[josm-dev] shocking - unsecure password sending!
stefan at binaervarianz.de
Wed Oct 7 13:07:26 BST 2009
On Wed, 07 Oct 2009 12:05:45 +0200, Ulf Lamping
<ulf.lamping at googlemail.com>
wrote:
> Jonathan Bennett schrieb:
>> stefan at binaervarianz.de wrote:
>>> Could someone kindly recap why good old HTTPS is not an option?
>>
>> A certificate costs $400 per year, that's why.
HTTPS can be done with certificates free of charge, as well as self-signed
certificates, as well as without certificates at all.
The original question asked for encryption, not authentication.
> HTTPS for a number of connections more than a few costs significant CPU
> time that probably is better spent elsewhere.
>
Ok, that is a reason.
But OAuth also needs to sign tokens and check signatures, which is
essentially an encryption operation.
Is there really that much difference, especially if only the
username/password is transferred via https?
On Wed, 07 Oct 2009 11:53:11 +0200, Frederik Ramm <frederik at remote.org>
wrote:
> Why would someone mess around in your name? What is your name anyway, I
> mean, there are 160.000 user names and nobody knows which one of them is
> yours.
Nobody knows 'me', as I haven't published any personal information.
My 'name' refers to the username used to make diary entries, make changes in
the map data and upload tracks.
A username/password authentication for most people just implies a kind of
security which is not guaranteed by the implementation.
I'm easily able to make edits, delete tracks and write diary entries in the
name of other people as long as I'm able to catch a JOSM authentication
packet.
I don't think all users are aware of or even assume that.
Regards,
Stefan
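The point Stefan makes above (that a username/password prompt suggests a protection the transport does not actually give) is easy to make concrete. The following is an added illustration, not code from this thread or from JOSM: it builds an HTTP Basic Authorization header, shows that the header is only base64 encoding (so whoever sees the request on the wire recovers the password unchanged), and shows the kind of client-side guard an editor can apply, refusing to attach credentials to a URL unless it uses https. The credentials and the host name are constructed sample values.

```python
import base64
from urllib.parse import urlparse

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_USER = "example_user"
SAMPLE_PASSWORD = "example_pass"


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic 'Authorization' header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> tuple[str, str]:
    """Show that Basic auth is an encoding, not encryption: the exact
    username and password are recovered from the header with no key."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def auth_headers_for(url: str, user: str, password: str,
                     allow_plaintext: bool = False) -> dict:
    """Return request headers carrying credentials, but refuse to attach them
    to a plain-http URL unless the caller explicitly opts in.  A client that
    sends Basic auth over http exposes the password to any on-path observer,
    which is the risk discussed in the thread."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https" and not allow_plaintext:
        raise ValueError(f"refusing to send credentials over {scheme!r}; use https")
    return {"Authorization": basic_auth_header(user, password)}


if __name__ == "__main__":
    hdr = basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("header on the wire:", hdr)
    print("recovered by an observer:", credentials_from_header(hdr))
    # Hypothetical API host; the guard, not the host, is the point.
    print(auth_headers_for("https://api.example.invalid/0.6/user/details",
                           SAMPLE_USER, SAMPLE_PASSWORD))
    try:
        auth_headers_for("http://api.example.invalid/0.6/user/details",
                         SAMPLE_USER, SAMPLE_PASSWORD)
    except ValueError as exc:
        print("blocked:", exc)
```

The guard is deliberately an allow-list on the scheme rather than a warning: a self-signed or free certificate on the server is enough to give the channel confidentiality, which is what the request for encryption (rather than server authentication) in the message asks for.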