[josm-dev] shocking - unsecure password sending!
lars.francke at gmail.com
Wed Oct 7 16:25:25 BST 2009
> - signing and checking a signature is essentally encrypting and
> decrypting (CPU?), but with less data
Indeed. But as far as I know HMAC-SHA1 is reasonably quick and
shouldn't be a performance hit. Even more so because it needs to be
done only once for each 'consumer' (JOSM in this case).
> - even OAuth relies on certificates for authentication of peers
> (once, in the request process), but it's optional
I've never heard anyone doing this with OAuth and as you say it's
optional. So it shouldn't be a problem :)
> - it's protecting data which doesn't need to be protected (map data)
I don't understand this one? Only certain requests require
authentication with the API. Requests modifying map data for example.
And in my opinion those should be protected.
> Also a last question remains, at least for me: If the Access Token is
> valid for a long time, and also the Token secret doesn't change and
> only the Token is signed and not the data, what prevents replay
> attacks with changed data?
> PS: Yes I admit, doing a selective HTTPS with unencrypted data and a
> new form of token is more like a non-standard OAuth
> than a true HTTPS. So it's probably better to fiddle with OAuth,
> especially if it's partly implemented already.
We won't need any 'fiddling' - it is already implemented _and_ usable.
We can only make it _more secure_ by using HTTPS for certain steps and
by switching to OAuth 1.0a. But I think that's what you meant :)
More information about the josm-dev