Re: [OSM-talk] Why doesn't OSM ?

2009-12-27 Thread Liz
On Sat, 26 Dec 2009, Frederik Ramm wrote: > 1. What do we want to protect? > 2. Whom do we need to protect us against? > 3. What resources (and what other means to get to 1.) does that guy have? > > Sometimes, for a balanced reaction, you might also want to add: > > 4. How realistic is the threat *

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John F. Eldredge
riginal Message- From: Peter Childs Date: Tue, 22 Dec 2009 16:38:32 Cc: Open Street Map mailing list Subject: Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords? 2009/12/22 John F. Eldredge : > There also does not appear to be any provi

[OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John Smith
When does anyone plan to use SSL to protect passwords and users on OSM? I noticed the other day about how JOSM puts this in its MOTD: "Your username and password are sent to the server unencrypted. If you do not like this, do not upload." While I'm aware that this is occurring, many others may

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John F. Eldredge
or even to think wrongly is better than not to think at all." -- Hypatia of Alexandria -Original Message- From: John Smith Date: Wed, 23 Dec 2009 00:11:43 To: Talk Openstreetmap Subject: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Jonathan Bennett
On 22/12/2009 16:27, John F. Eldredge wrote: > There also does not appear to be any provision on the OSM web site for > changing to a new password See http://www.openstreetmap.org/user//account where there are two password boxes. Fill them both in to change your password. -- Jonathan (Jonobenne

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Peter Childs
sage- > From: John Smith > Date: Wed, 23 Dec 2009 00:11:43 > To: Talk Openstreetmap > Subject: [OSM-talk] Why doesn't OSM implement a simple measure to protect >        it's users and passwords? > > When does anyone plan to use SSL to protect passwords and use

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Tom Hughes
On 22/12/09 14:11, John Smith wrote: > When does anyone plan to use SSL to protect passwords and users on OSM? It's on my to do list to create a CSR and give it to Grant. There are some issues to work out with regard to what we protect though as we don't really want to be using SSL for all t

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John Smith
2009/12/23 Tom Hughes : > It's on my to do list to create a CSR and give it to Grant. openssl req -nodes -new -keyout private.key -out server.csr > There are some issues to work out with regard to what we protect though as > we don't really want to be using SSL for all the API requests though

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Frederik Ramm
Hi, John Smith wrote: > I gave several good reasons, but you chose to rebuff my question with > a silly question. No, you didn't give any reasons, you just basically claimed that "SSL protects users and passwords", and I said that I think neither is the case. It is a common fallacy to think so.

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John Smith
2009/12/23 Frederik Ramm : > No, you didn't give any reasons, you just basically claimed that "SSL > protects users and passwords", and I said that I think neither is the case. > It is a common fallacy to think so. In the sense that it protects bits going over the internet that is a factual statem

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Frederik Ramm
Hi, John Smith wrote: >> The UK government can, at any time, force access to our servers which are >> located within its jurisdiction, and download your every private traces from >> these servers. > > Correct, so when are the servers shipping out of the UK into a > jurisdiction that actually resp

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John Smith
2009/12/23 Frederik Ramm : > I don't value privacy above all else. Name a jurisdiction you think respects > privacy, and then let us evaluate Even if I were to do all this you would simply rebuff me with more time wasting endeavours, as you pointed out you care about everything else above privacy.

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Lars Francke
> Raise funds for better hardware that seamlessly handles encryption; or > start modifying editors to support OAuth so that they can use SSL for > the login part only - that would be a start. Write How-Tos etc. that > explain OAuth to users. Just as a side note: OSM currently implements OAuth 1.0

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Chris Hill
John Smith wrote: > So what exactly is it in your opinion that I could be doing that I'm > not already? > > Cut down the number of trolling posts you make to the mailing lists. Cheers, Chris

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread John Smith
2009/12/23 Chris Hill : > John Smith wrote: >> So what exactly is it in your opinion that I could be doing that I'm >> not already? >> >> > > Cut down the number of trolling posts you make to the mailing lists. What did you add to this discussion exactly, at least I'm following up on a bug/feature

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Florian Lohoff
On Tue, Dec 22, 2009 at 02:30:38PM +, Tom Hughes wrote: > On 22/12/09 14:11, John Smith wrote: > > > When does anyone plan to use SSL to protect passwords and users on OSM? > > It's on my to do list to create a CSR and give it to Grant. > > There are some issues to work out with regard to

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Frederik Ramm
Hi, Florian Lohoff wrote: > So encrypting all API calls shouldn't be much of a problem - There is not that > much data transferred anyway, just a lot of connected with little data in > them. I thought the expensive bit was setting up the connection, not transmitting data? > I'd like to see SSL

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Dave Stubbs
On Tue, Dec 22, 2009 at 6:14 PM, Florian Lohoff wrote: > On Tue, Dec 22, 2009 at 02:30:38PM +, Tom Hughes wrote: >> On 22/12/09 14:11, John Smith wrote: >> >> > When does anyone plan to use SSL to protect passwords and users on OSM? >> >> It's on my to do list to create a CSR and give it to

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Florian Lohoff
On Tue, Dec 22, 2009 at 07:31:10PM +0100, Frederik Ramm wrote: >> I'd like to see SSL encrypted connections for everything, there are a lot of >> employees spying on their staff, governments on their population and people >> each other. I am not afraid of losing my password to someone as it's a un

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Ian Dees
On Tue, Dec 22, 2009 at 12:41 PM, Florian Lohoff wrote: > > It's not about the data you are uploading - but probably the fact that > you participate in an open project at all. Um, if you are nervous about others knowing that you participate in this project, then why do you do it? Is there an est

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Jukka Rahkonen
Ian Dees gmail.com> writes: > That's the whole point of this operation! If you don't want people > to easily read what you do, then you should probably not participate in > something called *OPEN*StreetMap. How about if you happen to live in a closed country where the government wants to

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Florian Lohoff
On Tue, Dec 22, 2009 at 12:50:59PM -0600, Ian Dees wrote: > On Tue, Dec 22, 2009 at 12:41 PM, Florian Lohoff wrote: > > > > > It's not about the data you are uploading - but probably the fact that > > you participate in an open project at all. > > > Um, if you are nervous about others knowing th

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Frederik Ramm
Hi, Florian Lohoff wrote: >> Um, if you are nervous about others knowing that you participate in this >> project, then why do you do it? Is there an establishment out there that has >> an interest in preventing you from doing this? > > Would Teleatlas, Navteq, Google, AND, Ordnance Survey like th

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Kai Krueger
On 01/-10/-28163 08:59 PM, John Smith wrote: ... > So adding comments to trac and sending emails on this topic is doing nothing? > I think pretty much everything has already been said on this topic, but writing emails and trac tickets is so much easier than writing patches... ;-) And John, y

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Matt Amos
On Tue, Dec 22, 2009 at 8:27 PM, Frederik Ramm wrote: > Hi, > > Florian Lohoff wrote: >>> Um, if you are nervous about others knowing that you participate in this >>> project, then why do you do it? Is there an establishment out there that has >>> an interest in preventing you from doing this? >>

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-22 Thread Kenneth Gonsalves
On Tuesday 22 Dec 2009 8:46:39 pm John Smith wrote: > > I don't value privacy above all else. Name a jurisdiction you think > > respects privacy, and then let us evaluate > > Even if I were to do all this you would simply rebuff me with more > time wasting endeavours, as you pointed out you care a

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/23 Kenneth Gonsalves : > On Tuesday 22 Dec 2009 8:46:39 pm John Smith wrote: >> > I don't value privacy above all else. Name a jurisdiction you think >> > respects privacy, and then let us evaluate >> >> Even if I were to do all this you would simply rebuff me with more >> time wasting ende

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/23 Kai Krueger : > I think pretty much everything has already been said on this topic, but > writing emails and trac tickets is so much easier than writing patches... Then you aren't really reading the emails on this topic. > And John, you are a java programmer, right? So you would presum

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Steve Bennett
I don't mean to troll, but why is security important for OSM exactly? My bank details, yes. My email, yes. But OSM? What am I afraid of, that someone will ruin my reputation by making edits under my account? Edits that can subsequently be reverted...? Steve

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Steve Bennett : > I don't mean to troll, but why is security important for OSM exactly? My > bank details, yes. My email, yes. But OSM? What am I afraid of, that someone > will ruin my reputation by making edits under my account? Edits that can > subsequently be reverted...? Your accoun

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Steve Bennett
On Sat, Dec 26, 2009 at 1:36 AM, John Smith wrote: > Your account may be able to do relatively little damage, but what > about someone who has more access? > Fair point. > Then you also have the possibility of collecting large amounts of > account details, since almost everything is still sent

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Steve Bennett : > That situation exists already. Nothing is stopping someone from signing up > for thousands of accounts then using them all simultaneously. And that would be easy to deal with, since the only edits would be malicious if this is the intent, what about dealing with a mix

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Steve Bennett : > That situation exists already. Nothing is stopping someone from signing up > for thousands of accounts then using them all simultaneously. I just thought of another situation, when sites don't protect users' privacy someone usually comes up with a firefox extension to

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Matt Amos
On Fri, Dec 25, 2009 at 9:38 AM, John Smith wrote: > I don't think OAuth is a valid security method. why not? cheers, matt

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Matt Amos : > On Fri, Dec 25, 2009 at 9:38 AM, John Smith wrote: >> I don't think OAuth is a valid security method. > > why not? If you hadn't snipped my email you would have read the answer.

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 John Smith : > 2009/12/26 Matt Amos : >> On Fri, Dec 25, 2009 at 9:38 AM, John Smith >> wrote: >>> I don't think OAuth is a valid security method. >> >> why not? Unless cryptography is involved how do you know your packets aren't being intercepted and proxied and altered in transit?

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Matt Amos
On Sat, Dec 26, 2009 at 12:30 AM, John Smith wrote: > 2009/12/26 John Smith : >> 2009/12/26 Matt Amos : >>> On Fri, Dec 25, 2009 at 9:38 AM, John Smith >>> wrote: I don't think OAuth is a valid security method. >>> >>> why not? >> >> If you hadn't snipped my email you would have read the an

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Matt Amos : > because OAuth does cryptographic signing of the requests. Via a clear channel, which can be proxied and mangled and so on. > OSM is already being attacked by some vandals and some spam bots. but > none of these attacks have been against the authentication parts of > OSM.

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Lars Francke
On Sat, Dec 26, 2009 at 01:21, John Smith wrote: > 2009/12/26 Matt Amos : >> On Fri, Dec 25, 2009 at 9:38 AM, John Smith >> wrote: >>> I don't think OAuth is a valid security method. >> >> why not? > > If you hadn't snipped my email you would have read the answer. Well here it is, your answer:

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Anthony
On Fri, Dec 25, 2009 at 8:52 PM, Lars Francke wrote: > The Resource Owner Authorization[4] as well as the exchange of the > shared secret will need to be done using a secure method (SSL/TLS) but > that doesn't mean that OAuth 1.0a or OAuth WRAP aren't valid > authentication/authorization mechanism

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Matt Amos
On Sat, Dec 26, 2009 at 1:46 AM, John Smith wrote: > 2009/12/26 Matt Amos : >> because OAuth does cryptographic signing of the requests. > > Via a clear channel, which can be proxied and mangled and so on. proxied yes, mangled no. the cryptographic signature which OAuth performs allows the server

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Matt Amos : > On Sat, Dec 26, 2009 at 1:46 AM, John Smith wrote: >> 2009/12/26 Matt Amos : >>> because OAuth does cryptographic signing of the requests. >> >> Via a clear channel, which can be proxied and mangled and so on. > > proxied yes, mangled no. the cryptographic signature which

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Lars Francke : > Hmmm one of us doesn't understand OAuth or we have a different > understanding of what _mutual cryptographic authentication_ is. As others have said, without SSL it can still be brute forced so that's not exactly what I was thinking. SSL can use client and server certi

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Matt Amos
On Sat, Dec 26, 2009 at 2:25 AM, John Smith wrote: > 2009/12/26 Matt Amos : >> On Sat, Dec 26, 2009 at 1:46 AM, John Smith >> wrote: >>> 2009/12/26 Matt Amos : because OAuth does cryptographic signing of the requests. >>> >>> Via a clear channel, which can be proxied and mangled and so on.

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Matt Amos : > which means there's no argument here for using SSL on vodafone. I have no idea what Voda is up to, because they would throw up all sorts of warning messages from browsers, even on phones, and users would complain endlessly. SSL is usually left alone if for no other reason

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread Matt Amos
On Sat, Dec 26, 2009 at 3:05 AM, John Smith wrote: > 2009/12/26 Matt Amos : >> which means there's no argument here for using SSL on vodafone. > > I have no idea what Voda is up to, because they would throw up all > sorts of warning messages from browsers, even on phones, and users > would complai

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-25 Thread John Smith
2009/12/26 Matt Amos : > it seems that SSL isn't being left alone. I'm not in the UK so I can't test it, can anyone confirm this is actually happening? > given sufficiently many signatures, it's possible to brute force a > single token with a very large amount of effort. however, this token > doe

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread Frederik Ramm
Hi, John Smith wrote: > I just thought of another situation, when sites don't protect users' > privacy someone usually comes up with a firefox extension to protect > their own privacy, in this case you'd generate noise by making a lot > of fake requests for tiles in 2, 3, or even 10 other location

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread John Smith
2009/12/26 Frederik Ramm : > Do you now suggest that OSM should encrypt tile access, or do you suggest > OSM should ignore those people who are "willing to go to such lengths to > protect their privacy"? I'm just pointing out what people have done in the past and what they could do in future, alth

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread Frederik Ramm
Hi, Matt Amos wrote: > as with any security measure, to minimise your risk you need to be > aware of the security horizon (which will depend on what your attack > profile is) and change your authentication details regularly. I think any security discussion should start with a threat assessment:

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread Frederik Ramm
Hi, John Smith wrote: > 2009/12/26 Frederik Ramm : >> Do you now suggest that OSM should encrypt tile access, or do you suggest >> OSM should ignore those people who are "willing to go to such lengths to >> protect their privacy"? > > I'm just pointing out what people have done in the past and wh

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread John Smith
2009/12/26 Frederik Ramm : > 1. What do we want to protect? This depends who you ask. > 2. Whom do we need to protect us against? At this stage mostly spammers, accidental incidents and malicious incidents, but with current growth rates is the level of current issues going down or up? Will new pr

Re: [OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?

2009-12-26 Thread John Smith
2009/12/26 Frederik Ramm : > Right. So you're not saying that encrypted tile access would do anything to > fix this situation. Good, because that's my opinion also. I wasn't asking for encrypted access to tiles (although it would be nice), I only ever mentioned things like APIs and GPX uploads and