[OSM-dev] oAuth vs. SSL

Chris Browet cbro at semperpax.com
Tue Feb 15 01:15:49 GMT 2011


Hi,

I tend to think that oAuth is not a great solution for desktop client vs net
server, and kind of reinventing the wheel vs. SSL.
Key benefits of oAuth are, IMHO, the revoking ability, which is a bit
pointless for a desktop app, and the fact that men-in-the-middle do not know
your credentials (also pointless for a point-to-point api connection).
Re security, it is certainly better than basic auth but still no match for
script kiddies without HTTPS (see, e.g., firesheep +
http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/).
The only real benefit is to prevent local storage of the password.

Is there a specific reason why HTTPS is not enabled for the API and/or
osm.org?

- Chris -