Skip to main content

happy-halloween-wikid-releases-https-mutual

Happy Halloween!

WiKID is pleased to announce the alpha release of a major feature upgrade under the GPL featuring a cryptographic method of mutual authentication for web sites:

WiKID-2.1: SOMETHING_WiKID_THIS_WAY_COMES

It is being released as a patch to the 2.01 server release. The system works this way: Each WiKID domain can now include a 'registered URL' field and a hash of that website's SSL certificate. When a user wants to log onto a secure web site, they start the WiKID token and enter their PIN. The PIN is encrypted and sent to the WiKID server along with a one-time use AES key and the registered URL. The server responds with a hash of the website's SSL certificate. The token client fetches the SSL certificate of the website and compares it the hash. If the hashes don't match, the user gets a warning message along with the OTP. If they match, the user is presented with registered URL and the passcode. On supported systems, the token client will launch the default browser to the registered URL.

We are currently seeking testers for this early release. You do not need to set up a WiKID server to test. We have set up a WiKID server for you. Testers will need to download the latest J2SE WiKID token from sourceforge. Testing information can be found on the sourceforge forums

Most one-time-password systems suffer from man-in-the-middle attacks primarily due to difficulties users have with validating SSL certificates. The goal of this release is to validate certificates for the end user, providing an SSH-esque security for web-enabled applications such as online banking.
Currently unrated

Recent Posts

Archive

2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom