The page that allows people to sign up to be OSM live recipients (http://osmand.net/osm_live) asks for OSM user name and password and then transmits it in an unencrypted HTTP post back to osmand.net servers.
This is completely unacceptable.
At the very least the form post should be happening via HTTPS. I can't even use HTTPS if I try because the certificate is self-signed and the SSL virtual host is not configured so all I get is a 404 anyway.
However the real solution is to use OAuth and not ask for people's passwords at all.
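As an added illustration (not code from the reporter or from the OsmAnd project), here is a small Python check a site owner can run over their own page markup to catch exactly the problem described above: a form that carries a password field but would submit it over plain HTTP. The sample markup and the `/subscribe` path are constructed placeholders, not osmand.net's real HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects every <form> on a page with the types of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_credential_forms(page_url, html):
    """Return the resolved action URLs of forms that hold a password field but
    would submit it to a non-HTTPS URL. A relative action inherits the page's
    scheme, so an http:// page with action="/x" is flagged too."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if "password" not in form["inputs"]:
            continue
        target = urljoin(page_url, form["action"])  # "" means post back to page_url
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample modelled on the sign-up form described in the report;
# the markup and the /subscribe path are placeholders, not the real page.
SAMPLE_PAGE_URL = "http://osmand.net/osm_live"
SAMPLE_HTML = """<form action="/subscribe" method="post">
  <input type="text" name="osm_user"><input type="password" name="osm_pwd">
  <input type="submit"></form>"""

if __name__ == "__main__":
    for url in cleartext_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form submits over cleartext:", url)
```

Serving the page over HTTPS alone is not enough: an absolute `http://` action on an HTTPS page is still flagged, because the browser will send the password in the clear regardless of how the page itself was delivered.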