[josm-dev] OAuth secure ?
Claudius
claudius.h at gmx.de
Fri Apr 30 10:07:31 BST 2010
On 29.04.2010 15:40, colliar wrote:
>
> Ævar Arnfjörð Bjarmason wrote:
>> On Thu, Apr 29, 2010 at 12:04, colliar <colliar4ever at aol.com> wrote:
>>> I thought at least with semi-automatic use OAuth was transferring with encryption
>>> (and should also now with https), but there is still a warning about no secure
>>> possibility on the wiki.
>>>
>>> Am I wrong or do we need to change this page?
>>
>> The wiki is wrong and needs to be brought up to date.
>
> Does that mean OAuth is now encrypted no matter which method is used?
> If so, we should lead the user to use OAuth and to not use the normal login at
> all, anymore.

No, OAuth is not about encryption at all. The initial OAuth setup call
can still be listened in on and the login+password retrieved.
All subsequent API calls won't transmit username+PW but the token
instead, but the content is still transferred unencrypted.

Btw, which wiki (article) are you referring to?
Claudius
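
The distinction drawn in the reply above, as an added example that is not part of the original thread or of JOSM's code: it signs one API call and reports which values appear verbatim in the bytes sent over plain HTTP. It assumes OAuth 1.0 with HMAC-SHA1 as specified in RFC 5849 (the thread does not name a version); the endpoint URL, keys, token, password and XML body are all constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, body, creds, nonce, timestamp):
    # A non-form-encoded body (here XML) is not part of the signature base string,
    # so the signature neither hides nor integrity-protects it.
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, oauth, creds["consumer_secret"], creds["token_secret"])
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    host, path = url.split("://", 1)[1].split("/", 1)
    return (f"{method} /{path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: {header}\r\nContent-Type: text/xml\r\n\r\n{body}")

def exposed_on_wire(raw, values):
    # Which named values appear verbatim in the unencrypted request?
    return {name: value in raw for name, value in values.items()}

# Constructed sample values (hypothetical endpoint, keys, token and password)
CREDS = {"consumer_key": "ck-example", "consumer_secret": "cs-example",
         "token": "tok-example", "token_secret": "ts-example"}
PASSWORD = "pw-example"
BODY = '<osm><changeset><tag k="comment" v="fix road"/></changeset></osm>'
URL = "http://api.example.org/upload"
RAW = build_request("PUT", URL, BODY, CREDS, "n0nce", "1272618451")
REPORT = exposed_on_wire(RAW, {"password": PASSWORD, "token": CREDS["token"],
                               "token_secret": CREDS["token_secret"], "body": BODY})
if __name__ == "__main__":
    print(REPORT)
```

The password and token secret never appear in the request, but the token and the full payload do, which is why the transport still needs HTTPS.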