[josm-dev] shocking - unsecure password sending!

Lars Francke lars.francke at gmail.com
Wed Oct 7 15:02:24 BST 2009


>> If HTTPS is ever offered we have two options (as we do now):
>
> A third option with a non-standard auth token being generated was discussed
> in this thread, and that's probably what Stefan was referring to.

I must have overlooked that. In that case I'm sorry Stefan, seems as
if _I_ was the one misunderstanding you after all.
But I'd vehemently object to another (custom/non-standard) token
mechanism being implemented for OSM. OAuth is 'battle proven' and it
is very hard to do these things right.

>> And yes OAuth is implemented for OSM[5]. [...]
>> But until HTTPS is offered it doesn't really make sense to
>> switch/implement it.
>
> Assuming that all environments are equally unsafe and that the attacker
> watches your every step, yes. But if you, like the original poster, are
> concerned about your password being sniffed while using a public network,
> then OAuth would protect you from that because you do the unencrypted
> password authorisation only once, e.g. from home.

That is of course correct and I hadn't thought of that before. Thanks,
good idea! In that case I hope someone feels like implementing OAuth
for JOSM right now :)

Lars
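The point made above, that with OAuth the password is sent only once and every later API call carries a token plus a per-request signature, can be shown concretely. The following is an added example written for this thread; it is not JOSM or OSM code and it does not use an OAuth library. It implements OAuth 1.0a HMAC-SHA1 signing (RFC 5849) for the client side and the matching verification for the server side, then shows what a sniffer on a public network actually captures: an Authorization header containing neither the password nor the token/consumer secrets, which cannot be replayed (nonce) or reused for a different request (the method and URL are part of the signed string). The one-time authorisation step that yields the access token is assumed to have happened already; the consumer key/secret, token/secret, password and nonce values are constructed for the example, the OSM API 0.6 paths are used only as illustrative targets, and the nonce store is a process-local set.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing and verification.

Added example for the josm-dev thread; not JOSM or OSM code.  All credential
values below are constructed for the example.  The one-time password step that
obtains the access token is outside this block: after it, only the token and an
HMAC over the request travel on the wire.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed credentials held by the client after the one-time authorisation.
CONSUMER_KEY, CONSUMER_SECRET = "josm-example-key", "j49sk3j29djd"
ACCESS_TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
USER_PASSWORD = "hunter2"  # constructed; only here to show it never reaches the wire


def pct(s):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(s).encode("utf-8"), safe="")


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 3.4.1: METHOD & base URL & normalised parameters (each percent-encoded)."""
    u = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = "" if u.port in (None, default_port) else f":{u.port}"
    base_url = f"{u.scheme.lower()}://{u.hostname}{port}{u.path}"
    # Query parameters, form-encoded body parameters and all oauth_* parameters
    # except the signature itself are encoded, then sorted by name, then value.
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalised = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def hmac_sha1_signature(base, consumer_secret, token_secret):
    """RFC 5849 3.4.2: key is enc(consumer secret) & enc(token secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


# ---- client side: what the editor sends with every API call ----------------
def sign_request(method, url, body_params=(), nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": ACCESS_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, oauth, body_params), CONSUMER_SECRET, TOKEN_SECRET)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


# ---- server side: what the API would check -----------------------------------
SEEN_NONCES = set()  # a real server scopes this per consumer key and expires old entries


def parse_authorization(header):
    params = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        if k != "realm":  # realm is transported but never signed
            params[k] = unquote(v.strip('"'))
    return params


def verify_request(method, url, header, body_params=(), now=None, window=300):
    """Return (ok, reason).  The nonce is only recorded after the signature checks out."""
    p = parse_authorization(header)
    if p.get("oauth_consumer_key") != CONSUMER_KEY or p.get("oauth_token") != ACCESS_TOKEN:
        return False, "unknown consumer or token"
    if abs((now or int(time.time())) - int(p.get("oauth_timestamp", 0))) > window:
        return False, "timestamp outside window"
    nonce_key = (p["oauth_consumer_key"], p.get("oauth_nonce", ""))
    if nonce_key in SEEN_NONCES:
        return False, "replayed nonce"
    expected = hmac_sha1_signature(
        signature_base_string(method, url, p, body_params), CONSUMER_SECRET, TOKEN_SECRET)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False, "bad signature"
    SEEN_NONCES.add(nonce_key)
    return True, "ok"


def demo(now=137131201):
    """Sign two calls, then play the sniffer: replay one and re-purpose the other."""
    url = "http://api.openstreetmap.org/api/0.6/user/details"  # illustrative target
    header = sign_request("GET", url, nonce="7d8f3e4a", timestamp=now)
    other_url = "http://api.openstreetmap.org/api/0.6/changeset/create"
    other = sign_request("PUT", other_url, nonce="0badf00d", timestamp=now)
    return header, {
        "secret_on_wire": any(s in header for s in (USER_PASSWORD, CONSUMER_SECRET, TOKEN_SECRET)),
        "genuine": verify_request("GET", url, header, now=now),
        "replay": verify_request("GET", url, header, now=now),
        "reused_for_other_request": verify_request("DELETE", other_url, other, now=now),
    }


if __name__ == "__main__":
    captured, results = demo()
    print("sniffer sees:", captured)
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
```

The captured header carries the consumer key, token, timestamp, nonce and signature only; the secrets stay on the two endpoints. Without HTTPS an attacker can still read the request and response bodies, so OAuth over plain HTTP protects the credential, not the data, which is exactly the trade-off described above.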




More information about the josm-dev mailing list