[josm-dev] shocking - unsecure password sending!

Matt Amos zerebubuth at gmail.com
Wed Oct 7 15:57:13 BST 2009


On Wed, Oct 7, 2009 at 2:34 PM, Lars Francke <lars.francke at gmail.com> wrote:
> This is quite technical but it works. I assumed a few things:
> - OSM switches to OAuth 1.0a, Matt Amos is aware of this and I believe
> it will be done eventually. He's done great work so far. I just don't
> know enough about Ruby on Rails

yes. it's on my TODO list. hopefully will come soon, but don't let it
hold anything up - oauth 1.0 isn't as good as 1.0a, but it's still
better than HTTP Basic Auth ;-)

> - The Consumer Key and Consumer Secret provide no additional security
> here as they'd have to be stored in JOSM's source code

there's an alternative here - the josm server could provide this
functionality, performing the OAuth setup and returning just the
access token + secret to the app. this isn't any more secure, but
means that the consumer key and secret do not need to be divulged.

> And yes OAuth is implemented for OSM[5]. I don't know the specifics
> for Java but the whole OAuth process is generally very easy to
> implement for a client. A desktop client like JOSM would require some
> extra steps (redirect to external browser, ...) but it shouldn't be too
> hard. But until HTTPS is offered it doesn't really make sense to
> switch/implement it.

i tried, but the only ready-made OAuth library for java i could find
used a different network stack than the one already used in josm. at
this point i got scared and ran away ;-)

SSL/TLS for the main site has been talked about before and there
should be an admins' meeting coming up soon, so i'll see what gets said
there. i think it's unlikely to cover the whole API, but maybe the
login page + OAuth API is enough.

cheers,

matt
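The exchange Lars and Matt are discussing, written out as an added example that is not JOSM's code nor the OSM Rails implementation: an OAuth 1.0a three-legged flow with both sides in one process, HMAC-SHA1 signing per RFC 5849, the provider's replay and signature checks, and the oauth_verifier step that distinguishes 1.0a from 1.0. The consumer key/secret, the example.invalid URLs, the user names and the "oob" callback are all constructed placeholders; the token formats and checks are this example's own choices, not the OSM server's.

```python
"""OAuth 1.0a three-legged flow, both sides in one process. Added example; every name is constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

CONSUMER_KEY = "josm-example-key"        # constructed; a shipped desktop app cannot keep these secret
CONSUMER_SECRET = "josm-example-secret"
API = "https://example.invalid/oauth"    # placeholder provider base URL

def pct(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(str(value), safe="-._~")

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """base64(HMAC-SHA1(consumer_secret&token_secret, METHOD&url&sorted-encoded-params))."""
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(key, secret, method, url, extra, token_secret=""):
    """Client side: the protocol parameters plus `extra`, with oauth_signature appended."""
    p = {"oauth_consumer_key": key, "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time()))}
    p.update(extra)
    p["oauth_signature"] = hmac_sha1(method, url, p, secret, token_secret)
    return p

class Provider:
    """Server side: issues request tokens, records user approval, swaps them for access tokens."""
    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens = {}   # token -> {secret, consumer, user, verifier}
        self.access_tokens = {}    # token -> {secret, consumer, user}
        self.seen = set()          # (consumer, timestamp, nonce) already accepted

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if sig is None or secret is None:
            raise PermissionError("unsigned request or unknown consumer")
        if abs(time.time() - int(p.get("oauth_timestamp", 0))) > 300:
            raise PermissionError("stale timestamp")
        nonce = (p["oauth_consumer_key"], p["oauth_timestamp"], p.get("oauth_nonce"))
        if nonce in self.seen:
            raise PermissionError("replayed nonce")
        if not hmac.compare_digest(hmac_sha1(method, url, p, secret, token_secret), sig):
            raise PermissionError("bad signature")
        self.seen.add(nonce)
        return p

    def request_token(self, method, url, params):
        p = self._verify(method, url, params)
        if "oauth_callback" not in p:        # 1.0a moved the callback into the signed request
            raise PermissionError("oauth_callback required")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"],
                                    "user": None, "verifier": None}
        return tok, sec

    def authorize(self, token, user):
        """Browser step: the user approves; the verifier is handed to the user, not to the client."""
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(6)
        return rt["verifier"]

    def access_token(self, method, url, params):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None:
            raise PermissionError("unknown request token")
        p = self._verify(method, url, params, rt["secret"])
        if rt["user"] is None or p.get("oauth_verifier") != rt["verifier"]:
            raise PermissionError("missing or wrong oauth_verifier")   # the 1.0a fix for 1.0's session fixation
        del self.request_tokens[p["oauth_token"]]
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec

def run_flow(provider, user="alice"):
    """Full exchange; returns the access token pair the client stores instead of a password."""
    url = API + "/request_token"
    rt, rts = provider.request_token("POST", url, sign_request(
        CONSUMER_KEY, CONSUMER_SECRET, "POST", url, {"oauth_callback": "oob"}))
    verifier = provider.authorize(rt, user)   # in practice the user does this in a browser over TLS
    url = API + "/access_token"
    return provider.access_token("POST", url, sign_request(
        CONSUMER_KEY, CONSUMER_SECRET, "POST", url, {"oauth_token": rt, "oauth_verifier": verifier}, rts))

def rejected(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Two things the code makes concrete from the thread: the consumer secret baked into a desktop client adds nothing once the binary is public, so the signature on the access-token exchange really binds the request to the request-token secret plus the verifier the user carried back; and if Matt's proposed JOSM-side proxy did the setup, only that last token pair would ever reach the editor. The example's signing and checks follow RFC 5849, but the token sizes, the 300-second timestamp window and the nonce table are this example's choices, not OSM's.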
