On Thu, Sep 24, 2009 at 1:49 PM, Frederik Ramm <[email protected]> wrote:

> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this would fall more under
> "security by obscurity" than under proper security.

Unless the OAuth login page uses SSL (https), the password will be sent in clear text (not even base64 encoded) before the server issues a token.

It would make sense to use SSL at least for the OAuth login; then SSL doesn't need to be used on the API if tools start authenticating users via OAuth instead of the old basic authentication (which uses base64 encoding instead of real encryption). Of course tokens could be sniffed as well, so they should be expiring soon (e.g. after every session).

Will JOSM be the first to change and offer alternative OAuth authentication? :-)

There are open tickets about SSL and encrypting passwords:
http://trac.openstreetmap.org/ticket/275
http://trac.openstreetmap.org/ticket/106

Stefan

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev
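The two points made in the message above, that HTTP Basic authentication only encodes the credentials and that a sniffable token is far less dangerous if it expires per session and can be revoked, can be shown in a few lines. The following is an added example written for this page; it is not code from JOSM, the OpenStreetMap API or anyone on the thread. The `TokenStore` class, the server key, the 60-second lifetime and the `demo()` walkthrough are all constructed for illustration.

```python
"""Added example (not from the josm-dev thread): why HTTP Basic auth offers no
confidentiality, and how a server-side token store with per-session expiry and
revocation limits the damage if a token is sniffed off a plaintext connection.
All names, values and the toy store are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def basic_auth_credentials(authorization_header: str) -> Tuple[str, str]:
    """Recover the username and password from an HTTP Basic 'Authorization'
    header. Base64 is an encoding, not encryption: anyone who can read the
    header on the wire can do exactly this, so only TLS protects it."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


class TokenStore:
    """Server-side session tokens with a short lifetime and explicit revocation.
    Tokens are random, stored only as HMAC-SHA256 tags (so a leaked store does
    not leak usable tokens), and stop working after `ttl_seconds`."""

    def __init__(self, server_key: bytes, ttl_seconds: int,
                 clock: Callable[[], float] = time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised without sleeping
        self._sessions: Dict[bytes, Tuple[str, float]] = {}  # tag -> (user, expiry)

    def _tag(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Start a session: hand out a fresh random token that dies after the TTL."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._tag(token)] = (user, self._clock() + self._ttl)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None if unknown, revoked or expired."""
        tag = self._tag(token)
        entry = self._sessions.get(tag)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[tag]  # expired: a sniffed copy is now worthless
            return None
        return user

    def revoke(self, token: str) -> None:
        """End the session (e.g. on logout); the token is useless afterwards."""
        self._sessions.pop(self._tag(token), None)


def demo(ttl_seconds: int = 60) -> Dict[str, Optional[str]]:
    """Walk one token through issue -> use -> expiry, and another through
    revocation, using a fake clock so the run is deterministic."""
    now = [1_000_000.0]
    store = TokenStore(b"constructed-server-key", ttl_seconds, clock=lambda: now[0])
    token = store.issue("alice")
    results: Dict[str, Optional[str]] = {"fresh": store.authenticate(token)}
    now[0] += ttl_seconds + 1                      # session lifetime passes
    results["after_expiry"] = store.authenticate(token)
    token2 = store.issue("alice")
    store.revoke(token2)                           # explicit logout
    results["after_revoke"] = store.authenticate(token2)
    results["garbage"] = store.authenticate("not-a-real-token")
    return results


if __name__ == "__main__":
    # Constructed header for the credentials alice:hunter2.
    print(basic_auth_credentials("Basic YWxpY2U6aHVudGVyMg=="))
    print(demo())
```

The decoder makes the base64 point concrete: the header yields the password back unchanged. The store shows the mitigation the message asks for: a token that leaks on an unencrypted connection is only useful until the session's TTL runs out or the user logs out, which is a much smaller window than a password or an unlimited-validity token.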
