[josm-dev] shocking - unsecure password sending!
stefan at binaervarianz.de
Wed Oct 7 10:22:28 BST 2009
On Wed, 7 Oct 2009 10:56:32 +0200, Pieren <pieren3 at gmail.com> wrote:
> On Wed, Oct 7, 2009 at 10:46 AM, Frederik Ramm
>> Even now someone could create an OSM account with the name
>> "Frederik_Ramm" and use this to vandalise.
>
> I agree with Frederik. The only risk of the plain password over the
> network is that you took the same user name and password as for your
> other applications which is something -I hope- nobody does.
> Securing your login will not secure your contributions.
>
Take it the other way: if the password can be sent unencrypted, why do we
need one at all?
Why not give away the map data (that's all we need for JOSM) without
authentication?
Probably to keep track of changes and vandalism and to block or ban users
after such.
So I don't want to be blocked. I don't want to generate new accounts and
lose my statistics and history just because someone messed around
in my name.
That's why I think OAuth is not the answer. It's for giving access to a
subset of data (only map, but not messages), which is quite irrelevant
here.
I don't mind JOSM reading my messages; I mind others changing the map in
my name.
Regards,
Stefan