Hi,

Valent Turkovic wrote:
> I was using JOSM only to download some data, and I wasn't aware that JOSM
> sends login data even when it is only downloading data and not sending.

It should not do that. But you are right - it does indeed send an "Authorization" header when it does the "capabilities" XML request. This is completely unnecessary. Frankly I do not understand why the capabilities request has that header and the map request doesn't.

> The real shock was that my username and password were being sent via
> clear text.

Well, at least it was base64 encoded ;-)

> Can JOSM use https or some other secure way of logging into OSM?

No, because the API does not support https (supporting https would probably come at a considerable speed penalty especially if not using changeset uploads).

One could use the newly provided OAuth mechanism for authentication. This would then not transmit your password but a token; the token however would still be transmitted in plain text, would have unlimited validity until revoked (just like a password) and would allow anyone who sees it to make edits in your name, so this would fall more under "security by obscurity" than under proper security.

Bye
Frederk
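
Added example, not part of the original message: a small Python audit of a captured HTTP request that reports whether an Authorization header travels without TLS, and shows that a Basic value decodes straight back to the username. The host name, request path, credentials and the helper names `audit_request` and `sample_request` are constructed for illustration.

```python
import base64


def audit_request(raw: bytes, scheme: str = "http") -> dict:
    """Report what credential material one captured HTTP request exposes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    finding = {"target": request_line.split(" ")[1], "auth": None,
               "user": None, "visible_on_wire": False}
    auth = headers.get("authorization")
    if auth is None:
        return finding  # anonymous request, nothing to leak

    kind, _, param = auth.partition(" ")
    finding["auth"] = kind
    # Without TLS, whatever the header carries is readable by any on-path observer.
    finding["visible_on_wire"] = scheme.lower() != "https"
    if kind.lower() == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            finding["auth"] = "Basic (malformed)"
            return finding
        finding["user"] = decoded.partition(":")[0]  # password deliberately not kept
    return finding


def sample_request(path: str, creds: str = "") -> bytes:
    """Build a constructed request; host and credentials are sample values."""
    lines = [f"GET {path} HTTP/1.1", "Host: api.example.invalid"]
    if creds:
        token = base64.b64encode(creds.encode()).decode()
        lines.append("Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    print(audit_request(sample_request("/api/capabilities", "mapper:s3cret")))
    print(audit_request(sample_request("/api/map")))
```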
