchmark for how websites will be displayed in the browser.</p>\n<p>Although compliance does not always mean security, the latest PCI Digital Security Standards (DSS) have had a major influence on the evolution of the encryption used on HTTPS-based connections. <a href=\"https://www.ihs.com.tr/comodo-pci-dss-tarama.html\" target=\"_blank\" rel=\"noopener noreferrer\">PCI DSS</a> v3.1, released in 2015, required Transport Layer Security (TLS) 1.1 or higher as the encryption protocol for all HTTPS connections carrying credit card data. Although the deadline for completing the migration from SSL v3 and TLS 1.0 to TLS 1.1+ was extended to 2018, many organizations are now working hard to bring their web applications into line with this new standard. Under the SSL Labs grading criteria, the overall grade is set to C when TLS 1.2 is not supported.</p>\n<p>The TLS protocol version matters because the protocol determines which cipher suites are available. For the confidentiality of HTTPS connections, the greatest importance belongs to Perfect Forward Secrecy (PFS) ciphers. To simplify how PFS affects confidentiality, consider the infamous Heartbleed vulnerability. The biggest fear around exploitation of <strong>Heartbleed</strong> was that the private key used to encrypt HTTPS transactions could be dumped from server memory. An attacker who obtained that private key could decrypt previously recorded encrypted transactions. PFS ciphers reduce this impact by using short-lived or per-session private keys.</p>\n<p>With TLS 1.2 becoming mandatory, better and stronger ciphers became available, and old vulnerabilities such as BEAST or Heartbleed lost their relevance. Keep in mind, however, that some older browsers or client types may not support the latest ciphers and protocols. This compatibility limitation can sometimes be a good thing, because it prevents old, insecure browsers from being used. At other times it can affect very large or critically important groups of end users. Using features found in many web analytics tools, you can analyze browser and client types to estimate in advance the likely impact of requiring more modern ciphers and protocols.</p>\n<p>Looking ahead, we know that Apple introduced App Transport Security (ATS) in iOS 9 and will require app developers to use ATS with iOS 10. The IETF is also working hard on TLS v1.3. Although there are some disagreements over the final form of TLS 1.3, it is certain that with the release of the new version PFS will be used by a great many people and organizations. Alongside these changes, the HTTP/2 standard is also becoming more widespread. HTTP/2 uses only HTTPS and PFS ciphers. Despite these strict encryption requirements, HTTP/2 is more efficient and faster than HTTP/1.0 and HTTP/1.1, which has led to its increasingly wide adoption.</p>\n<p>In short, security has become an important competitive factor for commercial organizations. Tools such as SSL Labs and browser warnings have increased visibility and awareness of how HTTPS is used. For companies to gain an advantage over competitors through HTTPS encryption, they need to work with all of their technology teams, from information security to application development and from infrastructure to operations, to ensure that HTTPS does not affect the performance or availability of their e-commerce systems.</p>\n",
    "protected": false
  },
  "excerpt": {
    "rendered": "<p>Outside the IT and information security fields, organizations usually take one of two attitudes toward encryption: those who care about compliance, SSL Labs and the green address bar icon&hellip;</p>\n",
    "protected": false
  },
  "author": 3,
  "featured_media": 8456,
  "comment_status": "open",
  "ping_status": "closed",
  "sticky": false,
  "template": "",
  "format": "standard",
  "meta": { "footnotes": "" },
  "categories": [1, 400],
  "tags": [],
  "class_list": ["post-8454", "post", "type-post", "status-publish", "format-standard", "has-post-thumbnail", "hentry", "category-haberler", "category-ssl-sertifikasi"],
  "amp_enabled": true,
  "_links": {
    "self": [{ "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/posts/8454", "targetHints": { "allow": ["GET"] } }],
    "collection": [{ "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/posts" }],
    "about": [{ "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/types/post" }],
    "author": [{ "embeddable": true, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/users/3" }],
    "replies": [{ "embeddable": true, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/comments?post=8454" }],
    "version-history": [{ "count": 5, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/posts/8454/revisions" }],
    "predecessor-version": [{ "id": 13649, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/posts/8454/revisions/13649" }],
    "wp:featuredmedia": [{ "embeddable": true, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/media/8456" }],
    "wp:attachment": [{ "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/media?parent=8454" }],
    "wp:term": [
      { "taxonomy": "category", "embeddable": true, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/categories?post=8454" },
      { "taxonomy": "post_tag", "embeddable": true, "href": "https://www.ihs.com.tr/blog/wp-json/wp/v2/tags?post=8454" }
    ],
    "curies": [{ "name": "wp", "href": "https://api.w.org/{rel}", "templated": true }]
  }
}