[josm-dev] shocking - unsecure password sending!
Frederik Ramm
frederik at remote.org
Thu Sep 24 12:49:45 BST 2009
Hi,
Valent Turkovic wrote:
> I was using JOSM only to download some data, and I wasn't aware that JOSM
> sends login data even when it is only downloading data and not sending.
It should not do that. But you are right - it does indeed send an
"Authorization" header when it does the "capabilities" XML request. This
is completely unnecessary.
Frankly I do not understand why the capabilities request has that header
and the map request doesn't.
> The real shock was that my username and password were being sent via
> clear text.
Well, at least it was base64 encoded ;-)
> Can JOSM use https or some other secure way of logging into OSM?
No, because the API does not support https (supporting https would
probably come at a considerable speed penalty especially if not using
changeset uploads).
One could use the newly provided OAuth mechanism for authentication.
This would then not transmit your password but a token; the token
however would still be transmitted in plain text, would have unlimited
validity until revoked (just like a password) and would allow anyone who
sees it to make edits in your name, so this would fall more under
"security by obscurity" than under proper security.
Bye
Frederik
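The point made in the message above, that a base64-encoded Basic Authorization header on plain HTTP hands the credentials to anyone on the path, as an added example that is not part of the original post and is not JOSM or OSM code. The two request byte strings are constructed to resemble a capabilities request (which carries the header) and a map request (which does not); the username, password and User-Agent string are made up, and the passive observer is simulated by parsing the raw request text:

```python
"""
Added example (not JOSM or OpenStreetMap code): what a passive observer of
plain HTTP learns from a request that carries HTTP Basic credentials.
The request bytes below are constructed samples; the username, password
and User-Agent value are invented for the example.
"""
import base64
import binascii

# Constructed sample: a plain-HTTP capabilities request with a Basic header,
# as described in the message above. "mapper:hunter2" is a made-up login.
CAPTURED_CAPABILITIES_REQUEST = (
    b"GET /api/capabilities HTTP/1.1\r\n"
    b"Host: api.openstreetmap.org\r\n"
    b"User-Agent: JOSM/1.5 (example)\r\n"
    b"Authorization: Basic " + base64.b64encode(b"mapper:hunter2") + b"\r\n"
    b"\r\n"
)

# Constructed sample: the map (download) request, with no Authorization
# header at all, as the message says it does not send one.
CAPTURED_MAP_REQUEST = (
    b"GET /api/0.6/map?bbox=13.3,52.5,13.4,52.6 HTTP/1.1\r\n"
    b"Host: api.openstreetmap.org\r\n"
    b"User-Agent: JOSM/1.5 (example)\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    header names are.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_basic_credentials(headers):
    """Return (username, password) from a Basic Authorization header.

    base64 is an encoding, not encryption: decoding needs no key.  Returns
    None when there is no header, the scheme is not Basic, or the value is
    not valid base64 / UTF-8.
    """
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, param = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: user-id may not contain ':', so split at the first colon.
    user, _, password = decoded.partition(":")
    return user, password


def observer_view(raw: bytes):
    """What someone sniffing unencrypted HTTP learns from one request.

    Returns the request target, the recovered Basic credentials (or None),
    and the raw Authorization value for any other scheme, since a token
    sent in an Authorization header over plain HTTP is just as visible.
    """
    _method, target, headers = parse_request(raw)
    creds = extract_basic_credentials(headers)
    auth = headers.get("authorization")
    other = None if (creds is not None or auth is None) else auth
    return {"target": target, "credentials": creds, "other_auth": other}


if __name__ == "__main__":
    for sample in (CAPTURED_CAPABILITIES_REQUEST, CAPTURED_MAP_REQUEST):
        print(observer_view(sample))
```

Run against the two constructed samples, the capabilities request yields the username and password in the clear while the map request yields nothing, which is exactly the asymmetry the message describes.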