[OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?
deltafoxtrot256 at gmail.com
Sat Dec 26 03:05:04 GMT 2009
2009/12/26 Matt Amos <zerebubuth at gmail.com>:
> which means there's no argument here for using SSL on vodafone.
I have no idea what Voda is up to, because they would throw up all
sorts of warning messages from browsers, even on phones, and users
would complain endlessly. SSL is usually left alone if for no other
reason to prevent custom complaints, but no such browser
errors/warnings occur if html has been messed with.
> indeed. OSM doesn't need SSL for API traffic, it just needs a system
> for secure authentication. and it has one in OAuth.
So people can brute force OAuth credentials?
More information about the talk