[OSM-dev] oAuth vs. SSL
Chris Browet
cbro at semperpax.com
Tue Feb 15 01:15:49 GMT 2011
Hi,
I tend to think that oAuth is not a great solution for desktop client vs net
server, and kind of reinventing the wheel vs. SSL.
Key benefits of oAuth are, IMHO, the revoking ability, which is a bit
pointless for a desktop app, and the fact that men-in-the-middle do not know
your credentials (also pointless for a point-to-point API connection).
Re security, it is certainly better than basic auth but still no match for
a script kiddie without HTTPS (see, e.g., firesheep:
http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/).
The only real benefit is to prevent local storage of the password.
Is there a specific reason why HTTPS is not enabled for the API and/or
osm.org?
- Chris -