
Re: credentials in memory

From: Zakrzewski, Jakub via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 30 Sep 2022 08:19:55 +0000

> The "encryption" then wouldn't have to be complicated and could use a randomly
> generated "key", probably created when the handle is created.

That looks reasonable. A random key is harder to find in any memory dump. Especially if not base64-encoded or something like that.

> Of course, since the passwords are passed in to libcurl from applications,
> this dance is less effective if they then keep the credentials around in the
> clear in memory anyway, but I think maybe they typically keep them around for
> a shorter time in general.

Yep, but what the application does is not our concern. If curl / libcurl can be made "safe",
it's only to its advantage. Whether the application takes advantage of that or not is their problem.

> Thoughts? Pointless? Improvements?

I'd still put it behind a CURLOPT for the sake of all low-powered devices that cannot really afford
any additional load due to encryption.



Received on 2022-09-30
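
An added example, not part of the original mail and not libcurl code: a sketch of the scheme discussed in the thread, where a random key is generated when a handle is created and the credential is kept only XOR-masked with it. `struct masked_cred`, `wipe` and the `cred_*` functions are hypothetical names, the sample password is constructed, and `/dev/urandom` is assumed as the random source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for one credential; not a libcurl structure. */
struct masked_cred {
  unsigned char key[32]; /* random, made when the "handle" is created */
  unsigned char *data;   /* credential XORed with key, never cleartext */
  size_t len;
};
/* Zero through a volatile pointer so the stores are not optimized away. */
static void wipe(void *p, size_t n) {
  volatile unsigned char *v = p;
  while(n--) *v++ = 0;
}
void cred_cleanup(struct masked_cred *c) { /* drops masked copy and key */
  if(c->data) { wipe(c->data, c->len); free(c->data); }
  wipe(c, sizeof(*c));
}
/* Fill the key from the OS random source (assumes /dev/urandom exists). */
int cred_init(struct masked_cred *c) {
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got = 0;
  memset(c, 0, sizeof(*c));
  if(f) { got = fread(c->key, 1, sizeof(c->key), f); fclose(f); }
  return got == sizeof(c->key) ? 0 : -1;
}
/* Keep only the masked form of the secret the application passed in. */
int cred_store(struct masked_cred *c, const char *secret) {
  size_t n = strlen(secret);
  unsigned char *buf = malloc(n + 1); /* +1 avoids malloc(0) */
  if(!buf) return -1;
  for(size_t i = 0; i < n; i++) buf[i] = (unsigned char)(secret[i] ^ c->key[i % sizeof(c->key)]);
  if(c->data) { wipe(c->data, c->len); free(c->data); }
  c->data = buf; c->len = n;
  return 0;
}
/* Unmask into a caller buffer just before use; the caller wipes it after. */
int cred_reveal(const struct masked_cred *c, char *out, size_t outlen) {
  if(!c->data || outlen < c->len + 1) return -1;
  for(size_t i = 0; i < c->len; i++) out[i] = (char)(c->data[i] ^ c->key[i % sizeof(c->key)]);
  out[c->len] = '\0';
  return 0;
}
int main(void) {
  struct masked_cred c; char tmp[64];
  if(cred_init(&c) || cred_store(&c, "constructed-pass")) return 1;
  if(!cred_reveal(&c, tmp, sizeof(tmp))) puts("credential unmasked for use");
  wipe(tmp, sizeof(tmp)); cred_cleanup(&c); return 0;
}
```

The masking keeps the cleartext string out of a plain scan of a memory dump; the key lives in the same process, so this is obfuscation rather than confidentiality.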