[josm-dev] shocking - unsecure password sending!

Tobias Wendorff tobias.wendorff at uni-dortmund.de
Thu Sep 24 16:49:43 BST 2009


Hi,

Frederik Ramm schrieb:
> One could use the newly provided OAuth mechanism for authentication. 
> This would then not transmit your password but a token; the token 
> however would still be transmitted in plain text, would have unlimited 
> validity until revoked (just like a password) and would allow anyone who 
> sees it to make edits in your name, so this would fall more under 
> "security by obscurity" than under proper security.

Why not this way:
A token gets generated on the database server (or transmitted to
it) and it gets transmitted to the user via HTTPS.

The token will encode the password on the user's side and transmit
it in plaintext to the server. The server will encode it using
the token.

That sounds secure to me and shouldn't slow down any process.

Best regards,
Tobias
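An added illustration of the scheme sketched above, not code from this thread or from JOSM: it reads "encode the password using the token" as an HMAC over a single-use server nonce, which the server recomputes from the credential it stores (the user name, password and nonce length are constructed sample values). A proof captured on the wire is useless once its nonce has been consumed, but the server still has to hold the password (or a key derived from it), and the nonce must be fresh and unpredictable every time.

```python
import hashlib
import hmac
import secrets


def client_prove(token: bytes, password: str) -> str:
    """Client side: bind the password to the server's token without sending the password."""
    return hmac.new(password.encode(), token, hashlib.sha256).hexdigest()


class Server:
    """Server side: issues one-shot tokens and checks the client's proof against stored credentials."""

    def __init__(self, credentials: dict[str, str]) -> None:
        self.credentials = credentials      # user -> password (assumption: server can reproduce the key)
        self.outstanding: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        token = secrets.token_bytes(16)     # fresh, unpredictable nonce per login attempt
        self.outstanding[user] = token
        return token

    def verify(self, user: str, proof: str) -> bool:
        token = self.outstanding.pop(user, None)   # single use: a replayed proof finds no token
        if token is None or user not in self.credentials:
            return False
        expected = hmac.new(self.credentials[user].encode(), token, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)  # constant-time compare


def simulate(client_password: str, stored_password: str) -> tuple[bool, bool]:
    """Run one login, then replay the same proof; returns (first_attempt_ok, replay_ok)."""
    server = Server({"alice": stored_password})   # constructed sample account
    token = server.challenge("alice")
    proof = client_prove(token, client_password)  # only token and proof cross the wire
    first = server.verify("alice", proof)
    replay = server.verify("alice", proof)        # attacker re-sending the sniffed proof
    return first, replay


if __name__ == "__main__":
    print(simulate("hunter2", "hunter2"))   # (True, False)
    print(simulate("wrong", "hunter2"))     # (False, False)
```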
