[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?

John Smith deltafoxtrot256 at gmail.com
Sat Dec 26 02:25:01 GMT 2009


2009/12/26 Matt Amos <zerebubuth at gmail.com>:
> On Sat, Dec 26, 2009 at 1:46 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
>> 2009/12/26 Matt Amos <zerebubuth at gmail.com>:
>>> because OAuth does cryptographic signing of the requests.
>>
>> Via a clear channel, which can be proxied and mangled and so on.
>
> proxied yes, mangled no. the cryptographic signature which OAuth
> performs allows the server to detect if the request was modified
> en-route and it will reject it if so.

I should have been clear: I didn't mean it would be accepted, I meant
it might get mangled and be unusable:

http://www.theregister.co.uk/2009/12/23/vodafone_christmas/

The problem is that the WAP APN, while it is packet based and offers
the same speed, doesn't provide unfettered internet access. It routes
everything through Vodafone's Novarra-supplied gateway which mangles
content and puts additional adverts and navigation features into web
pages. Those wanting to run their own instant messaging client, or
applications that use HTTP transport and don't want it mangled, need
to switch to the "Contract Internet" APN, which won't be free next
week.

> OAuth isn't a substitute for SSL, but it is a substitute for passwords

Nuff said.
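The integrity check being discussed, as an added example that is not part of this thread or OSM's code: an OAuth 1.0a HMAC-SHA1 signature computed over a request, re-verified by the server, and the same request after a content-rewriting gateway alters a parameter. The credentials, URL, nonce and parameters are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed secrets; real consumer/token secrets are never in a request.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"


def _enc(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unreserved).
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    # All oauth_* and request parameters except oauth_signature, sorted by
    # encoded key then value, joined as key=value pairs with '&'.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the base string, keyed with both secrets.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_accepts(method, base_url, params, consumer_secret, token_secret):
    # The server recomputes the signature from what it actually received and
    # compares in constant time; any change en route breaks the match.
    presented = params.get("oauth_signature", "")
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def demo():
    # Constructed request: a signed API call carrying one plain parameter.
    url = "http://example.org/api/changeset/create"
    request = {
        "oauth_consumer_key": "example-key", "oauth_token": "example-token",
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1261794301",
        "oauth_nonce": "n0nce", "oauth_version": "1.0",
        "comment": "Fixed street name",
    }
    request["oauth_signature"] = sign("PUT", url, request, CONSUMER_SECRET, TOKEN_SECRET)
    intact = server_accepts("PUT", url, request, CONSUMER_SECRET, TOKEN_SECRET)
    # A content-rewriting gateway changes a parameter on the way through.
    mangled = dict(request, comment="Fixed street name [gateway inserted text]")
    return intact, server_accepts("PUT", url, mangled, CONSUMER_SECRET, TOKEN_SECRET)
```

The signed request verifies; the rewritten one is rejected, which is what makes it "unusable" rather than silently altered.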



