[josm-dev] shocking - unsecure password sending!
Frederik Ramm
frederik at remote.org
Wed Oct 7 14:48:32 BST 2009
Hi,
Lars Francke wrote:
> If HTTPS is ever offered we have two options (as we do now):
A third option with a non-standard auth token being generated was
discussed in this thread, and that's probably what Stefan was referring to.
> And yes OAuth is implemented for OSM[5].
> [...]
> But until HTTPS is offered it doesn't really make sense to
> switch/implement it.
Assuming that all environments are equally unsafe and that the attacker
watches your every step, yes. But if you, like the original poster, are
concerned about your password being sniffed while using a public
network, then OAuth would protect you from that because you do the
unencrypted password authorisation only once, e.g. from home.
Bye
Frederik
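
The point made in the reply above, as an added example that is not part of the original message or of JOSM: over plain HTTP a Basic header hands a passive observer the password on every request, while an OAuth-signed header carries only identifiers, a nonce, a timestamp and a signature. It assumes OAuth 1.0 with HMAC-SHA1 as specified in RFC 5849 (the thread does not name the variant); all credentials and the URL are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample values (assumptions, not real OSM credentials or endpoints).
USER, PASSWORD = "mapper", "hunter2-constructed"
CONSUMER_KEY, CONSUMER_SECRET = "editor-key", "editor-secret-constructed"
TOKEN, TOKEN_SECRET = "access-token-id", "token-secret-constructed"
URL = "http://api.example.org/changeset/create"

def basic_header(user, password):
    """HTTP Basic: the password itself travels, base64-encoded, on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def sniff_basic(header):
    """What a passive observer of plaintext HTTP recovers from a Basic header."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def _enc(value):
    return quote(str(value), safe="-._~")  # RFC 5849 percent-encoding

def oauth1_header(method, url, nonce, timestamp):
    """OAuth 1.0 HMAC-SHA1: the secrets key the signature but are never sent."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": TOKEN,
        "oauth_version": "1.0",
    }
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    # The signature covers method and URL, so it is bound to this one request.
    base_string = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(CONSUMER_SECRET)}&{_enc(TOKEN_SECRET)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(params.items()))

if __name__ == "__main__":
    print("Basic on the wire :", basic_header(USER, PASSWORD))
    print("Observer recovers :", sniff_basic(basic_header(USER, PASSWORD)))
    print("OAuth on the wire :", oauth1_header("PUT", URL, "n1", 1254923312))
```

The request itself and the token identifier still travel in the clear without HTTPS; what stays off the network is the password and the token secret.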