The OAuth signature gives you the security that the request hasn't been
tampered with in transit (so-called man-in-the-middle attacks). However, it
doesn't encrypt the data it is sending.
So for sensitive information like credit card details, using https is still
required since you don't only want to make sure it hasn't been changed in
transit, you also want to make sure no one can read it, which is what https
gives you.

  -- Chris

On Tue, Mar 10, 2009 at 9:16 AM, Sanjay Patel <skpate...@gmail.com> wrote:

> Hi Arne,
>
> Thanks a lot for this vital input.
>
>> This is a great question.  Technically, the entire request url and
>> post body are signed.  You can verify that any parameters in the
>> request are exactly what was passed to the container via the
>> makeRequest call, or added by the container itself.
>
>
> Does this mean that credit card etc. can be safely sent using Signed
> Request mechanism, and we don't need to use HTTPS url as we do in normal
> websites?
>
> thanks,
> Sanjay
>
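
An added illustration of the point made in the reply above (not code from the thread or from OpenSocial): an OAuth 1.0-style signature detects a changed parameter, yet the signed body sent over plain HTTP still shows the card number to anyone on the path. HMAC-SHA1 as the signature method, the shared secret, the URL and all parameter names and values are assumptions constructed for the example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode

def pct(s):
    # Percent-encoding as used for OAuth 1.0 base strings (unreserved chars only).
    return quote(s, safe="-._~")

def signature(method, url, params, consumer_secret, token_secret=""):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, params, secret):
    # Returns the form-encoded body exactly as it would travel over http://
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = signature(method, url, signed, secret)
    return urlencode(signed).encode()

def verify(method, url, wire_body, secret):
    # Receiver recomputes the signature over what actually arrived.
    params = dict(parse_qsl(wire_body.decode(), keep_blank_values=True))
    claimed = params.get("oauth_signature", "")
    expected = signature(method, url, params, secret)
    return hmac.compare_digest(claimed, expected)

def demo():
    secret = "constructed-shared-secret"        # constructed value
    url = "http://app.example.com/pay"          # constructed, plain HTTP on purpose
    body = sign_request("POST", url, {
        "card_number": "4111111111111111",      # well-known test number
        "amount": "10.00",
        "oauth_consumer_key": "container.example",
        "oauth_nonce": "abc123",
        "oauth_timestamp": "1236700000",
    }, secret)
    tampered = body.replace(b"amount=10.00", b"amount=99.00")
    return {
        "untouched_verifies": verify("POST", url, body, secret),
        "tampered_verifies": verify("POST", url, tampered, secret),
        "card_readable_on_wire": b"4111111111111111" in body,
    }

if __name__ == "__main__":
    print(demo())
```

The signature covers integrity only; sending the same signed body over HTTPS is what removes the `card_readable_on_wire` exposure.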
