> The "encryption" then wouldn't have to be complicated and could use a randomly
> generated "key", probably created when the handle is created.

That looks reasonable. A random key is harder to find in any memory dump. Especially if not base64-encoded or something like that.

> Of course, since the passwords are passed in to libcurl from applications,
> this dance is less effective if they then keep the credentials around in the
> clear in memory anyway, but I think maybe they typically keep them around for
> a shorter time in general.

Yep, but what the application does is not our concern. If curl / libcurl can be made "safe", it's only to its advantage. Whether the application takes advantage of that or not is their problem.

> Thoughts? Pointless? Improvements?

I'd still put it behind a CURLOPT for the sake of all low-powered devices that cannot really afford any additional load due to encryption.
