[josm-dev] shocking - unsecure password sending!
Ľubomír Varga
luvar at plaintext.sk
Wed Oct 7 17:53:22 BST 2009
Issues with importing certificates into Java can be solved by contacting me :-)
It is simple and, if it becomes necessary, I could write a tutorial or a
piece of code that imports/installs certificates.
PS: (very simple explanation) Certificates are stored for example in:
java-6-sun-1.6.0.16/jre/lib/security/cacerts
Importing into it can be done with some Java code found on the web
(InstallCert.java), or you can create with that mini-program some "mycertfile"
which can be instructed to be used via a properties parameter:
"java -Djavax.net.ssl.trustStore=/var/lib/someProgram/my_java_cert -jar someProgram.jar"
On Wednesday 07 October 2009 15:27:36 stefan at binaervarianz.de wrote:
> On Wed, 07 Oct 2009 14:26:37 +0200, Frederik Ramm <frederik at remote.org> wrote:
> > Hi,
> >
> > I agree that it is possible to get proper certificate for less than $400
> > per year (more like $30 or so). The free and self-signed ones have a
> > tendency to be frowned upon by Sun's Java stack but maybe certificate
> > checking can be disabled somehow?
>
> I don't know about Java problems with free certificates. One has to
> manually import them into browsers
> or personal keychains to use them, but JOSM could handle that gracefully
> for the user.
>
> I think certificates (at least self signed) are mandatory for HTTPS, but
> SSL could be used on its own without any form of authentication.
>
> > Transferring username/password via https and the rest without would
> > require changes to the server which someone would have to code.
>
> Yes, that's a problem. But is OAuth already implemented?
>
> But you have a point:
> Better let someone with ambition code something which doesn't quite fit the
> requirements instead
> of finding the perfect solution and nobody to actually implement it.
> I better calm down on the matter.
>
> >> A username/password authentication for most people just implies a kind of
> >> security which is not guaranteed by the implementation.
> >> I'm easily able to make edits, delete tracks and write diary entries in the
> >> name of other people as long as I'm able to catch a JOSM authentication
> >> packet.
> >> I don't think all users are aware of or even assume that.
> >
> > Of course most users are NOT aware of this, much as they are NOT aware
> > that anyone can sniff out their credit card number when they make a
> > purchase, or read their e-mail when they use an unencrypted W-Lan, or
> > ... it's a cruel world!
> >
> > I have amended the JOSM start page to say that username and password are
> > transmitted unencrypted, and that people should not upload changes if
> > they do not want that.
> >
> > As soon as someone comes along who is willing and able to make the
> > changes to the API, get them rolled out, and modify JOSM accordingly,
> > that note can be removed.
>
> That was wise. OSM could even get in legal trouble if it would somehow 'lose'
> some private data. Better tell the user that their data isn't private at all.
>
> Regards
>
> Stefan
>
>
>
> _______________________________________________
> josm-dev mailing list
> josm-dev at openstreetmap.org
> http://lists.openstreetmap.org/listinfo/josm-dev
--
An expert on everything is a bad expert. I try to be the exception that proves
the rule.
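The post above mentions a small program that installs a certificate into a separate trust-store file which is then selected with -Djavax.net.ssl.trustStore. The following is an added example (not the poster's code and not part of JOSM) that does the same from Java: it adds a PEM-encoded server certificate to a private store and then uses only that store for an HTTPS connection, so the self-signed or free certificate is trusted without touching the JRE's cacerts. The file names, alias, password "changeit" and the command-line arguments are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class InstallTrustedCert {
    /** Add the certificate in pemPath to the trust store at storePath (created if missing). */
    static void importCert(Path pemPath, Path storePath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storePath.toFile().exists()) {
            try (InputStream in = new FileInputStream(storePath.toFile())) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass); // start from an empty store
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath.toFile())) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // refuse expired or not-yet-valid certificates up front
        ks.setCertificateEntry(alias, cert); // trusted-certificate entry, no private key involved
        try (FileOutputStream out = new FileOutputStream(storePath.toFile())) { ks.store(out, storePass); }
    }
    /** Build an SSLContext whose trust anchors are exactly the entries in storePath. */
    static SSLContext contextFor(Path storePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath.toFile())) { ks.load(in, storePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // chain and validity checks stay on; host name is checked by HttpsURLConnection
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();                 // placeholder store password
        Path store = Paths.get("my_java_cert");                 // same file you could pass via -Djavax.net.ssl.trustStore
        importCert(Paths.get(args[0]), store, pass, "osm-api"); // args[0]: PEM file exported from the server
        HttpsURLConnection c = (HttpsURLConnection) new URL(args[1]).openConnection(); // args[1]: https URL
        c.setSSLSocketFactory(contextFor(store, pass).getSocketFactory());
        System.out.println("HTTP " + c.getResponseCode()); // SSLHandshakeException if the chain is not in the store
    }
}
```

Because the SSLContext is built from the private store only, an untrusted certificate still fails the handshake instead of being silently accepted, which is the behaviour you want instead of "disabling certificate checking".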