shocking - unsecure password sending!

classic Classic list List threaded Threaded
54 messages Options
123
Reply | Threaded
Open this post in threaded view
|

shocking - unsecure password sending!

valent.turkovic@gmail.com
Hi,
I was amazed when my OSM username and password appeared on "Wall of
Sheep" during the conference at which I was presenting OpenStreetMap
project!

I was using JOSM only to download some data, and I wasn't aware that JOSM
sends login data even when it is only downloading data and not sending.

The real shock was that my username and password were being send via
clear text.

Can JOSM use https or some other secure way of logging into OSM?

Cheers from Croatia,
Valent.



--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Frederik Ramm
Hi,

Valent Turkovic wrote:
> I was using JOSM only to download some data, and I wasn't aware that JOSM
> sends login data even when it is only downloading data and not sending.

It should not do that. But you are right - it does indeed send an
"Authorization" header when it does the "capabilities" XML request. This
  is completely unnecessary.

Frankly I do not understand why the capabilities request has that header
and the map request doesn't.

> The real shock was that my username and password were being send via
> clear text.

Well, at least it was base64 encoded ;-)

> Can JOSM use https or some other secure way of logging into OSM?

No, because the API does not support https (supporting https would
probably come at a considerable speed penalty especially if nut using
changeset uploads).

One could use the newly provided OAuth mechanism for authentication.
This would then not transmit your password but a token; the token
however would still be transmitted in plain text, would have unlimited
validity until revoked (just like a password) and would allow anyone who
sees it to make edits in your name, so this wold fall more unter
"security by obscurity" than under proper security.

Bye
Frederk

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Stefan Baebler
On Thu, Sep 24, 2009 at 1:49 PM, Frederik Ramm <[hidden email]> wrote:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this wold fall more unter
> "security by obscurity" than under proper security.
Unless OAuth login page uses SSL (https) the password will be sent in
clear text (not even base64 encoded) before the server issues a token.

It would make sense to use SSL at least for OAuth login and then SSL
doesn't need to be used on the API if tools start authenticating users
via OAuth instead of old basic authentication (which uses base64
encoding instead of real encryption). Of course tokens could be
sniffed as well, so they should be expiring soon (eg after every
session).

Will JOSM be the first to change and offer alternative OAuth authentication? :-)

There are open tickets about ssl and encrypting passwords:
http://trac.openstreetmap.org/ticket/275
http://trac.openstreetmap.org/ticket/106

Stefan

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

GeoJ
In reply to this post by Frederik Ramm
Frederik Ramm schrieb:
> No, because the API does not support https (supporting https would
> probably come at a considerable speed penalty especially if nut using
> changeset uploads).

May be the HTTP digest authentication would be an alternative (or a
similar approach)? It uses a clear-text challenge-response protocol that
does not require SSL but protects the password.

GeoJ


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

TobWen
In reply to this post by Frederik Ramm
Hi,

Frederik Ramm schrieb:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this wold fall more unter
> "security by obscurity" than under proper security.

Why not this way:
A token gets gets generated on the database server (or transmitted to
it) and it gets transmitted to the user via HTTPS.

The token will encode the password on the user's side and transmit
it in plaintext to the server. The server will encode it using
the token.

That sounds secure to me and shouldn't slow down any process.

Best regards,
Tobias


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Ævar Arnfjörð Bjarmason
In reply to this post by Frederik Ramm
On Thu, Sep 24, 2009 at 11:49 AM, Frederik Ramm <[hidden email]> wrote:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this wold fall more unter
> "security by obscurity" than under proper security.

On OSM.org you can give out tokens that allow the holder to *only*
edit the map data. As opposed to also getting access to your private
GPX tracks, making diary entries / comments etc.

So transfering plaintext OAuth tokens would be more secure as in the
event of a breach the access the attacker would gain to OSM.org in
your name would at least be compartmentalized.

Not to mention that the OAuth token would *only* work on OSM.org
whereas users are likely to supply the same email/password pair for
multiple websites that they're using.

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

valent.turkovic@gmail.com
In reply to this post by GeoJ
On Thu, 24 Sep 2009 17:25:36 +0200, GeoJ wrote:

> May be the HTTP digest authentication would be an alternative (or a
> similar approach)? It uses a clear-text challenge-response protocol that
> does not require SSL but protects the password.

Will this be incorporated in some future version of JOSM?



--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Karl Guggisberg
Hi everbody

just wondering whether the OSM API already supports digest authentication.
If JOSM wanted to use it, could we already work on it or would we have to
wait for the servers to support it?

Regards
Karl

-----Ursprüngliche Nachricht-----
Von: [hidden email]
[mailto:[hidden email]] Im Auftrag von Valent Turkovic
Gesendet: Sonntag, 27. September 2009 15:44
An: [hidden email]
Betreff: Re: [josm-dev] shocking - unsecure password sending!

On Thu, 24 Sep 2009 17:25:36 +0200, GeoJ wrote:

> May be the HTTP digest authentication would be an alternative (or a
> similar approach)? It uses a clear-text challenge-response protocol
> that does not require SSL but protects the password.

Will this be incorporated in some future version of JOSM?



--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless registered as user
#367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Ævar Arnfjörð Bjarmason
On Sun, Sep 27, 2009 at 2:25 PM, Karl Guggisberg
<[hidden email]> wrote:
> just wondering whether the OSM API already supports digest authentication.
> If JOSM wanted to use it, could we already work on it or would we have to
> wait for the servers to support it?

TomH via IRC on #osm-dev: "we can't do it and are unlikely ever to do
so as it requires the passwords to be held in plain text on the
server".

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

valent.turkovic@gmail.com
In reply to this post by TobWen
On Thu, 24 Sep 2009 17:49:43 +0200, Tobias Wendorff wrote:

> A token gets gets generated on the database server (or transmitted to
> it) and it gets transmitted to the user via HTTPS.
>
> The token will encode the password on the user's side and transmit it in
> plaintext to the server. The server will encode it using the token.
>
> That sounds secure to me and shouldn't slow down any process.

Any plans on implementing this feature into JOSM?



--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

valent.turkovic@gmail.com
In reply to this post by Stefan Baebler
On Thu, 24 Sep 2009 14:18:17 +0200, Stefan Baebler wrote:

> There are open tickets about ssl and encrypting passwords:
> http://trac.openstreetmap.org/ticket/275
> http://trac.openstreetmap.org/ticket/106

I see these are 4 years old tickets :(

How far is it from realization so that we start using secure login with
JOSM?



--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Frederik Ramm
In reply to this post by valent.turkovic@gmail.com
Hi,

Valent Turkovic wrote:
>> A token gets gets generated on the database server (or transmitted to
>> it) and it gets transmitted to the user via HTTPS.
>>
>> The token will encode the password on the user's side and transmit it in
>> plaintext to the server. The server will encode it using the token.
>>
>> That sounds secure to me and shouldn't slow down any process.
>
> Any plans on implementing this feature into JOSM?

The JOSM part of any of this (except perhaps OAuth) is trivial and I'm
sure if the server supports some kind of secure authentication then
someone will hack that up in JOSM. However as long as the server doesn't
do SSL there's not much incentive, and frankly I couldn't care less
about my username/password being unencrypted so I will not spend any
time either coding the Ruby side of things or convincing the server
operators to buy and install SSL certificates.

But if this is important to you, then go ahead.

Bye
Frederik

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Dirk Stöcker
In reply to this post by valent.turkovic@gmail.com
On Thu, 24 Sep 2009, Valent Turkovic wrote:

> I was amazed when my OSM username and password appeared on "Wall of
> Sheep" during the conference at which I was presenting OpenStreetMap
> project!
>
> I was using JOSM only to download some data, and I wasn't aware that JOSM
> sends login data even when it is only downloading data and not sending.

In rev. 2222 the capabilities request no longer sends username/password.
This means again only uploads require authentication.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Ľubomír Varga
Thanks for that improvement. Now we are a little bit safer :-)

Have a nice day.

On Friday 02 October 2009 21:20:15 Dirk Stöcker wrote:

> On Thu, 24 Sep 2009, Valent Turkovic wrote:
> > I was amazed when my OSM username and password appeared on "Wall of
> > Sheep" during the conference at which I was presenting OpenStreetMap
> > project!
> >
> > I was using JOSM only to download some data, and I wasn't aware that JOSM
> > sends login data even when it is only downloading data and not sending.
>
> In rev. 2222 the capabilities request no longer sends username/password.
> This means again only uploads require authentication.
>
> Ciao

--
Odborník na všetko je zlý odborník. Ja sa snažím byť výnimkou potvrdzujúcou
pravidlo.

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

valent.turkovic@gmail.com
In reply to this post by Ævar Arnfjörð Bjarmason
On Sat, 26 Sep 2009 13:49:00 +0000, Ævar Arnfjörð Bjarmason wrote:

> On OSM.org you can give out tokens that allow the holder to *only* edit
> the map data. As opposed to also getting access to your private GPX
> tracks, making diary entries / comments etc.
>
> So transfering plaintext OAuth tokens would be more secure as in the
> event of a breach the access the attacker would gain to OSM.org in your
> name would at least be compartmentalized.
>
> Not to mention that the OAuth token would *only* work on OSM.org whereas
> users are likely to supply the same email/password pair for multiple
> websites that they're using.

This definitely sounds like a step forward in the right direction. This
seams like a nice feature to secure users account, and you are right,
this would be much better than nothing.


--
pratite me na twitteru - www.twitter.com/valentt
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Karl Guggisberg
I think that people would be disappointed if one explained them how OAuth would work from JOSM.
My understanding is, that it would work along the following steps:

1. User starts JOSM and clicks on "Sign In"

2. JOSM displays an internal, modal window saying
   "We now launch a Web Browser. Please follow the instructions you are given there. At the end
    a so called request token will be generated for you. Please copy/paste it in the text field
    below and click 'Authorize' "
   (did I mention that the window includes a text field and a button "Authorize"?)

2. An external (or internal) Web Browser is launched. It shows  the normal www.openstreetmap.org
   login sreen. The user has to login with his user id/passwort. Since OSM still doesn't support HTTPS,
   neither for the login page nor for any other page, and since it only supports the Basic Auth schem,
   not digest authentication, the user id and the password are transferred in cleartext over the net,
   in exactly the same way JOSM transfers it today.

4. The user follows the steps required by OAuth, gets a request token, copies it, and pastes it to
   the field it JOSM. Then he clicks 'Authorize'.

5. JOSM requsts an access token from OSM and uses it in subsequent calls.

The request token can be saved in the JOSM-profile (agreed, that this avoids having userid/password
unencrypted in the profile) and it will be used to get another access token the next time JOSM
is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.

Not much of a improvement, IMHO. Or do you I miss something?

Regards
Karl


-----Ursprüngliche Nachricht-----
Von: [hidden email] [mailto:[hidden email]] Im Auftrag von Valent Turkovic
Gesendet: Dienstag, 6. Oktober 2009 09:56
An: [hidden email]
Betreff: Re: [josm-dev] shocking - unsecure password sending!

On Sat, 26 Sep 2009 13:49:00 +0000, Ævar Arnfjörð Bjarmason wrote:

> On OSM.org you can give out tokens that allow the holder to *only*
> edit the map data. As opposed to also getting access to your private
> GPX tracks, making diary entries / comments etc.
>
> So transfering plaintext OAuth tokens would be more secure as in the
> event of a breach the access the attacker would gain to OSM.org in
> your name would at least be compartmentalized.
>
> Not to mention that the OAuth token would *only* work on OSM.org
> whereas users are likely to supply the same email/password pair for
> multiple websites that they're using.

This definitely sounds like a step forward in the right direction. This seams like a nice feature to secure users account, and you are right, this would be much better than nothing.


--
pratite me na twitteru - www.twitter.com/valentt http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Ľubomír Varga
I think that secure mechanism are today here and are a little bit standard
(ssl, https). Why dont use them? If osm.org dont want to play with
certificates, or to have some cpu power burned for ssl, I think that this
problem isnt't josm problem.

Imho osm.org should introduce some https page, where josm software could get
pass token for some time period. This change of username+passwd for token,
will be crypted (one https page). Other request will be http (no cpu burned
for ssl) and will use token. This is second version how to get secured. First
is to introduce https over all requests and imho should be implemented.

This thread is from my point of wiev just waste of time and some Oauth, etc,
would be also waste of time.

This is my opinion, Iam a little bit paranoid in IT world, but I dont have any
want (in meaning of "have to be") for secured osm.

Does anyone know what opinion does hava osm core group?


On Tuesday 06 October 2009 19:11:04 Karl Guggisberg wrote:

> I think that people would be disappointed if one explained them how OAuth
> would work from JOSM. My understanding is, that it would work along the
> following steps:
>
> 1. User starts JOSM and clicks on "Sign In"
>
> 2. JOSM displays an internal, modal window saying
>    "We now launch a Web Browser. Please follow the instructions you are
> given there. At the end a so called request token will be generated for
> you. Please copy/paste it in the text field below and click 'Authorize' "
>    (did I mention that the window includes a text field and a button
> "Authorize"?)
>
> 2. An external (or internal) Web Browser is launched. It shows  the normal
> www.openstreetmap.org login sreen. The user has to login with his user
> id/passwort. Since OSM still doesn't support HTTPS, neither for the login
> page nor for any other page, and since it only supports the Basic Auth
> schem, not digest authentication, the user id and the password are
> transferred in cleartext over the net, in exactly the same way JOSM
> transfers it today.
>
> 4. The user follows the steps required by OAuth, gets a request token,
> copies it, and pastes it to the field it JOSM. Then he clicks 'Authorize'.
>
> 5. JOSM requsts an access token from OSM and uses it in subsequent calls.
>
> The request token can be saved in the JOSM-profile (agreed, that this
> avoids having userid/password unencrypted in the profile) and it will be
> used to get another access token the next time JOSM is started, but using
> OAuth doesn't protect us from sending uid/password in cleartext over the
> net.
>
> Not much of a improvement, IMHO. Or do you I miss something?
>
> Regards
> Karl
>
>
> -----Ursprüngliche Nachricht-----
> Von: [hidden email]
> [mailto:[hidden email]] Im Auftrag von Valent Turkovic
> Gesendet: Dienstag, 6. Oktober 2009 09:56
> An: [hidden email]
> Betreff: Re: [josm-dev] shocking - unsecure password sending!
>
> On Sat, 26 Sep 2009 13:49:00 +0000, Ævar Arnfjörð Bjarmason wrote:
> > On OSM.org you can give out tokens that allow the holder to *only*
> > edit the map data. As opposed to also getting access to your private
> > GPX tracks, making diary entries / comments etc.
> >
> > So transfering plaintext OAuth tokens would be more secure as in the
> > event of a breach the access the attacker would gain to OSM.org in
> > your name would at least be compartmentalized.
> >
> > Not to mention that the OAuth token would *only* work on OSM.org
> > whereas users are likely to supply the same email/password pair for
> > multiple websites that they're using.
>
> This definitely sounds like a step forward in the right direction. This
> seams like a nice feature to secure users account, and you are right, this
> would be much better than nothing.
>
>
> --
> pratite me na twitteru - www.twitter.com/valentt
> http://kernelreloaded.blog385.com/ linux, blog, anime, spirituality,
> windsurf, wireless registered as user #367004 with the Linux Counter,
> http://counter.li.org. ICQ: 2125241, Skype: valent.turkovic
>
>
> _______________________________________________
> josm-dev mailing list
> [hidden email]
> http://lists.openstreetmap.org/listinfo/josm-dev
>
>
> _______________________________________________
> josm-dev mailing list
> [hidden email]
> http://lists.openstreetmap.org/listinfo/josm-dev

--
Odborník na všetko je zlý odborník. Ja sa snažím byť výnimkou potvrdzujúcou
pravidlo.

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Frederik Ramm
In reply to this post by Karl Guggisberg
Hi,

Karl Guggisberg wrote:
> I think that people would be disappointed if one explained them how OAuth would work from JOSM.
> My understanding is, that it would work along the following steps:

Probably right although I'm sure a way can be found to save the user
from having to cut+paste the token.

> The request token can be saved in the JOSM-profile (agreed, that this avoids having userid/password
> unencrypted in the profile) and it will be used to get another access token the next time JOSM
> is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.

The difference is that since the token is valid forever, the unencrypted
transfer of username and password will take place only once, and not
with every request. (Requests would still contain the unencrypted token
which would allow others to make edits in your name though.)

But as I said before, I don't currently consider OSM accounts to be a
valuable asset. I have many of them and should one be compromised then
I'll create another. Any account created anonymously from the web page
has the same privileges as my account so why should a hacker bother to
hijack my account when he can just sign up for one? Thus I think the
whole security question is more a kind of knee-jerk security paranoia
thing than a real concern. (And anyone who cares so little about
security that he uses the same password for OSM that he uses elsewhere
does not really deserve that we make an effort to protect his data, does
he?)

This would however change if OSM accounts had special privileges. If my
account could to things that yours cannot then that might make a difference.

Bye
Frederik

--
Frederik Ramm  ##  eMail [hidden email]  ##  N49°00'09" E008°23'33"

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

MP-14
>  But as I said before, I don't currently consider OSM accounts to be a
>  valuable asset. I have many of them and should one be compromised then
>  I'll create another. Any account created anonymously from the web page

They are not very valuable, but once someone start vandalising "in
your name", they will blame you...

Also there is some stuff tied to your account (list of friends, diary
entries, uploaded GPX traces - I don't use these, but some people do
.... then there are settings, watched OSM elements ....)
And that stuff can be somewhat valuable for some people.

>  has the same privileges as my account so why should a hacker bother to
>  hijack my account when he can just sign up for one? Thus I think the

All email accounts on gmail, for example, have same privileges, yet
people value their personal email accounts quite highly.

OSM accounts are usually not that valuable as emails, but their value
is far from zero for some people.

Martin

_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
Reply | Threaded
Open this post in threaded view
|

Re: shocking - unsecure password sending!

Karl Guggisberg
In reply to this post by Frederik Ramm
> Probably right although I'm sure a way can be found to save the user from having to cut+paste the token.
I'm afraid, it can't. If JOSM was a web application, it would be part of the OAuth protocol that the OSM
website "calls back" JOSM with the request token. For a java rich client this is isn't possible.

But wait a minute, don't we a have a remote control plugin which is "called back" by the OSM web site? Yes, sort of.
We would need
- the OSM page which generates the request token to include a link
  <a href="http://localhost:8888/oauth-request-token>Click to import the request token into JOSM</a>
- JOSM to listen on port 8888 for such requests (similar to the remote plugin)

This would be slightly less complicated from the users point of view but it's still not seamless.
The user explicitly has to click on the link.

-- Karl

-----Ursprüngliche Nachricht-----
Von: Frederik Ramm [mailto:[hidden email]]
Gesendet: Mittwoch, 7. Oktober 2009 01:51
An: [hidden email]
Cc: [hidden email]
Betreff: Re: [josm-dev] shocking - unsecure password sending!

Hi,

Karl Guggisberg wrote:
> I think that people would be disappointed if one explained them how OAuth would work from JOSM.
> My understanding is, that it would work along the following steps:

Probably right although I'm sure a way can be found to save the user from having to cut+paste the token.

> The request token can be saved in the JOSM-profile (agreed, that this
> avoids having userid/password unencrypted in the profile) and it will
> be used to get another access token the next time JOSM is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.

The difference is that since the token is valid forever, the unencrypted transfer of username and password will take place only once, and not with every request. (Requests would still contain the unencrypted token which would allow others to make edits in your name though.)

But as I said before, I don't currently consider OSM accounts to be a valuable asset. I have many of them and should one be compromised then I'll create another. Any account created anonymously from the web page has the same privileges as my account so why should a hacker bother to hijack my account when he can just sign up for one? Thus I think the whole security question is more a kind of knee-jerk security paranoia thing than a real concern. (And anyone who cares so little about security that he uses the same password for OSM that he uses elsewhere does not really deserve that we make an effort to protect his data, does
he?)

This would however change if OSM accounts had special privileges. If my account could to things that yours cannot then that might make a difference.

Bye
Frederik

--
Frederik Ramm  ##  eMail [hidden email]  ##  N49°00'09" E008°23'33"


_______________________________________________
josm-dev mailing list
[hidden email]
http://lists.openstreetmap.org/listinfo/josm-dev
123