curl-library
Re: post-ing a user:password
Date: Wed, 4 Aug 2004 11:38:23 -0700
On Wed, Aug 04, 2004 at 11:43:07AM -0500, Rashid Butte wrote:
> Hi,
>
> I'm currently using:
>
> curl_easy_setopt(curl, CURLOPT_POSTFIELDS, POSTFIELDS);
>
> where POSTFIELDS is a #define that contains user, password, and a bunch of
> other stuff.
>
> It works fine. My problem is that the user:password data is visible in the
> .exe -- it's not encrypted.
>
> Are there any standard ways to encrypt or obfuscate a password that is part of
> the d data fields?
>
> I'm thinking there must be a way to encrypt the data, put it in a file, and
> read that file at runtime, decrypt, and substitute into the POST.
>
> Has anyone done anything like this?

It sounds like you're most concerned about the plaintext password in the
executable and not about the password being sent in plaintext across the
network. If that's true, then your approach will work. However, it's
impossible to keep the password completely secure in this way--all you can
do is defeat a casual user using 'strings' on your binary.

Take a look at the man page for EVP_EncryptInit(3), which is
part of the openssl library, to start with. You should be able to use the
openssl(1) command-line tool to encrypt your file, which will be loaded
then decrypted in your app before being passed in to CURLOPT_POSTFIELDS.

Using a secure encryption algorithm really is overkill, since anyone can
disassemble your app to find the fixed decryption key, or fake the server and
have the app send you the data in plaintext; you're almost as secure
(insecure) using something simpleminded like memfrob(3). openssl is nice,
though, because you get a command-line tool that's useful for debugging
and encrypting your data.

>>> Dan
-- 
http://www.MoveAnnouncer.com    The web change of address service
Let webmasters know that your web site has moved

Received on 2004-08-04
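
An added example, not part of the original post: the memfrob(3)-style obfuscation the reply mentions, with a check showing what it does and does not protect against. The byte blob, the sample credentials and every function name are constructed for illustration; the XOR-with-42 loop stands in for memfrob(3) so the code builds without glibc.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: "user=...&password=..." POST fields XORed with 42
   offline, so the plaintext never appears in the compiled binary. */
static const unsigned char BLOB[] = {
    0x5f,0x59,0x4f,0x58,0x17,0x4b,0x46,0x43,0x49,0x4f,0x0c,0x5a,0x4b,0x59,
    0x59,0x5d,0x45,0x58,0x4e,0x17,0x4f,0x52,0x4b,0x47,0x5a,0x46,0x4f };

/* Same transform as glibc memfrob(3): XOR each byte with 42 (self-inverse). */
static void frob(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] ^= 42;
}

/* 1 if needle occurs in the raw bytes: what strings(1) | grep would hit. */
static int blob_contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Decode into a caller buffer at runtime; returns length, or 0 if too small. */
static size_t load_postfields(char *out, size_t cap) {
    if (cap < sizeof BLOB + 1) return 0;
    memcpy(out, BLOB, sizeof BLOB);
    frob((unsigned char *)out, sizeof BLOB);
    out[sizeof BLOB] = '\0';
    return sizeof BLOB;
}

/* Clear the plaintext after use; volatile keeps the stores from being elided. */
static void wipe(char *buf, size_t n) {
    volatile char *p = buf;
    while (n--) *p++ = 0;
}

int main(void) {
    char fields[64];
    size_t n = load_postfields(fields, sizeof fields);
    printf("stored blob contains \"password=\": %d\n",
           blob_contains(BLOB, sizeof BLOB, "password="));
    printf("decoded buffer contains it:      %d\n",
           blob_contains((unsigned char *)fields, n, "password="));
    /* Here the app would pass `fields` to CURLOPT_POSTFIELDS. libcurl does
       not copy that buffer, so wipe only after the transfer has finished. */
    wipe(fields, sizeof fields);
    return 0;
}
```

The stored bytes no longer match a search for the field names, but the decode step is a single fixed loop shipped in the same binary, which is the limit the reply describes.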