Re: credentials in memory
From: Zakrzewski, Jakub via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 30 Sep 2022 08:19:55 +0000
> The "encryption" then wouldn't have to be complicated and could use a randomly
> generated "key", probably created when the handle is created.
That looks reasonable. A random key is harder to find in any memory dump, especially if not base64-encoded or something like that.
> Of course, since the passwords are passed in to libcurl from applications,
> this dance is less effective if they then keep the credentials around in the
> clear in memory anyway, but I think maybe they typically keep them around for
> a shorter time in general.
Yep, but what the application does is not our concern. If curl / libcurl can be made "safe",
it's only to its advantage. Whether the application takes advantage of that or not is their problem.
> Thoughts? Pointless? Improvements?
I'd still put it behind a CURLOPT for the sake of all low-powered devices that cannot really afford
any additional load due to encryption.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2022-09-30
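The scheme discussed in this message, as an added example that is not part of the original post and is not libcurl code: a handle draws a random key when it is created, keeps only an XOR-masked copy of the password, and unmasks it into a caller buffer at the moment of use. The `demo_*` names and `struct demo_handle` are hypothetical, and a POSIX `/dev/urandom` is assumed as the key source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KEYLEN 32
struct demo_handle {         /* hypothetical; not libcurl's own structure */
  unsigned char key[KEYLEN]; /* random, drawn once when the handle is made */
  unsigned char *masked;     /* password XORed with the repeating key */
  size_t len;
};
/* Zero memory through a volatile pointer so the stores are not elided. */
static void wipe(void *p, size_t n) {
  for(volatile unsigned char *v = p; n--; v++) *v = 0;
}
/* XOR is its own inverse: the same routine masks and unmasks. */
static void xor_key(const struct demo_handle *h, unsigned char *dst,
                    const unsigned char *src, size_t n) {
  for(size_t i = 0; i < n; i++) dst[i] = src[i] ^ h->key[i % KEYLEN];
}
/* Assumes a POSIX system with /dev/urandom as the key source. */
static struct demo_handle *demo_init(void) {
  struct demo_handle *h = calloc(1, sizeof(*h));
  FILE *f = h ? fopen("/dev/urandom", "rb") : NULL;
  int ok = f && fread(h->key, 1, KEYLEN, f) == KEYLEN;
  if(f) fclose(f);
  if(!ok) { free(h); return NULL; }
  return h;
}
/* Store only the masked copy; wipe any previous one first. */
static int demo_set_password(struct demo_handle *h, const char *pw) {
  size_t n = strlen(pw);
  unsigned char *m = malloc(n + 1);
  if(!m) return -1;
  xor_key(h, m, (const unsigned char *)pw, n);
  if(h->masked) { wipe(h->masked, h->len); free(h->masked); }
  h->masked = m; h->len = n;
  return 0;
}
/* Unmask into a caller buffer just before use; the caller wipes it after. */
static int demo_get_password(const struct demo_handle *h, char *out, size_t sz) {
  if(!h->masked || sz < h->len + 1) return -1;
  xor_key(h, (unsigned char *)out, h->masked, h->len);
  out[h->len] = '\0';
  return 0;
}
static void demo_cleanup(struct demo_handle *h) {
  if(h->masked) { wipe(h->masked, h->len); free(h->masked); }
  wipe(h, sizeof(*h)); /* the key must not outlive the handle */
  free(h);
}
```

The key lives in the same process memory as the masked bytes, so this keeps the plaintext out of a string search over a dump but does not stop someone who can read the handle. A password longer than `KEYLEN` reuses key bytes, which is acceptable only for this kind of obfuscation.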