[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?

Matt Amos zerebubuth at gmail.com
Sat Dec 26 03:30:19 GMT 2009


On Sat, Dec 26, 2009 at 3:05 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
> 2009/12/26 Matt Amos <zerebubuth at gmail.com>:
>> which means there's no argument here for using SSL on vodafone.
>
> I have no idea what Voda is up to, because they would throw up all
> sorts of warning messages from browsers, even on phones, and users
> would complain endlessly. SSL is usually left alone if for no other
> reason to prevent customer complaints, but no such browser
> errors/warnings occur if html has been messed with.

it seems that SSL isn't being left alone.

>> indeed. OSM doesn't need SSL for API traffic, it just needs a system
>> for secure authentication. and it has one in OAuth.
>
> So people can brute force OAuth credentials?

given sufficiently many signatures, it's possible to brute force a
single token with a very large amount of effort. however, this token
doesn't give sufficient access to either create further tokens or
change users credentials and can be easily revoked. it's also worth
noting that it's possible to brute force SSL certificates, but again,
with a very large amount of effort. in general, it's possible to brute
force everything except one-time pads.

as with any security measure, to minimise your risk you need to be
aware of the security horizon (which will depend on what your attack
profile is) and change your authentication details regularly.

cheers,

matt
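As an added illustration of the point Matt makes above (example code written for this page, not OSM's code or anything posted in the thread), here is an OAuth 1.0 HMAC-SHA1 signing and verification round trip with constructed credentials, a constructed URL and a server-side revocation set: the token secret keys the HMAC but never appears in the request, a modified request fails verification, and a revoked token is refused even when its signature is valid.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials, not real OSM keys.
CONSUMER_KEY, CONSUMER_SECRET = "osm-editor", "consumer-secret-xyz"
TOKEN, TOKEN_SECRET = "user-token-abc", "token-secret-123"

def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0 requires
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD&URL&sorted(key=value) joined by '&', each part encoded
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; only the MAC is sent
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_request(method, url, params, nonce, timestamp):
    # Client side: attach the oauth_* parameters and sign the whole request
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
             "oauth_nonce": nonce, "oauth_version": "1.0"}
    signed = {**params, **oauth}
    signed["oauth_signature"] = sign(method, url, signed, CONSUMER_SECRET, TOKEN_SECRET)
    return signed

# Server side: secrets are looked up by identifier; revoked tokens are refused.
SERVER_CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}
SERVER_TOKENS = {TOKEN: TOKEN_SECRET}
REVOKED = set()

def server_verify(method, url, received):
    params = dict(received)
    sig = params.pop("oauth_signature", "")
    token, consumer = params.get("oauth_token"), params.get("oauth_consumer_key")
    if token in REVOKED or token not in SERVER_TOKENS or consumer not in SERVER_CONSUMERS:
        return False
    expected = sign(method, url, params, SERVER_CONSUMERS[consumer], SERVER_TOKENS[token])
    # Constant-time comparison so signature checking does not leak timing
    return hmac.compare_digest(sig, expected)
```

Revoking a token is just adding it to the server's revocation set; the rest of the credentials, including the user's password, never travel with a signed request.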
