[josm-dev] shocking - unsecure password sending!

Karl Guggisberg karl.guggisberg at guggis.ch
Wed Oct 7 07:09:52 BST 2009 

> Probably right although I'm sure a way can be found to save the user from having to cut+paste the token.
I'm afraid, it can't. If JOSM was a web application, it would be part of the OAuth protocol that the OSM 
website "calls back" JOSM with the request token. For a java rich client this is isn't possible. 

But wait a minute, don't we a have a remote control plugin which is "called back" by the OSM web site? Yes, sort of. 
We would need
- the OSM page which generates the request token to include a link
  <a href="http://localhost:8888/oauth-request-token>Click to import the request token into JOSM</a>
- JOSM to listen on port 8888 for such requests (similar to the remote plugin)

This would be slightly less complicated from the users point of view but it's still not seamless. 
The user explicitly has to click on the link. 

-- Karl 

-----Ursprüngliche Nachricht-----
Von: Frederik Ramm [mailto:frederik at remote.org] 
Gesendet: Mittwoch, 7. Oktober 2009 01:51
An: karl.guggisberg at guggis.ch
Cc: josm-dev at openstreetmap.org
Betreff: Re: [josm-dev] shocking - unsecure password sending!

Hi,

Karl Guggisberg wrote:
> I think that people would be disappointed if one explained them how OAuth would work from JOSM.
> My understanding is, that it would work along the following steps: 

Probably right although I'm sure a way can be found to save the user from having to cut+paste the token.

> The request token can be saved in the JOSM-profile (agreed, that this 
> avoids having userid/password unencrypted in the profile) and it will 
> be used to get another access token the next time JOSM is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.

The difference is that since the token is valid forever, the unencrypted transfer of username and password will take place only once, and not with every request. (Requests would still contain the unencrypted token which would allow others to make edits in your name though.)

But as I said before, I don't currently consider OSM accounts to be a valuable asset. I have many of them and should one be compromised then I'll create another. Any account created anonymously from the web page has the same privileges as my account so why should a hacker bother to hijack my account when he can just sign up for one? Thus I think the whole security question is more a kind of knee-jerk security paranoia thing than a real concern. (And anyone who cares so little about security that he uses the same password for OSM that he uses elsewhere does not really deserve that we make an effort to protect his data, does
he?)

This would however change if OSM accounts had special privileges. If my account could to things that yours cannot then that might make a difference.

Bye
Frederik

--
Frederik Ramm  ##  eMail frederik at remote.org  ##  N49°00'09" E008°23'33"

More information about the josm-dev mailing list