Yubico Forum

Author Message
PostPosted: Wed Feb 24, 2010 6:48 am 
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Checking the hash is optional. However, Yubico recommends that all production deployments use either an API key or HTTPS to secure the OTP validation communication.



PostPosted: Thu Feb 25, 2010 7:55 pm 

Joined: Tue Feb 16, 2010 10:08 pm
Posts: 12
bump


PostPosted: Fri Feb 26, 2010 9:13 pm 

Joined: Tue Feb 16, 2010 10:08 pm
Posts: 12
.


Last edited by crash893 on Tue Mar 02, 2010 3:48 pm, edited 1 time in total.

PostPosted: Tue Mar 02, 2010 3:47 pm 

Joined: Tue Feb 16, 2010 10:08 pm
Posts: 12
.


PostPosted: Tue Jun 22, 2010 12:17 am 

Joined: Sun May 02, 2010 10:11 pm
Posts: 8
HTTPS instead of HMAC verification is secure enough and easier.
But anyway, check this attachment for some HMAC verification code I wrote quickly if you want to implement it anyway.
Just make sure the API key is securely stored on your server! There is no way of telling if someone forged an 'OK' status if they acquired this key.


PostPosted: Fri Jan 20, 2012 7:54 pm 

Joined: Fri Jan 20, 2012 7:52 pm
Posts: 1
I'm confused: is the generated Client ID the AuthID?


PostPosted: Tue Mar 06, 2012 11:06 am 
You are basically right, but supporting signing the request even when SSL is used has the advantage of letting the server identify the client.

YubiCloud currently does not make use of this, but it could become important in the future to mitigate DoS attacks against the service.

Also, using HMAC signatures to validate the server's response could perhaps feel better than trusting your typical list of 100+ trusted SSL CAs. Not that you would necessarily be using such a list for validating the YubiCloud servers' SSL certificates, but...

/Fredrik


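The response-signature check discussed in this thread, as an added example that is not part of the original posts or of Yubico's own client code. It follows the YubiCloud validation protocol v2.0 as published (HMAC-SHA1 over the alphabetically sorted key=value pairs joined with '&', with the 'h' field excluded and both the API key and the signature base64-encoded); the API key, OTP, nonce and server reply below are constructed values, and the check also binds the reply to the request's own OTP and nonce so that a captured genuine 'OK' cannot simply be replayed.

```python
import base64
import hashlib
import hmac

# Constructed (not real) API key: YubiCloud issues the 20-byte key base64-encoded.
API_KEY_B64 = base64.b64encode(b"example-key-20-bytes").decode()
# Constructed OTP and nonce standing in for the values sent in our own request.
OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"
NONCE = "0123456789abcdef0123456789abcdef"

def sign_params(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v&k=v...' with keys sorted alphabetically and 'h' excluded;
    the same construction signs the request and the server's response."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def parse_response(text: str) -> dict:
    """The validation server answers with one key=value pair per line."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields

def verify_response(text: str, api_key_b64: str, otp: str, nonce: str) -> bool:
    """True only for a reply signed with our key AND bound to our otp and nonce."""
    r = parse_response(text)
    if "h" not in r:
        return False  # an unsigned reply is treated as untrusted, never as "OK"
    if not hmac.compare_digest(sign_params(r, api_key_b64).encode(), r["h"].encode()):
        return False  # forged or altered by someone who does not hold the API key
    # The signature proves who produced the reply; requiring our own otp and
    # nonce to be echoed back is what stops a genuine, captured 'OK' being reused.
    return r.get("otp") == otp and r.get("nonce") == nonce and r.get("status") == "OK"

def make_sample_response(status: str = "OK") -> str:
    """Constructed reply in the server's line format, signed with the same key."""
    fields = {"t": "2010-02-24T06:48:00Z0000", "otp": OTP, "nonce": NONCE,
              "sl": "100", "status": status}
    fields["h"] = sign_params(fields, API_KEY_B64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())

if __name__ == "__main__":
    print("genuine reply accepted:", verify_response(make_sample_response(), API_KEY_B64, OTP, NONCE))
    print("nonce mismatch rejected:", not verify_response(make_sample_response(), API_KEY_B64, OTP, "0" * 32))
```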