Is it insecure to send a password in a `curl` command?
Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.

Locally this might be less secure, because:

- The password gets saved to the command history (`~/.bash_history`) as a part of the command. Note: This can be avoided by adding a space in front of the command before running it (provided you have the setting
- On a shared system, it will usually be visible to others in `top` and such, or by reading `/proc/$pid/cmdline`, for as long as the command is running.
- Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.

> But is this method less secure?

No, it is not if you use `https`. When you use HTTPS your complete transaction will be encrypted. But as @Esa mentioned, it is insecure locally, which you can avoid by adding a space before your command so that the command will not be in your command history. If you are worried about exposing the command to other users' `ps`, then hardening `/proc` would help you with that. Follow the link to enable hidepid.

> Does `curl` send all the data at once, or does it first set up a secure connection, and only then send the

`curl` doesn't send all the data at once. Like other clients, `curl` will initiate the SSL handshake before passing any data.

You can inspect how your data is transferred with Wireshark like the following (after running `tcpdump`/`tshark`, run the

```
[root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX
```

- `-i`: for listening on a specific interface, which in this case is `eth0`.
- `src host`: specifying the source
- `dst host`: specifying the destination
- `port`: specifying the port, `443`, which is the default for `SSL` connections. You can change it according to your requirement.
- `-XX`: for showing the header, packet contents and link-level header in HEX and ASCII.

You will start to see gibberish contents after a few packets. You also can `grep` your password from the packets with the following command:

```
[root@arif]# tcpdump -li eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX | grep 'password'
```

If your password shows up there then your password did not get encrypted before transmission. Otherwise, you are okay.

```
[root@arif]# tshark -O tls "ip src 192.168.1.1 and ip dst 192.168.1.2" -x
```

- `-O`: for mentioning the protocol.
- `-x`: for seeing packet contents.

`grep` your password with the above command too.
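One caveat for the `| grep 'password'` check above: `tcpdump -XX` prints 16 bytes per line, so a password that straddles two dump lines is never on one line and the grep reports nothing even though it was sent in the clear. The helper below is an added example, not code from the answer above; it reassembles the ASCII column of `tcpdump -XX` output per packet before searching. The capture text inside `sample_dump` is constructed by hand (a plaintext HTTP POST to port 80 whose `pass=hunter2` spans two dump lines, then one TLS record to port 443), not a real trace.

```shell
#!/bin/sh
# Added example, not from the original answer. Reassembles the ASCII column of
# `tcpdump -XX` output per packet so that a secret split across two 16-byte
# hex-dump lines is still found. The capture below is constructed by hand.

# Constructed `tcpdump -XX` output: one plaintext HTTP POST to port 80 whose
# payload contains "pass=hunter2" split across two dump lines, followed by one
# TLS application-data record to port 443 (its ASCII column is only dots).
sample_dump() {
cat <<'EOF'
12:00:00.000001 IP 192.168.1.1.51234 > 192.168.1.2.80: Flags [P.], seq 1:48, ack 1, win 502, length 47
        0x0000:  0800 2700 0001 0800 27ab cdef 0800 4500  ..'.....'.....E.
        0x0010:  0057 1234 4000 4006 0000 c0a8 0101 c0a8  .W.4@.@.........
        0x0020:  0102 c822 0050 0000 0001 0000 0001 5018  ...".P........P.
        0x0030:  01f6 0000 0000 504f 5354 202f 6c6f 6769  ......POST./logi
        0x0040:  6e20 4854 5450 2f31 2e31 0d0a 0d0a 7573  n.HTTP/1.1....us
        0x0050:  6572 3d62 6f62 2670 6173 733d 6875 6e74  er=bob&pass=hunt
        0x0060:  6572 320d 0a                             er2..
12:00:00.000002 IP 192.168.1.1.51235 > 192.168.1.2.443: Flags [P.], seq 1:6, ack 1, win 502, length 5
        0x0000:  0800 2700 0001 0800 27ab cdef 0800 4500  ..'.....'.....E.
        0x0010:  002d 1235 4000 4006 0000 c0a8 0101 c0a8  .-.5@.@.........
        0x0020:  0102 c823 01bb 0000 0001 0000 0001 5018  ...#..........P.
        0x0030:  01f6 0000 0000 1703 0300 0a              ...........
EOF
}

# Print one line per packet holding the concatenated ASCII column of its hex
# dump lines. tcpdump renders every non-graphic byte (space included) as '.',
# so the ASCII column never contains spaces and is simply awk's last field.
# A line that is not a hex line (the packet header) starts a new packet.
dump_ascii_per_packet() {
    awk '
        /^[[:space:]]*0x[0-9a-fA-F]+:/ { buf = buf $NF; next }
        NF                             { if (buf != "") print buf; buf = "" }
        END                            { if (buf != "") print buf }
    '
}

# Line-by-line search, as in the answer's "| grep 'password'". Misses a
# secret whose bytes fall on two different dump lines.
secret_in_dump_naive() {
    grep -qF -- "$1"
}

# Per-packet search over the reassembled ASCII text. A secret split across
# two TCP segments is still missed; merge all packet lines first for that.
secret_in_dump() {
    dump_ascii_per_packet | grep -qF -- "$1"
}

# Demo: the plaintext POST leaks the secret, but only the reassembled search sees it.
if sample_dump | secret_in_dump hunter2; then
    echo "hunter2 found in the plaintext packet (reassembled ASCII column)"
fi
if ! sample_dump | secret_in_dump_naive hunter2; then
    echo "line-by-line grep missed it: the secret spans two dump lines"
fi
```

Run it with a real capture by replacing `sample_dump` with `tcpdump -r capture.pcap -XX` (or the live command from the answer); an empty result from `secret_in_dump` on the TLS port is what you expect when the request really was encrypted before it left the host.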

The best way to protect from local users is to use a `.netrc` file. The `curl` man page should have details on how to use it.