[OSM-dev] API suggestion - "authorise"?
Thomas Walraet
thomas at walraet.com
Sat Nov 17 14:45:08 GMT 2007
Nick Whitelegg wrote:
>
> One guy emailed me privately recommending I shouldn't do this sort of thing
> (i.e. take login details on my site then forward them to OSM) for security
> reasons though I have to admit that despite not being a security expert I'm
> not convinced - I don't really see a major problem with it, no more than
> using non-HTTPS communication in general (and OSM doesn't currently use
> HTTPS).
The problem with this sort of thing is that you can log the user login
and plain password. Ok, you don't do it, but you can. And someone who
break into your server can.
We can argue that osm password is not a vital information. All we can
fear if passwords are stolen is vandalism, which could be done without
stealing passwords...
But users use the same password everywhere, so OSM password is something
important. And they should not be accustomed of giving their password as
a normal thing... Some "social network" website ask your gmail account
password for "automatic invitation". It's a bad thing.
Maybe the guy who emailed you is Mordac. See yesterday and today's
Dilbert strips :
http://www.dilbert.com/comics/dilbert/archive/dilbert-20071116.html
http://www.dilbert.com/comics/dilbert/archive/dilbert-20071117.html
My opinion is that this sort of thing shouldn't be done. But in your
case the warning you put on the login page is ok, and much more simple
than a login system with tickets as CAS. (or OpenId ?)
More information about the dev
mailing list