[josm-dev] shocking - unsecure password sending!
Stefan Baebler
stefan.baebler at gmail.com
Thu Sep 24 13:18:17 BST 2009
On Thu, Sep 24, 2009 at 1:49 PM, Frederik Ramm <frederik at remote.org> wrote:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this would fall more under
> "security by obscurity" than under proper security.
Unless the OAuth login page uses SSL (https), the password will be sent in
clear text (not even base64 encoded) before the server issues a token.
It would make sense to use SSL at least for the OAuth login; then SSL
doesn't need to be used on the API if tools start authenticating users
via OAuth instead of the old basic authentication (which uses base64
encoding instead of real encryption). Of course tokens could be
sniffed as well, so they should expire soon (e.g. after every
session).
Will JOSM be the first to change and offer alternative OAuth authentication? :-)
There are open tickets about ssl and encrypting passwords:
http://trac.openstreetmap.org/ticket/275
http://trac.openstreetmap.org/ticket/106
Stefan
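To make the point about plaintext transport concrete, here is an added example (not code from this thread, JOSM or the OSM API) that does what a passive observer on the network path can do with an unencrypted HTTP request: it parses the Authorization header and recovers whatever credential material is in it. The three request captures are constructed for the example; the user name, password, token and secrets in them are made up. For HTTP Basic the base64 value decodes straight back to user:password; for OAuth 1.0 the oauth_token is readable as-is, and if the PLAINTEXT signature method is used the consumer and token secrets are in the oauth_signature parameter as well.

```python
import base64
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed sample captures (not real traffic). These are what a sniffer
# sees when the API is used over plain http://.
BASIC_REQUEST = (
    b"PUT /api/0.6/changeset/create HTTP/1.1\r\n"
    b"Host: api.openstreetmap.org\r\n"
    b"Authorization: Basic bWFwcGVyOmh1bnRlcjI=\r\n"   # base64("mapper:hunter2")
    b"Content-Type: text/xml\r\n"
    b"\r\n"
    b"<osm><changeset/></osm>"
)

OAUTH_HMAC_REQUEST = (
    b"PUT /api/0.6/changeset/create HTTP/1.1\r\n"
    b"Host: api.openstreetmap.org\r\n"
    b'Authorization: OAuth oauth_consumer_key="josm", oauth_token="tok123abc", '
    b'oauth_signature_method="HMAC-SHA1", oauth_signature="Qq%2Fabc%3D", '
    b'oauth_timestamp="1253794697", oauth_nonce="n1", oauth_version="1.0"\r\n'
    b"\r\n"
)

# With PLAINTEXT the signature is "consumer_secret&token_secret", percent-encoded.
OAUTH_PLAINTEXT_REQUEST = (
    b"GET /api/0.6/user/details HTTP/1.1\r\n"
    b"Host: api.openstreetmap.org\r\n"
    b'Authorization: OAuth oauth_consumer_key="josm", oauth_token="tok123abc", '
    b'oauth_signature_method="PLAINTEXT", oauth_signature="cs3cret%26t0ksecret", '
    b'oauth_version="1.0"\r\n'
    b"\r\n"
)

NO_AUTH_REQUEST = b"GET /api/capabilities HTTP/1.1\r\nHost: api.openstreetmap.org\r\n\r\n"

OAUTH_PARAM = re.compile(r'(oauth_\w+)="([^"]*)"')


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP request into a lower-cased header name -> value map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:               # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def recover_credentials(raw: bytes) -> Optional[Dict[str, str]]:
    """Return whatever credential material is readable in the Authorization header."""
    auth = parse_headers(raw).get("authorization")
    if not auth:
        return None
    scheme, _, rest = auth.partition(" ")
    scheme = scheme.lower()

    if scheme == "basic":
        # Base64 is an encoding, not encryption: one call gives the password back.
        user, _, password = base64.b64decode(rest.strip()).decode("utf-8").partition(":")
        return {"scheme": "basic", "user": user, "password": password}

    if scheme == "oauth":
        params = {k: unquote(v) for k, v in OAUTH_PARAM.findall(rest)}
        found = {
            "scheme": "oauth",
            "token": params.get("oauth_token", ""),
            "signature_method": params.get("oauth_signature_method", ""),
        }
        if found["signature_method"].upper() == "PLAINTEXT":
            # The PLAINTEXT signature carries both secrets in the clear.
            consumer_secret, _, token_secret = params.get("oauth_signature", "").partition("&")
            found["consumer_secret"] = consumer_secret
            found["token_secret"] = token_secret
        return found

    return {"scheme": scheme}


if __name__ == "__main__":
    for name, capture in [("basic", BASIC_REQUEST), ("oauth/hmac", OAUTH_HMAC_REQUEST),
                          ("oauth/plaintext", OAUTH_PLAINTEXT_REQUEST), ("none", NO_AUTH_REQUEST)]:
        print(name, recover_credentials(capture))
```

What the observer can do with the recovered material differs by scheme: a Basic password and a PLAINTEXT-signed OAuth request hand over everything needed to authenticate; with HMAC-SHA1 signing the token secret is never transmitted, so the observer sees the token and the full request contents but cannot sign new requests with it. TLS on the login page alone protects the password during token issuance; TLS on the API is what keeps the rest of the traffic, including the token, off the wire.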