On Sat, Dec 26, 2009 at 2:25 AM, John Smith <deltafoxtrot...@gmail.com> wrote:
> 2009/12/26 Matt Amos <zerebub...@gmail.com>:
>> On Sat, Dec 26, 2009 at 1:46 AM, John Smith <deltafoxtrot...@gmail.com> wrote:
>>> 2009/12/26 Matt Amos <zerebub...@gmail.com>:
>>>> because OAuth does cryptographic signing of the requests.
>>>
>>> Via a clear channel, which can be proxied and mangled and so on.
>>
>> proxied yes, mangled no. the cryptographic signature which OAuth
>> performs allows the server to detect if the request was modified
>> en-route and it will reject it if so.
>
> I should have been clear, I didn't mean it would be accepted I meant
> it might get mangled and be unusable:
>
> http://www.theregister.co.uk/2009/12/23/vodafone_christmas/

while that's really sad, and a complete FAIL for vodafone, this site
claims that:

"Secure HTTPS sites are transcoded, except for "banking sites". Users
are warned that their security may be compromised when visiting a
non-banking secure site through the transcoder."

http://wapreview.com/blog/?p=1837

which means there's no argument here for using SSL on vodafone.

>> OAuth isn't a substitute for SSL, but it is a substitute for passwords
>
> Nuff said.

indeed. OSM doesn't need SSL for API traffic, it just needs a system
for secure authentication. and it has one in OAuth.

cheers,

matt

_______________________________________________
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk
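
Added example, not part of the original message and not OSM's code: a sketch of OAuth 1.0 HMAC-SHA1 request signing, showing a request altered in transit being rejected while the secrets never travel over the clear channel. The URL, keys, secrets and parameter values are constructed, and the URL is assumed to be already normalised with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; none of these come from the thread.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"
URL = "http://api.example.org/resource"
PARAMS = {
    "id": "42",
    "oauth_consumer_key": "consumer-key-example",
    "oauth_token": "token-example",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1261794300",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Method, URL and the sorted, encoded parameters all feed the signature.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def sign(method, url, params, consumer_secret=CONSUMER_SECRET, token_secret=TOKEN_SECRET):
    # The secrets form the HMAC key and are never sent with the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def server_accepts(method, url, params, signature):
    # The server recomputes the signature over what it actually received.
    return hmac.compare_digest(sign(method, url, params), signature)

def demo():
    signature = sign("PUT", URL, PARAMS)
    on_the_wire = f"PUT {URL} {PARAMS} oauth_signature={signature}"
    mangled = dict(PARAMS, id="43")  # a proxy rewrote one parameter en route
    return {
        "intact": server_accepts("PUT", URL, PARAMS, signature),
        "mangled": server_accepts("PUT", URL, mangled, signature),
        "secret_sent": TOKEN_SECRET in on_the_wire or CONSUMER_SECRET in on_the_wire,
    }

if __name__ == "__main__":
    print(demo())
```

Everything in `on_the_wire` stays readable to any proxy on the path; the signature only lets the server detect a change.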