Is it insecure to send a password in a `curl` command?Self-signed certificates and internal cURL requestsPHP get_file_contents & curlIs it safe to use .netrc files to store credentials for tools like curl or ftp?Is it possible to send a cURL request with SSL without the private key?Are there risks to allowing cURL from my machine?Unable to utilise curl commands on websiteExtra secure layer to cURL callsHow curl provided source code that the browser did not?Leveraging curl to spawn a shellCan cURL block a rogue CA?

PTIJ: Why do we blow Shofar on Rosh Hashana and use a Lulav on Sukkos?

Help rendering a complicated sum/product formula

HP P840 HDD RAID 5 many strange drive failures

gerund and noun applications

Why are there no stars visible in cislunar space?

What exactly term 'companion plants' means?

If "dar" means "to give", what does "daros" mean?

Light propagating through a sound wave

I got the following comment from a reputed math journal. What does it mean?

In Aliens, how many people were on LV-426 before the Marines arrived​?

Why is there so much iron?

Variable completely messes up echoed string

What does "^L" mean in C?

Writing in a Christian voice

What does "Four-F." mean?

How is the partial sum of a geometric sequence calculated?

Print last inputted byte

Brake pads destroying wheels

Describing a chess game in a novel

Hausdorff dimension of the boundary of fibres of Lipschitz maps

How can an organ that provides biological immortality be unable to regenerate?

Using Past-Perfect interchangeably with the Past Continuous

What is the significance behind "40 days" that often appears in the Bible?

Generic TVP tradeoffs?



Is it insecure to send a password in a `curl` command?


Self-signed certificates and internal cURL requestsPHP get_file_contents & curlIs it safe to use .netrc files to store credentials for tools like curl or ftp?Is it possible to send a cURL request with SSL without the private key?Are there risks to allowing cURL from my machine?Unable to utilise curl commands on websiteExtra secure layer to cURL callsHow curl provided source code that the browser did not?Leveraging curl to spawn a shellCan cURL block a rogue CA?













20















Here’s an example request we can make to the GitHub API:



curl 'https://api.github.com/authorizations' --user "USERNAME"


This will prompt for the account password, to continue:



Enter host password for user 'USERNAME':


If we don’t want to get the prompt, we can provide the password at the same time as the username:



curl 'https://api.github.com/authorizations' --user "USERNAME:PASSWORD"


But is this method less secure? Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?






macosx curl







share|improve this question


























    20















    Here’s an example request we can make to the GitHub API:



    curl 'https://api.github.com/authorizations' --user "USERNAME"


    This will prompt for the account password, to continue:



    Enter host password for user 'USERNAME':


    If we don’t want to get the prompt, we can provide the password at the same time as the username:



    curl 'https://api.github.com/authorizations' --user "USERNAME:PASSWORD"


    But is this method less secure? Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?






    macosx curl







    share|improve this question
























      20












      20








      20


      3






      Here’s an example request we can make to the GitHub API:



      curl 'https://api.github.com/authorizations' --user "USERNAME"


      This will prompt for the account password, to continue:



      Enter host password for user 'USERNAME':


      If we don’t want to get the prompt, we can provide the password at the same time as the username:



      curl 'https://api.github.com/authorizations' --user "USERNAME:PASSWORD"


      But is this method less secure? Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?






      macosx curl







      share|improve this question














      Here’s an example request we can make to the GitHub API:



      curl 'https://api.github.com/authorizations' --user "USERNAME"


      This will prompt for the account password, to continue:



      Enter host password for user 'USERNAME':


      If we don’t want to get the prompt, we can provide the password at the same time as the username:



      curl 'https://api.github.com/authorizations' --user "USERNAME:PASSWORD"


      But is this method less secure? Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?






      macosx curl




      macosx curl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 2 days ago









      user137369user137369

      24017




      24017




















          3 Answers
          3






          active

          oldest

          votes


















          45














          Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.



          Locally this might be less secure, because:



          • The password gets saved to the command history (~/.bash_history) as a part of the command, but this can be avoided by adding a space in front of the command before running it.

          • On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.

          • Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.





          share|improve this answer




















          • 22





            And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

            – dave_thompson_085
            yesterday






          • 1





            Then you must keep the script in a safe place. I'd recommend 700 permissions.

            – Esa Jokinen
            yesterday






          • 4





            to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

            – Anticom
            yesterday






          • 7





            This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

            – Stephen Touset
            yesterday






          • 1





            @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

            – Wildcard
            yesterday



















          5














          No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted.



          But as @Esa mentioned it is insecure locally. You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following,



          TCPDUMP



          [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst port 443 -XX


          TSHARK



          [root@arif]# tshark -O tls -f "tcp port 443" -f "ip src 192.168.1.1" -x





          share|improve this answer
































            3














            The best way to protect from local users is to use a ".netrc" file; the curl man page should have details and at least, if I recall, an example.






            share|improve this answer






















              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "162"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205479%2fis-it-insecure-to-send-a-password-in-a-curl-command%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              45














              Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.



              Locally this might be less secure, because:



              • The password gets saved to the command history (~/.bash_history) as a part of the command, but this can be avoided by adding a space in front of the command before running it.

              • On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.

              • Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.





              share|improve this answer




















              • 22





                And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

                – dave_thompson_085
                yesterday






              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                yesterday






              • 4





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                yesterday






              • 7





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                yesterday






              • 1





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                yesterday
















              45














              Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.



              Locally this might be less secure, because:



              • The password gets saved to the command history (~/.bash_history) as a part of the command, but this can be avoided by adding a space in front of the command before running it.

              • On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.

              • Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.





              share|improve this answer




















              • 22





                And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

                – dave_thompson_085
                yesterday






              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                yesterday






              • 4





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                yesterday






              • 7





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                yesterday






              • 1





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                yesterday














              45












              45








              45







              Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.



              Locally this might be less secure, because:



              • The password gets saved to the command history (~/.bash_history) as a part of the command, but this can be avoided by adding a space in front of the command before running it.

              • On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.

              • Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.





              share|improve this answer















              Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.



              Locally this might be less secure, because:



              • The password gets saved to the command history (~/.bash_history) as a part of the command, but this can be avoided by adding a space in front of the command before running it.

              • On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.

              • Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.






              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited yesterday

























              answered yesterday









              Esa JokinenEsa Jokinen

              2,9741119




              2,9741119







              • 22





                And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

                – dave_thompson_085
                yesterday






              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                yesterday






              • 4





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                yesterday






              • 7





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                yesterday






              • 1





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                yesterday













              • 22





                And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

                – dave_thompson_085
                yesterday






              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                yesterday






              • 4





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                yesterday






              • 7





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                yesterday






              • 1





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                yesterday








              22




              22





              And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

              – dave_thompson_085
              yesterday





              And if on a shared system, it will usually be visible to others in ps and top and such, or by reading /proc/$pid/cmdline

              – dave_thompson_085
              yesterday




              1




              1





              Then you must keep the script in a safe place. I'd recommend 700 permissions.

              – Esa Jokinen
              yesterday





              Then you must keep the script in a safe place. I'd recommend 700 permissions.

              – Esa Jokinen
              yesterday




              4




              4





              to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

              – Anticom
              yesterday





              to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

              – Anticom
              yesterday




              7




              7





              This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

              – Stephen Touset
              yesterday





              This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

              – Stephen Touset
              yesterday




              1




              1





              @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

              – Wildcard
              yesterday






              @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

              – Wildcard
              yesterday














              5














              No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted.



              But as @Esa mentioned it is insecure locally. You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following,



              TCPDUMP



              [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst port 443 -XX


              TSHARK



              [root@arif]# tshark -O tls -f "tcp port 443" -f "ip src 192.168.1.1" -x





              share|improve this answer





























                5














                No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted.



                But as @Esa mentioned it is insecure locally. You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following,



                TCPDUMP



                [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst port 443 -XX


                TSHARK



                [root@arif]# tshark -O tls -f "tcp port 443" -f "ip src 192.168.1.1" -x





                share|improve this answer



























                  5












                  5








                  5







                  No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted.



                  But as @Esa mentioned it is insecure locally. You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following,



                  TCPDUMP



                  [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst port 443 -XX


                  TSHARK



                  [root@arif]# tshark -O tls -f "tcp port 443" -f "ip src 192.168.1.1" -x





                  share|improve this answer















                  No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted.



                  But as @Esa mentioned it is insecure locally. You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following,



                  TCPDUMP



                  [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst port 443 -XX


                  TSHARK



                  [root@arif]# tshark -O tls -f "tcp port 443" -f "ip src 192.168.1.1" -x






                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited yesterday

























                  answered yesterday









                  MuhammadMuhammad

                  725718




                  725718





















                      3














                      The best way to protect from local users is to use a ".netrc" file; the curl man page should have details and at least, if I recall, an example.






                      share|improve this answer



























                        3














                        The best way to protect from local users is to use a ".netrc" file; the curl man page should have details and at least, if I recall, an example.






                        share|improve this answer

























                          3












                          3








                          3







                          The best way to protect from local users is to use a ".netrc" file; the curl man page should have details and at least, if I recall, an example.






                          share|improve this answer













                          The best way to protect from local users is to use a ".netrc" file; the curl man page should have details and at least, if I recall, an example.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered yesterday









                          sitaramsitaram

                          792




                          792



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Information Security Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205479%2fis-it-insecure-to-send-a-password-in-a-curl-command%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              -

                              Popular posts from this blog

                              Adding axes to figuresAdding axes labels to LaTeX figuresLaTeX equivalent of ConTeXt buffersRotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?TikZ scaling graphic and adjust node position and keep font sizeNumerical conditional within tikz keys?adding axes to shapesAlign axes across subfiguresAdding figures with a certain orderLine up nested tikz enviroments or how to get rid of themAdding axes labels to LaTeX figures

                              Image
                              Fear of getting stuck on one programming language / technology that is not used in my country Is there a single word describing earning money through any means? Why do we read the Megillah by night and by day? Pre-mixing cryogenic fuels and using only one fuel tank Is the U.S. Code copyrighted by the Government? Should I outline or discovery write my stories? What is this called? Old film camera viewer? Does the expansion of the universe explain why the universe doesn't collapse? Removing files under particular conditions (number of files, file age) Argument list too long when zipping large list of certain files in a folder When a Cleric spontaneously casts a Cure Light Wounds spell, will a Pearl of Power recover the original spell or Cure Light Wounds? Non-trope happy ending? Is it better practice to read straight from sheet music rather than memorize it? Do Legal Documents Require Signing In Standard Pen Colors? Does an advisor owe his/her student anyt
                              Read more

                              Tähtien Talli Jäsenet | Lähteet | NavigointivalikkoSuomen Hippos – Tähtien Talli

                              Image
                              RaviurheiluUrheilun kunniagalleriat Suomen HippoksenravihevostenLämminverisiäsuomenhevosiaSuomen raviurheilunBrad de Veluwe Tähtien Talli on vuonna 1995 perustettu Suomen Hippoksen ylläpitämä suomalaisten ravihevosten kunniagalleria. Tähtien Tallissa on toistaiseksi yhteensä 20 hevosta. Lämminverisiä galleriassa on kymmenen ja suomenhevosia kymmenen. Ulkomailla syntyneitä hevosia on mukana kolme. Vaikka Suomen raviurheilun perinteet ulottuvat jo 1800-luvun puolelle, painottuvat Tähtien Tallien valinnat viimeisten 20-30 vuoden aikana kilpailleisiin hevosiin. Viimeisin kunnianosoituksen saanut hevonen on Brad de Veluwe joka liitettiin Tähtien Talliin vuoden 2015 Ravigaalassa. Jäsenet | Reipas vuoden 1958 Kuninkuusraveissa Lahdessa. Passionate Kemp lämminveristen Suomen mestaruuden voittoloimi yllään. Hevonen Kilpailuvuodet Kasvattaja Valinta- vuosi Charme Asserdal 1975–1981 Erik Andersson 1995 Friendly Face 1986–1990 Robert M Mumma Estate 1995 Keystone Patriot 1980–1986 Max C. He
                              Read more

                              Do these cracks on my tires look bad? The Next CEO of Stack OverflowDry rot tire should I replace?Having to replace tiresFishtailed so easily? Bad tires? ABS?Filling the tires with something other than air, to avoid puncture hassles?Used Michelin tires safe to install?Do these tyre cracks necessitate replacement?Rumbling noise: tires or mechanicalIs it possible to fix noisy feathered tires?Are bad winter tires still better than summer tires in winter?Torque converter failure - Related to replacing only 2 tires?Why use snow tires on all 4 wheels on 2-wheel-drive cars?

                              Image
                              Small nick on power cord from an electric alarm clock, and copper wiring exposed but intact Why do we say “un seul M” and not “une seule M” even though M is a “consonne”? Read/write a pipe-delimited file line by line with some simple text manipulation Free fall ellipse or parabola? Why did the Drakh emissary look so blurred in S04:E11 "Lines of Communication"? A hang glider, sudden unexpected lift to 25,000 feet altitude, what could do this? Planeswalker Ability and Death Timing Which acid/base does a strong base/acid react when added to a buffer solution? Is the 21st century's idea of "freedom of speech" based on precedent? Shortening a title without changing its meaning Man transported from Alternate World into ours by a Neutrino Detector Is it reasonable to ask other researchers to send me their previous grant applications? Find a path from s to t using as few red nodes as possible What difference does it make matching a word with/wi
                              Read more