{"id":4885,"date":"2018-04-30T09:57:16","date_gmt":"2018-04-30T06:57:16","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=4885"},"modified":"2019-11-15T14:42:09","modified_gmt":"2019-11-15T11:42:09","slug":"certificates-are-different","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/certificates-are-different\/4885\/","title":{"rendered":"Whom to trust: The different types of SSL certificate"},"content":{"rendered":"<p>A secure connection is encrypted and therefore safe; an unprotected connection is not. Simple, right? But where do certificates come from, what is the difference between SSL and TLS, and what does a digital certificate have to do with security in the first place?<\/p>\n<p>In this post we try to answer those questions and clear up a few related doubts. First, though, let us look at what HTTP and HTTPS in your browser's address bar actually mean.<\/p>\n<h2>HTTP and HTTPS for data transfer<\/h2>\n<p>When a visitor reads what is written on a website, or types something into it, information is exchanged between their computer and the server hosting the site. 
That exchange follows a data transfer protocol called HTTP (Hypertext Transfer Protocol).<\/p>\n<p>HTTP also has a secure extension, HTTPS (Hypertext Transfer Protocol Secure). In the secure version the information passing between client and server is encrypted, so it is readable only by those two parties and cannot be read by third parties such as the Wi-Fi operator or a network administrator.<\/p>\n<p>The encryption is not part of HTTP itself; HTTPS is simply HTTP carried over a separate encryption protocol. The first protocol used for this was SSL (Secure Sockets Layer). SSL went through several versions, and sooner or later security flaws were found in all of them. It was succeeded by a revised and renamed version, TLS (Transport Layer Security), which is what is actually in use today; the early TLS versions 1.0 and 1.1 have since been deprecated as well, so current deployments should offer TLS 1.2 or 1.3. Because the abbreviation SSL stuck, the newer protocol is still commonly called by its old name.<\/p>\n<p>To encrypt the connection a site needs a certificate: a file that binds the site's public key to its name (and, for some certificate types, to the organisation behind it) and carries the digital signature of whoever vouches for that binding. The certificate is not itself the signature, and it does not prove that the encryption is strong; what it proves is who the browser is talking to, which is what makes the encryption worth anything. 
Besides the S in HTTPS, the other sign that a site has such a certificate is a small green padlock (or, in some browsers, a shield) in the address bar, next to the word Secure or the company's name. You can see what it looks like right now by glancing at the top of your browser window; all Kaspersky Lab websites use HTTPS.<\/p>\n<h2>How to get an SSL certificate for a site<\/h2>\n<p>There are two ways to obtain a certificate. A network administrator can generate the key pair, create the certificate and sign it with that same key. Such certificates are called self-signed certificates. The browser has no independent party vouching for the key, so users who try to open the site are shown a warning that the certificate is not trusted.<\/p>\n<p>On such sites the browser window shows, depending on the browser and even on the version of the same browser, a crossed-out padlock, a red shield, the words Not Secure, the letters HTTPS in red rather than green, or HTTPS in the address bar struck through and highlighted in red.<\/p>\n<p>The better option is to obtain a certificate that carries the signature of a trusted certification authority (CA). 
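To make the difference between the two routes concrete, here is an added example (not code from the original post or from Kaspersky) that builds a throwaway private CA with the openssl command-line tool, has it sign a certificate for one hostname, and then runs the same chain and hostname checks a browser performs against both that certificate and a self-signed one for the same name. The CA name, the hostname www.example.com, the login.example.com mismatch case and the file names are assumptions chosen for illustration; the script needs only openssl and a POSIX shell, and generating the four RSA keys takes about a second.

```shell
#!/bin/sh
# Added example for this post (not code from the original article or from
# Kaspersky): build a throwaway private CA, issue a certificate for a hostname,
# and compare how chain validation treats that CA-signed certificate with a
# self-signed one. Requires the openssl command-line tool. The CA name, the
# hostname www.example.com and the file names are assumptions for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-contained OpenSSL config so the example does not depend on the
# system openssl.cnf. v3_ca marks a certificate as a CA; v3_leaf marks a
# server certificate bound to one DNS name via subjectAltName.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Generate the certificates once; later calls reuse them.
build_pki() {
  [ -f "$WORK/self.crt" ] && return 0
  # 1. The root of our private CA: a self-signed CA certificate.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private CA" -config "$WORK/pki.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. The site generates its own key and a signing request (CSR) for its name.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -config "$WORK/pki.cnf" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  # 3. The CA signs the request: this is what domain-validated issuance boils
  #    down to once the CA has checked that the applicant controls the name.
  openssl x509 -req -days 1 -in "$WORK/site.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf \
    -out "$WORK/site.crt" 2>/dev/null
  # 4. The alternative route: the same name in a self-signed certificate.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.com" -config "$WORK/pki.cnf" -extensions v3_leaf \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_chain CERT TRUST_ANCHOR HOSTNAME -> prints OK or FAIL.
# An empty TRUST_ANCHOR means nothing is trusted, which is the position a
# browser is in for a self-signed certificate. -no-CAfile/-no-CApath keep the
# default trust file and directory out of the picture so the result is stable.
verify_chain() {
  cert="$1"; anchor="$2"; host="$3"
  set -- -no-CAfile -no-CApath -verify_hostname "$host"
  [ -n "$anchor" ] && set -- "$@" -CAfile "$anchor"
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Who signed the certificate? RFC 2253 formatting keeps the output identical
# across OpenSSL versions.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Run the checks a browser effectively performs and report them on one line.
run_demo() {
  build_pki
  printf 'ca-signed=%s hostname-mismatch=%s self-signed=%s self-signed-pinned=%s\n' \
    "$(verify_chain "$WORK/site.crt" "$WORK/ca.crt" www.example.com)" \
    "$(verify_chain "$WORK/site.crt" "$WORK/ca.crt" login.example.com)" \
    "$(verify_chain "$WORK/self.crt" "" www.example.com)" \
    "$(verify_chain "$WORK/self.crt" "$WORK/self.crt" www.example.com)"
}

run_demo
```

Run it as `sh demo.sh`; it prints `ca-signed=OK hostname-mismatch=FAIL self-signed=FAIL self-signed-pinned=OK`. The second field shows that a valid chain is not enough: the name the user typed must also match the certificate. The last field is the command-line equivalent of clicking through the browser warning and adding a permanent exception: the self-signed certificate is accepted only because the verifier was told to trust that exact certificate. A public CA's root in the browser's trust store is that same decision, made in advance by the browser vendor on every user's behalf.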
The CA checks the applicant's documents and whether they have the right to the domain, because a CA-issued certificate is meant to mean that the resource really belongs to whoever it names. A caveat applies, though: only the Organisation Validation and Extended Validation certificates described below say anything about a registered, legal company; a Domain Validation certificate attests only control of the domain name.<\/p>\n<p>There are many CAs, but the top-tier ones can be counted on the fingers of one hand. A CA's reputation determines how far browser makers trust it, which in concrete terms means whether its root certificate stays in the trust stores they ship, and that in turn determines how the sites it certifies are displayed: a certificate chaining to an included root is accepted silently, while one that does not triggers the same warning as a self-signed certificate. The price of a certificate depends on its type and validity period, and on the CA's reputation.<\/p>\n<h2>Types of SSL certificate<\/h2>\n<p>CA-signed certificates differ in the assurance they give, in who can obtain them and how, and in price.<\/p>\n<p><strong>Domain Validation certificates<\/strong><\/p>\n<p>A person or organisation applying for a Domain Validation certificate must prove either that the domain in question belongs to them or that the site they manage is hosted there. The certificate enables a secure connection, but it contains no information about the organisation behind the site, and no documents are needed to obtain one. 
Getting one usually takes a few minutes at most, and some CAs issue them free of charge after a fully automated check.<\/p>\n<p><strong>Organisation Validation certificates<\/strong><\/p>\n<p>The higher-grade version is the Organisation Validation certificate, which confirms not only that the connection to the domain is secure but also that the domain really belongs to the organisation named in the certificate. Checking all the paperwork and preparing the certificate can take several days. If a site has a Domain or Organisation Validation certificate, the browser's address bar shows a grey or green padlock together with the word Secure and the letters HTTPS.<\/p>\n<p><strong>Extended Validation certificates<\/strong><\/p>\n<p>Finally, at the top, come Extended Validation certificates. Like Organisation Validation certificates they are issued only to legal entities that supply all the required documents, and when a site has one the organisation's name and location appear in green in the address bar, next to a green padlock. (Since late 2019 the major browsers no longer show the organisation name in the address bar for EV certificates; the details can still be found in the certificate viewer behind the padlock.)<\/p>\n<p>Extended Validation certificates carry the strongest identity checks, and they are also the most expensive. 
Here too, depending on the browser, clicking the organisation's name or the word Secure brings up information about the certificate: who issued it, when, and how long it is valid for.<\/p>\n<h2>Problems with certificates<\/h2>\n<p>Online security and the protection of user data are core principles in the policies of the major browser makers such as Google and Mozilla. For example, in autumn 2017 Google <a href=\"https:\/\/threatpost.com\/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october\/127709\/\" target=\"_blank\" rel=\"noopener nofollow\">announced<\/a> that Chrome would start flagging pages served over plain HTTP as \u201cNot secure\u201d. The label is a warning rather than a block: users can still open such pages, but the browser now tells them in so many words that the connection is unprotected.<\/p>\n<p>Google's move pushed HTTP sites to obtain a trusted certificate. Demand for CA services jumped as a result, the authorities had to speed up their document checks, and quality control suffered.<\/p>\n<p>One obvious consequence is that trusted certificates are now sometimes issued to sites that are not entirely trustworthy. A Google <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-outlines-ssl-apocalypse-for-symantec-certificates\/\" target=\"_blank\" rel=\"noopener nofollow\">investigation<\/a> found that one of the largest and most respected CAs, Symantec, had issued more than 30,000 certificates without proper vetting. 
The consequences for that CA were severe: Google stated that no certificate it issued would be trusted until its validation system had been overhauled from top to bottom and new standards put in place. Mozilla likewise plans to <a href=\"https:\/\/www.infoworld.com\/article\/2607698\/security\/mozilla-to-strengthen-ssl-certificate-verification-in-firefox.html\" target=\"_blank\" rel=\"noopener nofollow\">tighten<\/a> certificate validation in its own browser.<\/p>\n<p>Despite these reactions, there is still no way to be completely sure that a certificate, and the company behind it, are genuine. Even when a site presents an Extended Validation certificate that appears to meet every security requirement, the green text cannot be trusted unconditionally.<\/p>\n<p>With Extended Validation certificates the situation is particularly awkward. Phishers can, for example, register a company under a name confusingly similar to that of a well-known firm and obtain an Extended Validation certificate for their site on the strength of that registration. The lookalike company name then appears in the address bar of the phishing site and lends it credibility. 
Users should therefore stay alert whenever they open a web page and follow the <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/https-does-not-mean-safe\/4636\/\" target=\"_blank\" rel=\"noopener\">guidelines<\/a> in our earlier post on why HTTPS does not mean safe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A secure connection is encrypted and therefore safe; an unprotected connection is not. Simple, right? But where do certificates come from, what is the difference between SSL and TLS, and what does a digital certificate have to do with security in the first place?<\/p>\n","protected":false},"author":2455,"featured_media":4887,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[995],"tags":[22,744,595,777,135,794,562,537,1598],"class_list":{"0":"post-4885","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-google","9":"tag-guvenlik","10":"tag-https","11":"tag-internet","12":"tag-mozilla","13":"tag-sifreleme","14":"tag-ssl","15":"tag-tehditler","16":"tag-tls"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/certificates-are-different\/4885\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/certificates-are-different\/13192\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/certificates-are-different\/10999\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/certificates-are-different\/15272\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/certificates-are-different\/13539\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/certificates-are-different\/12798\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/certificates-are-different\/15959\/"},{
"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/certificates-are-different\/15534\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/certificates-are-different\/20227\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/certificates-are-different\/22147\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/certificates-are-different\/10374\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/certificates-are-different\/10851\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/certificates-are-different\/16528\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/certificates-are-different\/20273\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/certificates-are-different\/20158\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/certificates-are-different\/20155\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik\/","name":"G\u00fcvenlik"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2455"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=4885"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4885\/revisions"}],"predecessor-version":[{"id":6945,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/4885\/revisions\/6945"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/4887"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=4885"}
],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=4885"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=4885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}