Re: credentials in memory

2022-11-20 Thread Daniel Stenberg via curl-library
On Sun, 20 Nov 2022, Howard Chu via curl-library wrote: Here are some possible mitigations we could implement in curl: Store sensitive keys in a dedicated mmap'd region, mprotect the region to remove read access whenever the key isn't actively being used. As we want to support lots of

Re: credentials in memory

2022-11-20 Thread Howard Chu via curl-library
Dan Fandrich via curl-library wrote: > However, if the attacker somehow only has access to the memory and not the rest of the process' assets (case 2.), then use of a hardware security device can protect the keys from directly being stolen. But, there will be some times that curl needs >

Re: credentials in memory

2022-11-19 Thread Dan Fandrich via curl-library
On Fri, Sep 30, 2022 at 09:43:39AM +0200, Daniel Stenberg via curl-library wrote: > libcurl holds credentials (passwords for servers and proxies) in memory in clear text, potentially for a long time. If something goes wrong and that memory is accessed by an external party, things would be bad.

Re: credentials in memory

2022-09-30 Thread Howard Chu via curl-library
Daniel Stenberg via curl-library wrote: > Hi, > > I bring back an old discussion as I think it might be worth having it again. > > libcurl holds credentials (passwords for servers and proxies) in memory in clear text, potentially for a long time. If something goes wrong and that memory is >

Re: credentials in memory

2022-09-30 Thread Ville Likitalo via curl-library
On Fri, Sep 30, 2022 at 01:49:40PM +0200, Stefan Eissing via curl-library wrote: > > > > On 30.09.2022 at 13:41, Daniel Stenberg wrote: > > > > On Fri, 30 Sep 2022, Stefan Eissing wrote: > > > >> I know of three patterns to solve this problem (and increase usability as a side

Re: credentials in memory

2022-09-30 Thread Stefan Eissing via curl-library
> On 30.09.2022 at 13:49, Stefan Eissing via curl-library wrote: > > > >> On 30.09.2022 at 13:41, Daniel Stenberg wrote: >> >> On Fri, 30 Sep 2022, Stefan Eissing wrote: >> >>> I know of three patterns to solve this problem (and increase usability as a side effect): >> >>

Re: credentials in memory

2022-09-30 Thread Stefan Eissing via curl-library
> On 30.09.2022 at 13:41, Daniel Stenberg wrote: > > On Fri, 30 Sep 2022, Stefan Eissing wrote: > >> I know of three patterns to solve this problem (and increase usability as a side effect): > > Those methods transfer the data to another process, and that is certainly even more

Re: credentials in memory

2022-09-30 Thread Daniel Stenberg via curl-library
On Fri, 30 Sep 2022, Stefan Eissing wrote: I know of three patterns to solve this problem (and increase usability as a side effect): Those methods transfer the data to another process, and that is certainly even more safe since then the sensitive data is not even present in the heap of the

Re: credentials in memory

2022-09-30 Thread Daniel Stenberg via curl-library
On Fri, 30 Sep 2022, David Woodhouse wrote: Don't forget to ensure that all *transitional* storage is securely wiped, including request buffers in which the password has been (decrypted and) sent. The buffers we use for transport are all used temporarily and are never kept around for long

Re: credentials in memory

2022-09-30 Thread David Woodhouse via curl-library
On Fri, 2022-09-30 at 09:43 +0200, Daniel Stenberg via curl-library wrote: > Hi, > > I bring back an old discussion as I think it might be worth having it again. > > libcurl holds credentials (passwords for servers and proxies) in memory in clear text, potentially for a long time. If something

Re: credentials in memory

2022-09-30 Thread Christian Schmitz via curl-library
> On 30.09.2022 at 09:43, Daniel Stenberg via curl-library wrote: > > Hi, > > Is it worth doing something about? > Well, if you like to prevent picking passwords easily from memory dumps while a transaction is running, e.g. longer download, you may just do a bit of xor for the long

Re: credentials in memory

2022-09-30 Thread Zakrzewski, Jakub via curl-library
> The "encryption" then wouldn't have to be complicated and could use a randomly generated "key", probably created when the handle is created. That looks reasonable. A random key is harder to find in any memory dump. Especially if not base64-encoded or something like that. > Of course, since

Re: credentials in memory

2022-09-30 Thread James Fuller via curl-library
On Fri, 30 Sept 2022 at 10:12, Stefan Eissing via curl-library wrote: > > > > > On 30.09.2022 at 09:43, Daniel Stenberg via curl-library wrote: > > > > Hi, > > > > I bring back an old discussion as I think it might be worth having it again. > > > > libcurl holds credentials (passwords for

Re: credentials in memory

2022-09-30 Thread Stefan Eissing via curl-library
> On 30.09.2022 at 09:43, Daniel Stenberg via curl-library wrote: > > Hi, > > I bring back an old discussion as I think it might be worth having it again. > > libcurl holds credentials (passwords for servers and proxies) in memory in clear text, potentially for a long time. If

credentials in memory

2022-09-30 Thread Daniel Stenberg via curl-library
Hi, I bring back an old discussion as I think it might be worth having it again. libcurl holds credentials (passwords for servers and proxies) in memory in clear text, potentially for a long time. If something goes wrong and that memory is accessed by an external party, things would be bad.