[OSM-dev] oAuth vs. SSL

Tom Hughes tom at compton.nu
Tue Feb 15 04:48:30 GMT 2011

On 15/02/11 14:15, Chris Browet wrote:

> I tend to think that oAuth is not a great solution for desktop client vs
> net server, and kind of reinventing the wheel vs. SSL.
> Key benefits of oAuth are, IMHO, the revoking ability, which is a bit
> pointless for a desktop app, and the fact that men-in-the-middle do not
> know your credential (also pointless for point-to-point api connection).

...and that the application doesn't have to know your password!

> Re security, it is certainly better than basic auth but still no match
> for script kiddie without HTTPS (see, e.g., firesheep
> http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/).
> The only real benefit is to prevent local storage of the password.

That and the possibility that the application author might sneakily send 
them all to somewhere on the internet for later exploitation.

> Is there a specific reason why HTTPS is not enabled for the API and/or
> osm.org <http://osm.org>?

SSL is CPU heavy to run on lots of small requests.


Tom Hughes (tom at compton.nu)
