[josm-dev] shocking - unsecure password sending!
stefan at binaervarianz.de
Wed Oct 7 14:06:10 BST 2009
On Wed, 7 Oct 2009 14:23:41 +0200, Lars Francke <lars.francke at gmail.com>
wrote:
>> It could result in an upload session takeover.
>> It depends on the implementation if these tokens are valid for things
>> other than map data upload.
>
> If you are talking about OAuth tokens I can only reiterate that these
> tokens alone are not helpful at all. One has to know the token secret,
> too. And that has to be transmitted only once from the server to the
> client. Every subsequent request is signed using this secret. So if
> one is concerned about the CPU resources it would suffice to use SSL
> for the authentication process if OAuth is used. No upload session can
> be taken over without knowing the secret. In other words: You can
> announce your token to the world if you wish and the process would
> still be secure.
>
No, I meant the tokens which would be used if authentication is done with
https and data transmission without. Somehow these two parts have to be
connected, a token transferred with the authentication would be one solution.
This token could be intercepted and used to send unauthenticated map data,
but only as long as the session lasts.
Stefan
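The signing scheme the quoted reply describes, as an added example that is not part of this thread or of JOSM's code: OAuth 1.0 HMAC-SHA1 request signing per RFC 5849, with constructed secrets, an assumed endpoint URL and made-up parameter values. It shows why a captured oauth_token alone (even together with the consumer secret, which a shipped open-source client cannot keep private) does not let an eavesdropper produce or alter an upload.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo secrets; only the server and the legitimate client hold them.
CONSUMER_SECRETS = {"josm-demo-key": "consumer-secret-demo"}
TOKEN_SECRETS = {"token-abc123": "token-secret-demo"}
URL = "https://api.example.invalid/api/0.6/changeset/create"  # assumed endpoint

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & base URL & normalized (sorted) parameters
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret", base64-encoded
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(params, consumer_secret, token_secret, method="PUT", url=URL):
    # The client attaches a signature; the secrets themselves never go on the wire
    signed = dict(params)
    signed["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return signed

def server_verify(params, method="PUT", url=URL):
    # The server recomputes the signature from its stored secrets and compares it in
    # constant time. (RFC 5849 nonce/timestamp replay checks are omitted here.)
    supplied = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    try:
        cs = CONSUMER_SECRETS[unsigned["oauth_consumer_key"]]
        ts = TOKEN_SECRETS[unsigned["oauth_token"]]
    except KeyError:
        return False
    return hmac.compare_digest(sign(method, url, unsigned, cs, ts), supplied)

# Constructed request parameters as an eavesdropper would see them on plain HTTP
BASE = {"oauth_consumer_key": "josm-demo-key", "oauth_token": "token-abc123",
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1254920400",
        "oauth_nonce": "n1", "oauth_version": "1.0", "comment": "fix road names"}

def legitimate_upload():
    return server_verify(client_sign(BASE, "consumer-secret-demo", "token-secret-demo"))

def eavesdropper_forges_with_token_only():
    # Knows oauth_token and the consumer secret, but not the token secret
    return server_verify(client_sign(BASE, "consumer-secret-demo", ""))

def eavesdropper_tampers_captured_request():
    # Replays a captured valid request with the comment changed: signature no longer matches
    captured = client_sign(BASE, "consumer-secret-demo", "token-secret-demo")
    captured["comment"] = "changed comment"
    return server_verify(captured)
```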