
Re: curl protection for password at process memory

From: Daniel Gustafsson via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 30 Sep 2020 21:33:25 +0200

> On 30 Sep 2020, at 16:12, ⁨מעיין בן חיים via curl-library⁩ <⁨curl-library_at_cool.haxx.se⁩> wrote:

> As part of "defence in depth" strategy, I want to protect my process from core dump attacks.

If generating and reading a dump file is the attack vector, can you elaborate
on how you envision the defence to work? If the password is in some way
encrypted then curl must have an un-encrypted key somewhere, and we're back at
square one. Do you have an alternative strategy in mind?

> 2. Should I open/report a bug for this?

No, it's not a bug. What could be considered however is to spell this out in
the documentation.

cheers ./daniel
Received on 2020-09-30
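
An added example, not part of the original mail and not curl project code: since an in-process encrypted copy still needs its key in memory, the usual alternative is to ask the OS not to dump the process at all, which also covers the copies libcurl makes of strings passed to curl_easy_setopt(). It assumes Linux (prctl(2) is Linux-specific); the function names are hypothetical.

```c
/* Added example (not curl code). Linux only; function names are hypothetical. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Ask the kernel not to produce a core dump for this process.
 * Returns 0 on success, -1 if either call fails. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };   /* soft and hard core-size limit: 0 bytes */

    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;

    /* A core_pattern that pipes to a handler may not honour RLIMIT_CORE,
     * so also clear the dumpable flag. A non-dumpable process additionally
     * cannot be attached with ptrace(2) PTRACE_ATTACH by unprivileged callers. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;

    return 0;
}

/* Returns 1 if both protections are in effect, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit cur;
    int dumpable;

    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return -1;
    dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (dumpable < 0)
        return -1;
    return (cur.rlim_max == 0 && dumpable == 0) ? 1 : 0;
}

int main(void)
{
    /* Call this before any credential is read or handed to libcurl. */
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    return 0;
}
```

This does not protect against a privileged user reading the process memory directly, and the dumpable flag is reset by execve(2), so a child program has to set it again.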