Re: credentials in memory
From: Christian Schmitz via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 30 Sep 2022 10:25:08 +0200
> On 30.09.2022 at 09:43, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
>
> Hi,
>
> Is it worth doing something about?
>
Well, if you'd like to prevent picking passwords easily from memory dumps while a transaction is running, e.g. a longer download, you may just do a bit of XOR for the long term storage.
Like get a random 16-byte string at start and then XOR values with it.
This way you won't need a crypto library as a reference for a non-SSL-enabled curl.
On the other side, when our application passes a password to curl, it is still in some object property or even the text field of the GUI.
Best regards,
Christian
--
Read our blog about news on our plugins: http://www.mbsplugins.de/
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2022-09-30
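
The XOR masking described in the message above, as an added example (not code from the post or from curl): a random 16-byte mask is drawn once at start, credentials stay masked while stored and are unmasked only into a short-lived buffer. The names `mask_init`, `cred_store`, `cred_load`, `wipe` and the use of `/dev/urandom` are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MASK_LEN 16                       /* the "random 16 byte string" */
static unsigned char g_mask[MASK_LEN];    /* process-wide mask, set once at start */
struct masked_cred { unsigned char *data; size_t len; };  /* masked bytes may hold 0x00 */

/* Fill the mask from the OS RNG (assumes /dev/urandom). Returns 0 on success. */
int mask_init(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(g_mask, 1, MASK_LEN, f) : 0;
    if (f) fclose(f);
    return n == MASK_LEN ? 0 : -1;
}

/* Zero memory through a volatile pointer so the stores are not optimized away. */
void wipe(void *p, size_t len) {
    for (volatile unsigned char *v = p; len--; ) *v++ = 0;
}

/* XOR is its own inverse: the same call masks and unmasks. */
void xor_mask(unsigned char *dst, const unsigned char *src, size_t len) {
    for (size_t i = 0; i < len; i++) dst[i] = src[i] ^ g_mask[i % MASK_LEN];
}

/* Store a masked copy and clear the caller's plaintext buffer. */
int cred_store(struct masked_cred *c, char *plain) {
    c->len = strlen(plain);
    c->data = malloc(c->len + 1);
    if (!c->data) return -1;
    xor_mask(c->data, (unsigned char *)plain, c->len);
    wipe(plain, c->len);
    return 0;
}

/* Unmask into a caller buffer right before use; the caller wipes it afterwards. */
int cred_load(const struct masked_cred *c, char *out, size_t outsz) {
    if (outsz <= c->len) return -1;       /* need room for the terminator */
    xor_mask((unsigned char *)out, c->data, c->len);
    out[c->len] = '\0';
    return 0;
}

int main(void) {
    char pw[] = "constructed-pw", out[32];   /* constructed sample value */
    struct masked_cred c;
    if (mask_init() || cred_store(&c, pw) || cred_load(&c, out, sizeof out)) return 1;
    printf("plaintext cleared: %d, round trip: %s\n", pw[0] == 0, out);
    wipe(out, sizeof out); free(c.data);
    return 0;
}
```

The mask lives in the same process memory as the masked data, so this only keeps the password from appearing as a readable string in a dump, which is the goal stated in the message.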