[josm-dev] shocking - unsecure password sending!
lars.francke at gmail.com
Wed Oct 7 13:23:41 BST 2009
> It could result in an upload session takeover.
> It depends on the implementation if these tokens are valid for things other
> than map data upload.
If you are taking about OAuth tokens I can only reiterate that these
tokens alone are not helpful at all. One has to know the token secret,
too. And that has to be transmitted only once from the server to the
client. Every subsequent request is signed using this secret. So if
one is concerned about the CPU resources it would suffice to use SSL
for the authentication process if OAuth is used. No upload session can
be taken over without knowing the secret. In other words: You can
announce your token to the world if you wish and the process would
still be secure.
More information about the josm-dev