Hi, I tend to think that OAuth is not a great solution for desktop client vs net server, and kind of reinventing the wheel vs. SSL. Key benefits of OAuth are, IMHO, the revoking ability, which is a bit pointless for a desktop app, and the fact that men-in-the-middle do not know your credential (also pointless for a point-to-point API connection). Re security, it is certainly better than basic auth but still no match for a script kiddie without HTTPS (see, e.g., Firesheep: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/). The only real benefit is to prevent local storage of the password.
Is there a specific reason why HTTPS is not enabled for the API and/or osm.org?

- Chris -

