[josm-dev] shocking - unsecure password sending!

Ľubomír Varga luvar at plaintext.sk
Tue Oct 6 18:31:01 BST 2009


I think that secure mechanisms are here today and are a little bit standard 
(SSL, HTTPS). Why don't we use them? If osm.org doesn't want to play with 
certificates, or to have some CPU power burned for SSL, I think that this 
problem isn't JOSM's problem.

IMHO osm.org should introduce some HTTPS page where the JOSM software could get 
a pass token for some time period. This exchange of username+password for a token 
will be encrypted (one HTTPS page). Other requests will be HTTP (no CPU burned 
for SSL) and will use the token. This is the second way to get secured. The first 
is to introduce HTTPS over all requests, and IMHO it should be implemented.

This thread is from my point of view just a waste of time, and some OAuth, etc., 
would also be a waste of time.

This is my opinion. I am a little bit paranoid in the IT world, but I don't have any 
want (in the meaning of "have to be") for a secured OSM.

Does anyone know what opinion the OSM core group has?


On Tuesday 06 October 2009 19:11:04 Karl Guggisberg wrote:
> I think that people would be disappointed if one explained to them how OAuth
> would work from JOSM. My understanding is that it would work along the
> following steps:
>
> 1. User starts JOSM and clicks on "Sign In"
>
> 2. JOSM displays an internal, modal window saying
>    "We now launch a Web Browser. Please follow the instructions you are
> given there. At the end a so called request token will be generated for
> you. Please copy/paste it in the text field below and click 'Authorize' "
>    (did I mention that the window includes a text field and a button
> "Authorize"?)
>
> 3. An external (or internal) Web Browser is launched. It shows the normal
> www.openstreetmap.org login screen. The user has to log in with his user
> id/password. Since OSM still doesn't support HTTPS, neither for the login
> page nor for any other page, and since it only supports the Basic Auth
> scheme, not digest authentication, the user id and the password are
> transferred in cleartext over the net, in exactly the same way JOSM
> transfers it today.
>
> 4. The user follows the steps required by OAuth, gets a request token,
> copies it, and pastes it into the field in JOSM. Then he clicks 'Authorize'.
>
> 5. JOSM requests an access token from OSM and uses it in subsequent calls.
>
> The request token can be saved in the JOSM-profile (agreed, that this
> avoids having userid/password unencrypted in the profile) and it will be
> used to get another access token the next time JOSM is started, but using
> OAuth doesn't protect us from sending uid/password in cleartext over the
> net.
>
> Not much of an improvement, IMHO. Or do I miss something?
>
> Regards
> Karl
>
>
> -----Original Message-----
> From: josm-dev-bounces at openstreetmap.org
> [mailto:josm-dev-bounces at openstreetmap.org] On behalf of Valent Turkovic
> Sent: Tuesday, 6 October 2009 09:56
> To: josm-dev at openstreetmap.org
> Subject: Re: [josm-dev] shocking - unsecure password sending!
>
> On Sat, 26 Sep 2009 13:49:00 +0000, Ævar Arnfjörð Bjarmason wrote:
> > On OSM.org you can give out tokens that allow the holder to *only*
> > edit the map data. As opposed to also getting access to your private
> > GPX tracks, making diary entries / comments etc.
> >
> > So transferring plaintext OAuth tokens would be more secure as in the
> > event of a breach the access the attacker would gain to OSM.org in
> > your name would at least be compartmentalized.
> >
> > Not to mention that the OAuth token would *only* work on OSM.org
> > whereas users are likely to supply the same email/password pair for
> > multiple websites that they're using.
>
> This definitely sounds like a step forward in the right direction. This
> seems like a nice feature to secure users' accounts, and you are right, this
> would be much better than nothing.
>
>
> --
> follow me on twitter - www.twitter.com/valentt
> http://kernelreloaded.blog385.com/ linux, blog, anime, spirituality,
> windsurf, wireless registered as user #367004 with the Linux Counter,
> http://counter.li.org. ICQ: 2125241, Skype: valent.turkovic
>
>
> _______________________________________________
> josm-dev mailing list
> josm-dev at openstreetmap.org
> http://lists.openstreetmap.org/listinfo/josm-dev

-- 
An expert in everything is a bad expert. I try to be the exception that proves 
the rule.
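The scheme proposed above (username+password swapped once, on an HTTPS page, for a time-limited token that later plain-HTTP requests carry), combined with the edit-only compartmentalization Ævar describes for OSM tokens, as an added Python sketch; this is not JOSM or OSM code, and the user table, server key, token format and scope names are constructed for the example.

```python
import base64, hmac, hashlib, json, time

# Constructed server-side signing key; a real server would generate and protect it.
SERVER_KEY = b"constructed-server-secret-key"
# Constructed user table holding password hashes (never plaintext passwords).
USERS = {"mapper": hashlib.sha256(b"correct horse").hexdigest()}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(username, password, scopes, ttl_seconds, now=None):
    """The single HTTPS endpoint: credentials go in, a scoped, time-limited
    token comes out. Returns None when the credentials are wrong."""
    now = time.time() if now is None else now
    if USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    body = json.dumps({"sub": username, "scopes": sorted(scopes),
                       "exp": int(now + ttl_seconds)}, sort_keys=True).encode()
    # Token = base64(claims) "." HMAC(claims); the password never appears in it.
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_token(token, required_scope, now=None):
    """Every later (plain HTTP) request carries only the token. Returns the
    username if the token is authentic, unexpired and allows the scope."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None                      # malformed token
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None                      # forged or tampered claims
    claims = json.loads(body)
    if claims["exp"] <= now or required_scope not in claims["scopes"]:
        return None                      # expired, or scope not granted
    return claims["sub"]

if __name__ == "__main__":
    t0 = 1_254_850_000                   # constructed "now" (Oct 2009)
    tok = issue_token("mapper", "correct horse", ["edit"], 3600, now=t0)
    assert verify_token(tok, "edit", now=t0 + 60) == "mapper"
    # A token captured on the wire is compartmentalized and short-lived:
    assert verify_token(tok, "gpx", now=t0 + 60) is None       # edit-only scope
    assert verify_token(tok, "edit", now=t0 + 3601) is None    # expired
    assert "correct horse" not in tok                          # no password inside
    print("token scheme checks passed")
```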
