On 15/02/11 14:15, Chris Browet wrote:
> I tend to think that OAuth is not a great solution for desktop client vs net server, and kind of reinventing the wheel vs. SSL. Key benefits of OAuth are, IMHO, the revoking ability, which is a bit pointless for a desktop app, and the fact that men-in-the-middle do not know your credential (also pointless for point-to-point API connection).

...and that the application doesn't have to know your password!

> Re security, it is certainly better than basic auth but still no match for a script kiddie without HTTPS (see, e.g., Firesheep http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/). The only real benefit is to prevent local storage of the password.

That and the possibility that the application author might sneakily send them all to somewhere on the internet for later exploitation.

> Is there a specific reason why HTTPS is not enabled for the API and/or osm.org?

SSL is CPU heavy to run on lots of small requests.

Tom

-- 
Tom Hughes ([email protected])
http://compton.nu/
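Added example, not code from this thread or from OpenStreetMap: a minimal OAuth 1.0a HMAC-SHA1 signer and verifier (assumed here to be the scheme the thread is discussing), showing the point made above that the consumer secret, the token secret and the user's password never travel with the request, only the token and a per-request signature. The endpoint, keys and secrets are constructed sample values.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

def pct(s):
    # OAuth 1.0a requires RFC 3986 encoding: only unreserved characters stay bare.
    return quote(str(s), safe="")

def base_string(method, url, params):
    # Normalise: encode keys and values, sort, join, then encode the whole string once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with both secrets; the secrets themselves never appear in the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_header(method, url, query, consumer_key, consumer_secret,
                  token, token_secret, nonce=None, timestamp=None):
    # Client side: build the Authorization header for one request (nonce + timestamp bind it).
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def verify_header(method, url, query, header, consumer_secret, token_secret):
    # Server side: recompute the signature from what was received and compare in constant time.
    oauth = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        oauth[unquote(k)] = unquote(v.strip('"'))
    presented = oauth.pop("oauth_signature", "")
    expected = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

if __name__ == "__main__":
    URL = "https://api.example.org/api/0.6/user/details"  # constructed sample endpoint
    hdr = signed_header("GET", URL, {}, "APP-KEY", "APP-SECRET", "USER-TOKEN", "TOKEN-SECRET")
    print(hdr)  # carries oauth_token and oauth_signature, never APP-SECRET, TOKEN-SECRET or a password
    print(verify_header("GET", URL, {}, hdr, "APP-SECRET", "TOKEN-SECRET"))
```

A signature only covers the method, URL and parameters it was computed over, so a server that also rejects stale timestamps and reused nonces limits what a captured plaintext request is worth; everything else in that request is still readable, which is why the HTTPS point in the thread stands.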