[OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?
Matt Amos
zerebubuth at gmail.com
Sat Dec 26 01:25:59 GMT 2009
On Sat, Dec 26, 2009 at 12:30 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
> 2009/12/26 John Smith <deltafoxtrot256 at gmail.com>:
>> 2009/12/26 Matt Amos <zerebubuth at gmail.com>:
>>> On Fri, Dec 25, 2009 at 9:38 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
>>>> I don't think OAuth is a valid security method.
>>>
>>> why not?
>>
>> If you hadn't snipped my email you would have read the answer.

i didn't see anything in the rest of your email(s) germane to OAuth,
which is why i snipped that bit.

> Unless cryptography is involved how do you know your packets aren't
> being intercepted and proxied and altered in transit?

because OAuth does cryptographic signing of the requests.

> Sure OSM isn't much of a target at present, however the more popular
> that something becomes the more likely it is to be attacked as well.

OSM is already being attacked by some vandals and some spam bots. but
none of these attacks have been against the authentication parts of
OSM.

cheers,

matt