On Fri, Dec 25, 2009 at 8:52 PM, Lars Francke <[email protected]> wrote:

> The Resource Owner Authorization[4] as well as the exchange of the
> shared secret will need to be done using a secure method (SSL/TLS) but
> that doesn't mean that OAuth 1.0a or OAuth WRAP aren't valid
> authentication/authorization mechanisms. It just means that there is a
> way to implement it in an insecure way.

Okay, but isn't OAuth being presented as an alternative to SSL? What I got from a quick read of the spec (http://oauth.net/core/1.0a/) is this:

"Unless a transport-layer security protocol is used, eavesdroppers will have full access to OAuth requests and signatures, and will thus be able to mount offline brute-force attacks to recover the Consumer's credentials used."

I'd imagine a large number of OSM passwords can be easily brute-forced given offline access. Not that I think it much matters. I agree with Steve that stealing OSM passwords isn't that big of a deal.
_______________________________________________
talk mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/talk

