
Re: credentials in memory

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 20 Nov 2022 23:24:26 +0100 (CET)

On Sun, 20 Nov 2022, Howard Chu via curl-library wrote:

>> Here are some possible mitigations we could implement in curl:
>
> Store sensitive keys in a dedicated mmap'd region, mprotect the region to remove
> read access whenever the key isn't actively being used.

As we want to support lots of systems without mmap, that would just be one
solution to how to protect credentials. I think that's the smaller problem.

The bigger work I think is to make sure that we properly limit the
scope/lifetimes so that we can encrypt/protect/clear credentials immediately
after use and only have them readable in memory as short a moment in time as
possible.

But: I don't see anyone stepping up to the challenge of actually making this
happen so this is all hypothetical for now.

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2022-11-20
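
The mitigation discussed in this thread (a dedicated mmap'd region that mprotect makes unreadable whenever the key is not in use, cleared on release), as an added example that is not from the mail or from curl. `secret_box`, `secret_fn` and the functions below are hypothetical names, and the code assumes a POSIX system with mmap/mprotect.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* MAP_ANONYMOUS and mlock on glibc */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
struct secret_box {                /* hypothetical type, not a libcurl one */
  unsigned char *page;             /* private mapping holding the secret */
  size_t maplen, len;              /* mapping size (whole pages), secret size */
};
typedef int (*secret_fn)(const unsigned char *key, size_t len, void *ctx);

/* Copy the secret into its own mapping, then remove all access to it. */
int secret_box_init(struct secret_box *b, const void *key, size_t len)
{
  size_t pg = (size_t)sysconf(_SC_PAGESIZE);
  b->len = len;
  b->maplen = (len / pg + 1) * pg;
  b->page = mmap(NULL, b->maplen, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if(b->page == MAP_FAILED) return -1;
  (void)mlock(b->page, b->maplen); /* best effort: keep it out of swap */
  memcpy(b->page, key, len);
  return mprotect(b->page, b->maplen, PROT_NONE);
}

/* Make the secret readable only for the duration of the callback. */
int secret_box_with(struct secret_box *b, secret_fn use, void *ctx)
{
  int rc;
  if(mprotect(b->page, b->maplen, PROT_READ)) return -1;
  rc = use(b->page, b->len, ctx);
  return mprotect(b->page, b->maplen, PROT_NONE) ? -1 : rc;
}

/* Zero the pages (volatile so the stores are not elided), then unmap. */
int secret_box_destroy(struct secret_box *b)
{
  volatile unsigned char *p = b->page;
  if(mprotect(b->page, b->maplen, PROT_READ | PROT_WRITE)) return -1;
  for(size_t i = 0; i < b->maplen; i++) p[i] = 0;
  return munmap(b->page, b->maplen);
}

/* Sample callback (demo only, not constant time): 1 if secret == ctx. */
int secret_equals(const unsigned char *key, size_t len, void *ctx)
{
  return len == strlen(ctx) && !memcmp(key, ctx, len);
}
```

The caller's own copy of the key still has to be cleared after `secret_box_init`, which is the scope/lifetime work the reply describes as the bigger job.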