[josm-dev] shocking - unsecure password sending!

Karl Guggisberg karl.guggisberg at guggis.ch
Tue Oct 6 18:11:04 BST 2009


I think that people would be disappointed if one explained to them how OAuth would work from JOSM.
My understanding is that it would work along the following steps: 

1. User starts JOSM and clicks on "Sign In" 

2. JOSM displays an internal, modal window saying
   "We now launch a Web Browser. Please follow the instructions you are given there. At the end
    a so-called request token will be generated for you. Please copy/paste it in the text field
    below and click 'Authorize' "
   (did I mention that the window includes a text field and a button "Authorize"?)

3. An external (or internal) Web Browser is launched. It shows the normal www.openstreetmap.org
   login screen. The user has to log in with his user id/password. Since OSM still doesn't support HTTPS,
   neither for the login page nor for any other page, and since it only supports the Basic Auth scheme,
   not digest authentication, the user id and the password are transferred in cleartext over the net,
   in exactly the same way JOSM transfers it today. 

4. The user follows the steps required by OAuth, gets a request token, copies it, and pastes it into
   the field in JOSM. Then he clicks 'Authorize'.

5. JOSM requests an access token from OSM and uses it in subsequent calls. 

The request token can be saved in the JOSM-profile (agreed, that this avoids having userid/password 
unencrypted in the profile) and it will be used to get another access token the next time JOSM
is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.

Not much of an improvement, IMHO. Or do I miss something?

Regards
Karl 

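The five steps above, as an added toy model (editor's example, not JOSM's or openstreetmap.org's code). It implements the OAuth 1.0a three-legged flow with real HMAC-SHA1 signing, but the server (`OsmServer`), the consumer key pair, the account `karl`/`hunter2`, the host `osm.example`, the scope names and the fixed timestamp are all constructed for the example; replay protection (nonce/timestamp checks) and transport security are deliberately left out, because the point is to see which message carries the password. The `wire` list records every request the server receives, so you can check Karl's claim: the password does cross the wire once, at the browser login, but it never appears in anything JOSM sends, and a leaked access token is confined to the scopes it was issued with (Ævar's compartmentalization point).

```python
"""Toy OAuth 1.0a three-legged flow: request token -> browser login -> verifier -> access token."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

HOST = "http://osm.example"  # constructed stand-in for www.openstreetmap.org


def percent_encode(s):
    return urllib.parse.quote(s, safe="-._~")  # RFC 3986 unreserved set, as OAuth 1.0a requires


def oauth_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the OAuth 1.0a signature base string (params must exclude oauth_signature)."""
    norm = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    base = "&".join(percent_encode(p) for p in (method.upper(), url, norm))
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


class OsmServer:
    """Hypothetical service provider. Holds the only copy of the user's password."""

    def __init__(self):
        self.users = {"karl": "hunter2"}              # constructed sample account
        self.consumers = {"josm-key": "josm-secret"}  # constructed consumer registration
        self.request_tokens, self.access_tokens, self.wire = {}, {}, []

    def _check_sig(self, method, path, params, token_secret=""):
        sig = params.pop("oauth_signature")
        expected = oauth_signature(method, HOST + path, params, self.consumers[params["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")

    def request_token(self, params):              # step 1/2: JOSM asks for a temporary credential
        self.wire.append(("POST /oauth/request_token", dict(params)))
        self._check_sig("POST", "/oauth/request_token", params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "user": None}
        return tok, sec

    def browser_login_and_authorize(self, token, username, password, scopes):  # step 3/4
        # The browser, not JOSM, sends the password; in 2009 this was plain HTTP.
        self.wire.append(("POST /login (browser)", {"username": username, "password": password}))
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        verifier = secrets.token_hex(4)           # what the user copies into JOSM
        self.request_tokens[token].update(user=username, scopes=frozenset(scopes), verifier=verifier)
        return verifier

    def access_token(self, params):               # step 5: verifier + request token -> access token
        self.wire.append(("POST /oauth/access_token", dict(params)))
        rt = self.request_tokens.pop(params["oauth_token"])
        self._check_sig("POST", "/oauth/access_token", params, rt["secret"])
        if not hmac.compare_digest(params["oauth_verifier"], rt["verifier"]):
            raise PermissionError("bad verifier")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"], "scopes": rt["scopes"]}
        return tok, sec

    def api(self, method, path, params, needs):  # a later API call, authorised by the token alone
        self.wire.append((f"{method} {path}", dict(params)))
        at = self.access_tokens[params["oauth_token"]]
        self._check_sig(method, path, params, at["secret"])
        if needs not in at["scopes"]:
            raise PermissionError(f"token lacks scope {needs}")
        return f"ok: {at['user']} may {needs}"


class JosmClient:
    """Hypothetical consumer. Never learns the password; stores only token + token secret."""
    KEY, SECRET = "josm-key", "josm-secret"

    def __init__(self, server):
        self.server, self.token, self.token_secret = server, None, None

    def _signed(self, method, path, extra, token=None, token_secret=""):
        p = {"oauth_consumer_key": self.KEY, "oauth_nonce": secrets.token_hex(8),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1254848000",  # constructed
             "oauth_version": "1.0", **extra}
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = oauth_signature(method, HOST + path, p, self.SECRET, token_secret)
        return p

    def start(self):
        self.rt, self.rts = self.server.request_token(self._signed("POST", "/oauth/request_token", {"oauth_callback": "oob"}))
        return self.rt

    def finish(self, verifier):
        self.token, self.token_secret = self.server.access_token(
            self._signed("POST", "/oauth/access_token", {"oauth_verifier": verifier}, self.rt, self.rts))

    def call(self, method, path, needs):
        return self.server.api(method, path, self._signed(method, path, {}, self.token, self.token_secret), needs)


def run_flow(scopes=("write_api",)):
    srv, josm = OsmServer(), JosmClient(OsmServer.__new__(OsmServer)) if False else (OsmServer(), None)
    josm = JosmClient(srv)
    verifier = srv.browser_login_and_authorize(josm.start(), "karl", "hunter2", scopes)
    josm.finish(verifier)
    return srv, josm


def password_sightings(srv):
    """Names of wire messages that carried the cleartext password."""
    return [name for name, params in srv.wire if "hunter2" in params.values()]
```

Run `srv, josm = run_flow()` and inspect `srv.wire`: the only message containing `hunter2` is the browser login, which is exactly Karl's point (OAuth moves the cleartext login out of JOSM, it does not remove it from the network). `josm.call("GET", "/api/0.6/user/gpx_files", "read_gpx")` fails with `PermissionError` because the token was issued for `write_api` only, while a Basic Auth password would have opened everything.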

-----Original Message-----
From: josm-dev-bounces at openstreetmap.org [mailto:josm-dev-bounces at openstreetmap.org] On behalf of Valent Turkovic
Sent: Tuesday, 6 October 2009 09:56
To: josm-dev at openstreetmap.org
Subject: Re: [josm-dev] shocking - unsecure password sending!

On Sat, 26 Sep 2009 13:49:00 +0000, Ævar Arnfjörð Bjarmason wrote:

> On OSM.org you can give out tokens that allow the holder to *only* 
> edit the map data. As opposed to also getting access to your private 
> GPX tracks, making diary entries / comments etc.
> 
> So transfering plaintext OAuth tokens would be more secure as in the 
> event of a breach the access the attacker would gain to OSM.org in 
> your name would at least be compartmentalized.
> 
> Not to mention that the OAuth token would *only* work on OSM.org 
> whereas users are likely to supply the same email/password pair for 
> multiple websites that they're using.

This definitely sounds like a step forward in the right direction. This seems like a nice feature to secure users' accounts, and you are right, this would be much better than nothing.


--
follow me on twitter - www.twitter.com/valentt http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
josm-dev at openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev