[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?
Matt Amos
zerebubuth at gmail.com
Sat Dec 26 02:17:29 GMT 2009
On Sat, Dec 26, 2009 at 1:46 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
> 2009/12/26 Matt Amos <zerebubuth at gmail.com>:
>> because OAuth does cryptographic signing of the requests.
>
> Via a clear channel, which can be proxied and mangled and so on.
Proxied yes, mangled no. The cryptographic signature which OAuth
performs allows the server to detect if the request was modified
en route, and it will reject it if so.
OAuth isn't a substitute for SSL, but it is a substitute for passwords,
which means that requests are secure and your password doesn't go in
the clear. To securely create an OAuth token we need SSL, but Tom has
already said that's on his todo list.
cheers,
matt
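An added illustration of the request signing discussed in this thread (example code, not from the OSM code base or from either poster): a Python sketch of OAuth 1.0 HMAC-SHA1 signing in which the client signs the method, URL and parameters with secrets that never cross the wire, and the server recomputes the signature over what it actually received, so a proxy that rewrites a covered parameter is rejected. The credentials, endpoint and request below are constructed assumptions, and only the method, URL and query/form parameters are covered by the signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample secrets and request; none of these are real OSM credentials.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
BASE_URL = "https://api.openstreetmap.org/api/0.6/map"
REQUEST_PARAMS = {
    "bbox": "-0.5,51.3,-0.4,51.4",  # application parameter a proxy might rewrite
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1261793849",
    "oauth_nonce": "example-nonce-1",
}

def _enc(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 (RFC 5849, section 3.6) requires."""
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Method, URL and every parameter except the signature itself, sorted and encoded."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string, keyed by both secrets (neither is ever sent)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    message = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def sign_request(method, base_url, params) -> dict:
    """Client side: attach oauth_signature to the outgoing parameters."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(method, base_url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return signed

def server_accepts(method, base_url, received: dict) -> bool:
    """Server side: recompute over what arrived; any change to a covered field fails."""
    expected = hmac_sha1_signature(method, base_url, received, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(received.get("oauth_signature", ""), expected)

def demo():
    """Returns (accepted_unmodified, accepted_after_proxy_tampering)."""
    signed = sign_request("GET", BASE_URL, REQUEST_PARAMS)
    tampered = dict(signed)
    tampered["bbox"] = "0.0,0.0,1.0,1.0"  # an intermediary rewrites the request in transit
    return server_accepts("GET", BASE_URL, signed), server_accepts("GET", BASE_URL, tampered)
```

A real server additionally rejects reused nonces and stale timestamps, which this sketch omits.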