Hi,
John Smith wrote:
I just thought of another situation, when sites don't protect users'
privacy someone usually comes up with a firefox extension to protect
their own privacy, in this case you'd generate noise by making a lot
of fake requests for tiles in 2, 3, or even 10 other locations
2009/12/26 Frederik Ramm frede...@remote.org:
Do you now suggest that OSM should encrypt tile access, or do you suggest
OSM should ignore those people who are willing to go to such lengths to
protect their privacy?
I'm just pointing out what people have done in the past and what they
could do
Hi,
Matt Amos wrote:
as with any security measure, to minimise your risk you need to be
aware of the security horizon (which will depend on what your attack
profile is) and change your authentication details regularly.
I think any security discussion should start with a threat assessment:
1.
Hi,
John Smith wrote:
2009/12/26 Frederik Ramm frede...@remote.org:
Do you now suggest that OSM should encrypt tile access, or do you suggest
OSM should ignore those people who are willing to go to such lengths to
protect their privacy?
I'm just pointing out what people have done in the
2009/12/26 Frederik Ramm frede...@remote.org:
1. What do we want to protect?
This depends who you ask.
2. Whom do we need to protect us against?
At this stage mostly spammers, accidental incidents and malicious
incidents, but with current growth rates is the level of current
issues going down
2009/12/26 Frederik Ramm frede...@remote.org:
Right. So you're not saying that encrypted tile access would do anything to
fix this situation. Good, because that's my opinion also.
I wasn't asking for encrypted access to tiles (although it would be
nice), I only ever mentioned things like APIs
2009/12/23 Kenneth Gonsalves law...@au-kbc.org:
On Tuesday 22 Dec 2009 8:46:39 pm John Smith wrote:
I don't value privacy above all else. Name a jurisdiction you think
respects privacy, and then let us evaluate
Even if I were to do all this you would simply rebuff me with more
time wasting
I don't mean to troll, but why is security important for OSM exactly? My
bank details, yes. My email, yes. But OSM? What am I afraid of, that someone
will ruin my reputation by making edits under my account? Edits that can
subsequently be reverted...?
Steve
2009/12/26 Steve Bennett stevag...@gmail.com:
I don't mean to troll, but why is security important for OSM exactly? My
bank details, yes. My email, yes. But OSM? What am I afraid of, that someone
will ruin my reputation by making edits under my account? Edits that can
subsequently be
On Sat, Dec 26, 2009 at 1:36 AM, John Smith deltafoxtrot...@gmail.com wrote:
Your account may be able to do relatively little damage, but what
about someone who has more access?
Fair point.
Then you also have the possibility of collecting large amounts of
account details, since almost
2009/12/26 Steve Bennett stevag...@gmail.com:
That situation exists already. Nothing is stopping someone from signing up
for thousands of accounts then using them all simultaneously.
And that would be easy to deal with, since the only edits would be
malicious if this is the intent, what about
2009/12/26 Steve Bennett stevag...@gmail.com:
That situation exists already. Nothing is stopping someone from signing up
for thousands of accounts then using them all simultaneously.
I just thought of another situation, when sites don't protect users'
privacy someone usually comes up with a
On Fri, Dec 25, 2009 at 9:38 AM, John Smith deltafoxtrot...@gmail.com wrote:
I don't think OAuth is a valid security method.
why not?
cheers,
matt
___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk
2009/12/26 John Smith deltafoxtrot...@gmail.com:
2009/12/26 Matt Amos zerebub...@gmail.com:
On Fri, Dec 25, 2009 at 9:38 AM, John Smith deltafoxtrot...@gmail.com
wrote:
I don't think OAuth is a valid security method.
why not?
Unless cryptography is involved how do you know your packets
On Sat, Dec 26, 2009 at 12:30 AM, John Smith deltafoxtrot...@gmail.com wrote:
2009/12/26 John Smith deltafoxtrot...@gmail.com:
2009/12/26 Matt Amos zerebub...@gmail.com:
On Fri, Dec 25, 2009 at 9:38 AM, John Smith deltafoxtrot...@gmail.com
wrote:
I don't think OAuth is a valid security
2009/12/26 Matt Amos zerebub...@gmail.com:
because OAuth does cryptographic signing of the requests.
Via a clear channel, which can be proxied and mangled and so on.
OSM is already being attacked by some vandals and some spam bots. but
none of these attacks have been against the
On Sat, Dec 26, 2009 at 1:46 AM, John Smith deltafoxtrot...@gmail.com wrote:
2009/12/26 Matt Amos zerebub...@gmail.com:
because OAuth does cryptographic signing of the requests.
Via a clear channel, which can be proxied and mangled and so on.
proxied yes, mangled no. the cryptographic
2009/12/26 Lars Francke lars.fran...@gmail.com:
Hmmm one of us doesn't understand OAuth or we have a different
understanding of what _mutual cryptographic authentication_ is.
As others have said, without SSL it can still be brute forced so
that's not exactly what I was thinking.
SSL can use
On Sat, Dec 26, 2009 at 2:25 AM, John Smith deltafoxtrot...@gmail.com wrote:
2009/12/26 Matt Amos zerebub...@gmail.com:
On Sat, Dec 26, 2009 at 1:46 AM, John Smith deltafoxtrot...@gmail.com
wrote:
2009/12/26 Matt Amos zerebub...@gmail.com:
because OAuth does cryptographic signing of the
2009/12/26 Matt Amos zerebub...@gmail.com:
which means there's no argument here for using SSL on vodafone.
I have no idea what Voda is up to, because they would throw up all
sorts of warning messages from browsers, even on phones, and users
would complain endlessly. SSL is usually left alone if
On Sat, Dec 26, 2009 at 3:05 AM, John Smith deltafoxtrot...@gmail.com wrote:
2009/12/26 Matt Amos zerebub...@gmail.com:
which means there's no argument here for using SSL on vodafone.
I have no idea what Voda is up to, because they would throw up all
sorts of warning messages from browsers,
2009/12/26 Matt Amos zerebub...@gmail.com:
it seems that SSL isn't being left alone.
I'm not in the UK so I can't test it, can anyone confirm this is
actually happening?
given sufficiently many signatures, it's possible to brute force a
single token with a very large amount of effort.
When does anyone plan to use SSL to protect passwords and users on OSM?
I noticed the other day about how JOSM puts this in its MOTD:
Your username and password are sent to the server unencrypted. If you
do not like this, do not upload.
While I'm aware that this is occurring, many others may
On 22/12/09 14:11, John Smith wrote:
When does anyone plan to use SSL to protect passwords and users on OSM?
It's on my to do list to create a CSR and give it to Grant.
There are some issues to work out with regard to what we protect though
as we don't really want to be using SSL for all
2009/12/23 Tom Hughes t...@compton.nu:
It's on my to do list to create a CSR and give it to Grant.
openssl req -nodes -new -keyout private.key -out server.csr
There are some issues to work out with regard to what we protect though as
we don't really want to be using SSL for all the API
Hi,
John Smith wrote:
I gave several good reasons, but you chose to rebuff my question with
a silly question.
No, you didn't give any reasons, you just basically claimed that SSL
protects users and passwords, and I said that I think neither is the
case. It is a common fallacy to think so.
2009/12/23 Frederik Ramm frede...@remote.org:
No, you didn't give any reasons, you just basically claimed that SSL
protects users and passwords, and I said that I think neither is the case.
It is a common fallacy to think so.
In the sense that it protects bits going over the internet that is a
Hi,
John Smith wrote:
The UK government can, at any time, force access to our servers which are
located within its jurisdiction, and download your every private traces from
these servers.
Correct, so when are the servers shipping out of the UK into a
jurisdiction that actually respects
2009/12/23 Frederik Ramm frede...@remote.org:
I don't value privacy above all else. Name a jurisdiction you think respects
privacy, and then let us evaluate
Even if I were to do all this you would simply rebuff me with more
time wasting endeavours, as you pointed out you care about everything
Raise funds for better hardware that seamlessly handles encryption; or
start modifying editors to support OAuth so that they can use SSL for
the login part only - that would be a start. Write How-Tos etc. that
explain OAuth to users.
Just as a side note: OSM currently implements OAuth 1.0
John Smith wrote:
So what exactly is it in your opinion that I could be doing that I'm
not already?
Cut down the number of trolling posts you make to the mailing lists.
Cheers, Chris
2009/12/23 Chris Hill o...@raggedred.net:
John Smith wrote:
So what exactly is it in your opinion that I could be doing that I'm
not already?
Cut down the number of trolling posts you make to the mailing lists.
What did you add to this discussion exactly, at least I'm following up
on a
On Tue, Dec 22, 2009 at 02:30:38PM +, Tom Hughes wrote:
On 22/12/09 14:11, John Smith wrote:
When does anyone plan to use SSL to protect passwords and users on OSM?
It's on my to do list to create a CSR and give it to Grant.
There are some issues to work out with regard to what
Hi,
Florian Lohoff wrote:
So encrypting all API calls shouldn't be much of a problem - There is not that
much data transferred anyway, just a lot of connections with little data in
them.
I thought the expensive bit was setting up the connection, not
transmitting data?
I'd like to see SSL
On Tue, Dec 22, 2009 at 6:14 PM, Florian Lohoff f...@rfc822.org wrote:
On Tue, Dec 22, 2009 at 02:30:38PM +, Tom Hughes wrote:
On 22/12/09 14:11, John Smith wrote:
When does anyone plan to use SSL to protect passwords and users on OSM?
It's on my to do list to create a CSR and give to
On Tue, Dec 22, 2009 at 07:31:10PM +0100, Frederik Ramm wrote:
I'd like to see SSL encrypted connections for everything, there are a lot of
employees spying on their staff, governments on their population and people
each other. I am not afraid of losing my password to someone as it's a unique
On Tue, Dec 22, 2009 at 12:41 PM, Florian Lohoff f...@rfc822.org wrote:
It's not about the data you are uploading - but probably the fact that
you participate in an open project at all.
Um, if you are nervous about others knowing that you participate in this
project, then why do you do it? Is
On Tue, Dec 22, 2009 at 12:50:59PM -0600, Ian Dees wrote:
On Tue, Dec 22, 2009 at 12:41 PM, Florian Lohoff f...@rfc822.org wrote:
It's not about the data you are uploading - but probably the fact that
you participate in an open project at all.
Um, if you are nervous about others
Hi,
Florian Lohoff wrote:
Um, if you are nervous about others knowing that you participate in this
project, then why do you do it? Is there an establishment out there that has
an interest in preventing you from doing this?
Would Teleatlas, Navteq, Google, AND, Ordnance Survey like their
On 01/-10/-28163 08:59 PM, John Smith wrote:
...
So adding comments to trac and sending emails on this topic is doing nothing?
I think pretty much everything has already been said on this topic, but
writing emails and trac tickets is so much easier than writing
patches... ;-)
And John,
On Tue, Dec 22, 2009 at 8:27 PM, Frederik Ramm frede...@remote.org wrote:
Hi,
Florian Lohoff wrote:
Um, if you are nervous about others knowing that you participate in this
project, then why do you do it? Is there an establishment out there that has
an interest in preventing you from doing
On Tuesday 22 Dec 2009 8:46:39 pm John Smith wrote:
I don't value privacy above all else. Name a jurisdiction you think
respects privacy, and then let us evaluate
Even if I were to do all this you would simply rebuff me with more
time wasting endeavours, as you pointed out you care about