Is it insecure to send a password in a `curl` command?


34

Here’s an example request we can make to the GitHub API:

    curl 'https://api.github.com/authorizations' --user "USERNAME"

This will prompt for the account password, to continue:

    Enter host password for user 'USERNAME':

If we don’t want to get the prompt, we can provide the password at the same time as the username:

    curl 'https://api.github.com/authorizations' --user "USERNAME:PASSWORD"

But is this method less secure? Does curl send all the data at once, or does it first set up a secure connection, and only then send the USERNAME and PASSWORD?

macosx curl

asked Mar 16 at 4:13 by user137369

3 Answers

71

Regarding the connection there's no difference: the TLS is negotiated first and the HTTP request is secured by the TLS.

Locally this might be less secure, because:

• The password gets saved to the command history (~/.bash_history) as a part of the command. Note: This can be avoided by adding a space in front of the command before running it (provided you have the setting ignorespace in variable HISTCONTROL).
• On a shared system, it will usually be visible to others in ps, top and such, or by reading /proc/$pid/cmdline, for as long as the command is running.
• Storing the password unsecured in a script might pose a security risk, depending on where the script itself is stored.

• 1
  Then you must keep the script in a safe place. I'd recommend 700 permissions.
  – Esa Jokinen Mar 16 at 12:40

• 7
  To solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )
  – Anticom Mar 16 at 15:04

• 8
  This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.
  – Stephen Touset Mar 16 at 17:26

• 4
  @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.
  – Wildcard Mar 16 at 19:52

• 1
  @dave_thompson_085 see my comment above. It is actually usually NOT visible in the places you mention, although there is a tiny race condition window where it may be.
  – Wildcard Mar 16 at 19:57

6

But is this method less secure?

No, it is not if you use HTTPS. When you use HTTPS, your complete transaction will be encrypted. But as @Esa mentioned, it is insecure locally, which you can avoid by adding a space before your command so that the command will not be in your command history. If you are worried about exposing the command in other users' ps, then hardening /proc would help you with that. Follow the link to enable hidepid.

Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?

No, curl doesn't send all the data at once. Like any other SSL/TLS connection, curl will initiate the SSL handshake before passing any data.

You can inspect how your data is transferred with tcpdump, tshark or Wireshark as follows (after running tcpdump/tshark, run the curl command):

TCPDUMP

    [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX

Where,

• -i: for listening on a specific interface, which in this case is eth0
• src host: specifying the source IP address
• dst host: specifying the destination IP address
• port: specifying port 443, which is the default for SSL connections. You can change it according to your requirement.
• -XX: for showing header, packet contents and link-level header in hex and ASCII.

You will start to see gibberish contents after a few packets. You can also grep for your password in the packets with the following command:

    [root@arif]# tcpdump -li eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX | grep 'password'

If your password shows up there then your password did not get encrypted before transmission. Otherwise, you are okay.

TSHARK

    [root@arif]# tshark -O tls "ip src 192.168.1.1 and ip dst 192.168.1.2" -x

Where,

• -O: for mentioning the protocol.
• -x: to see packet contents.

You can grep for your password with the above command too.
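
Added example, not part of the answer above: with `--user`, curl sends the credential as an `Authorization: Basic` header holding base64 of `USERNAME:PASSWORD`, so a capture check has to look for that token as well as the literal password. The capture text, host name and credentials below are constructed, the function names are made up for the illustration, and the `base64` utility is assumed to be installed.

```shell
#!/bin/sh
# Added example: check ASCII capture text (e.g. from `tcpdump -A`) for a
# credential given to curl with --user. All sample data is constructed.

# base64("user:password"), the value that follows "Authorization: Basic ".
# printf is a builtin in bash and dash, so the credential reaches base64 on
# stdin and never appears as a command-line argument.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Read capture text on stdin. Print the form in which the credential was seen
# and return 0; return 1 if neither form appears.
# Matching uses the shell's own `case`, so the secret is not passed to grep.
# usage: capture_exposes USER PASSWORD < capture.txt
capture_exposes() {
    token=$(basic_token "$1" "$2")
    seen=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"$token"*) echo "basic-token"; seen=0 ;;
            *"$2"*)     echo "literal-password"; seen=0 ;;
        esac
    done
    return "$seen"
}

# Constructed capture of the request as sent to an http:// URL (no TLS).
sample_plain_http() {
    cat <<'EOF'
GET /authorizations HTTP/1.1
Host: api.example.test
Authorization: Basic VVNFUk5BTUU6UEFTU1dPUkQ=
User-Agent: curl/8.0.0
Accept: */*
EOF
}

# Constructed stand-in for the same request carried inside TLS records.
sample_tls() {
    cat <<'EOF'
....E..m..@.@......................P.
.....z.q.9..K..[..x...e.T..2..d.Gk..
..1.....J.r..M...w.0...~..f.c.Q..h..
EOF
}
```

In the plain-HTTP sample the literal string PASSWORD never appears, only its base64 form, which is why the check looks for both.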






3

The best way to protect from local users is to use a ".netrc" file. The curl man page should have details on how to use it.
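
Added example, not part of the original answers: one way to act on the ".netrc" suggestion and on the local risks listed in the first answer (shell history, ps and /proc/$pid/cmdline, where a script is stored), using curl's `--netrc-file` and `--config -` options so the password is never a command-line argument. The function names, file path and credentials are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: keep a curl password out of argv and out of shell history.
# Paths, host and credentials used with these functions are placeholders.

# Return 0 if a HISTCONTROL value makes bash skip space-prefixed commands.
histcontrol_skips_space() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a one-entry netrc file. The password is read from stdin, so it never
# shows up in this script's arguments, in ps or in /proc/<pid>/cmdline.
# usage: write_netrc FILE MACHINE LOGIN < password-source
write_netrc() {
    file=$1 machine=$2 login=$3
    IFS= read -r password || :
    [ -n "$password" ] || return 1
    tab=$(printf '\t')
    case "$login$password" in
        *" "*|*"$tab"*) return 2 ;;   # whitespace would split the netrc tokens
    esac
    (
        umask 077                      # a new file is created owner-only
        # Tighten an existing file before the secret is written into it.
        : > "$file" && chmod 600 "$file" &&
            printf 'machine %s login %s password %s\n' \
                "$machine" "$login" "$password" >> "$file"
    )
}

# Return 0 if FILE is a regular file with mode 600 (owner read/write only).
netrc_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Emit a config line for `curl --config -`, escaping \ and " inside the
# quoted value. printf is a builtin in bash and dash, so no process is
# started with the password in its arguments.
curl_user_config() {
    escaped=$(printf '%s' "$1:$2" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s"\n' "$escaped"
}

# Usage with the URL from the question (not run here, needs network):
#   histcontrol_skips_space "$HISTCONTROL" || echo "leading space will not hide commands"
#   write_netrc "$HOME/.netrc-github" api.github.com USERNAME   # type password, Enter
#   netrc_is_private "$HOME/.netrc-github" &&
#       curl --netrc-file "$HOME/.netrc-github" 'https://api.github.com/authorizations'
#   curl_user_config USERNAME "$PASSWORD" |
#       curl --config - 'https://api.github.com/authorizations'
```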






First answer (score 71): answered Mar 16 at 5:31 by Esa Jokinen; edited Mar 18 at 9:27 by sleske
              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                Mar 16 at 12:40






              • 7





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                Mar 16 at 15:04






              • 8





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                Mar 16 at 17:26






              • 4





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                Mar 16 at 19:52







              • 1





                @dave_thompson_085 see my comment above. It is actually usually NOT visible in the places you mention, although there is a tiny race condition window where it may be.

                – Wildcard
                Mar 16 at 19:57












              • 1





                Then you must keep the script in a safe place. I'd recommend 700 permissions.

                – Esa Jokinen
                Mar 16 at 12:40






              • 7





                to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

                – Anticom
                Mar 16 at 15:04






              • 8





                This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

                – Stephen Touset
                Mar 16 at 17:26






              • 4





                @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

                – Wildcard
                Mar 16 at 19:52







              • 1





                @dave_thompson_085 see my comment above. It is actually usually NOT visible in the places you mention, although there is a tiny race condition window where it may be.

                – Wildcard
                Mar 16 at 19:57







              1




              1





              Then you must keep the script in a safe place. I'd recommend 700 permissions.

              – Esa Jokinen
              Mar 16 at 12:40





              Then you must keep the script in a safe place. I'd recommend 700 permissions.

              – Esa Jokinen
              Mar 16 at 12:40




              7




              7





              to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

              – Anticom
              Mar 16 at 15:04





              to solve the issue with .bash_history you could just prepend a space in front of your command. This way it doesn't get saved to history. (further info over here: unix.stackexchange.com/questions/115917/… )

              – Anticom
              Mar 16 at 15:04




              8




              8





              This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

              – Stephen Touset
              Mar 16 at 17:26





              This doesn't solve the /proc/$pid/cmdline issue (e.g., it showing up in ps output). If there are multiple users on a system, this is a great way to accidentally disclose a password.

              – Stephen Touset
              Mar 16 at 17:26




              4




              4





              @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

              – Wildcard
              Mar 16 at 19:52






              @StephenTouset check here: unix.stackexchange.com/q/385339/135943. Curl password arguments do NOT appear in ps output, except possibly for a minuscule (and hard to demonstrate) time period after the curl command is invoked. Should not be relied on entirely for security but it’s pretty effective.

              – Wildcard
              Mar 16 at 19:52





              1




              1





              @dave_thompson_085 see my comment above. It is actually usually NOT visible in the places you mention, although there is a tiny race condition window where it may be.

              – Wildcard
              Mar 16 at 19:57





              @dave_thompson_085 see my comment above. It is actually usually NOT visible in the places you mention, although there is a tiny race condition window where it may be.

              – Wildcard
              Mar 16 at 19:57













              6















              But is this method less secure?




              No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted. But as @Esa mentioned it is insecure locally which you can avoid adding a space before your command so that the command will not be in your command history. If you are worried about exposing the command on the other users ps than hardening /proc would help you with that. Follow the link to enable hidepid.




              Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?




              No curl doesn't send all the data at once. Like other SSL/TLS connection, curl will initiate SSL handshake before passing any data.



              You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following, (after running tcpdump/tshark, run the curl command)



              TCPDUMP



              [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX


              Where,




              • -i: for listening on a specific interface which is in this case eth0


              • src host : Specifying source ip address


              • dst host : Specifying destination ip address


              • port: Specifying port 443 which is the default for SSL connection. You can change according to your requirement.


              • XX: For showing header, packet contents and link level header in HEX and ASCII.

              You will start to see gibberish contents after a few packets. You also can grep your password from the packet with the following command,



              [root@arif]# tcpdump -li eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX | grep 'password'


              If your password shows up there then your password did not get encrypted before transmission. Otherwise, you are okay.



              TSHARK



              [root@arif]# tshark -O tls "ip src 192.168.1.1 and ip dst 192.168.1.2" -x


              Where,




              • -O: for mentioning protocol.


              • -x: for see packet contents.

              you can grep your password with the above command too.






              share|improve this answer





























                6















                But is this method less secure?




                No, it is not if you use https. When you use HTTPS your complete transaction will be encrypted. But as @Esa mentioned it is insecure locally which you can avoid adding a space before your command so that the command will not be in your command history. If you are worried about exposing the command on the other users ps than hardening /proc would help you with that. Follow the link to enable hidepid.




                Does curl send all the data at once, or does it first setup a secure connection, and only then send the USERNAME and PASSWORD?




                No curl doesn't send all the data at once. Like other SSL/TLS connection, curl will initiate SSL handshake before passing any data.



                You can inspect how your data is transferred with tcpdump, tshark or Wireshark like following, (after running tcpdump/tshark, run the curl command)



                TCPDUMP



                [root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX


                Where,




                • -i: for listening on a specific interface which is in this case eth0


                • src host : Specifying source ip address


                • dst host : Specifying destination ip address


                • port: Specifying port 443 which is the default for SSL connection. You can change according to your requirement.


                • XX: For showing header, packet contents and link level header in HEX and ASCII.

                You will start to see gibberish contents after a few packets. You also can grep your password from the packet with the following command,



                [root@arif]# tcpdump -li eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX | grep 'password'


                If your password shows up there then your password did not get encrypted before transmission. Otherwise, you are okay.



                TSHARK



                [root@arif]# tshark -O tls "ip src 192.168.1.1 and ip dst 192.168.1.2" -x


                Where,




                • -O: for mentioning protocol.


                • -x: for see packet contents.

                you can grep your password with the above command too.






                share|improve this answer



























                  6












                  6








                  6








But is this method less secure?

No, it is not if you use HTTPS. When you use HTTPS, your complete transaction will be encrypted. But as @Esa mentioned, it is insecure locally, which you can avoid by adding a space before your command so that the command will not be in your command history. If you are worried about exposing the command in other users' ps output, then hardening /proc would help you with that. Follow the link to enable hidepid.

Does curl send all the data at once, or does it first set up a secure connection, and only then send the USERNAME and PASSWORD?

No, curl doesn't send all the data at once. Like any other SSL/TLS connection, curl will initiate the SSL handshake before passing any data.

You can inspect how your data is transferred with tcpdump, tshark or Wireshark as follows (start tcpdump/tshark first, then run the curl command):

TCPDUMP

[root@arif]# tcpdump -i eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX

Where,

• -i: for listening on a specific interface, which in this case is eth0.
• src host: specifies the source IP address.
• dst host: specifies the destination IP address.
• port: specifies port 443, which is the default for SSL connections. You can change it according to your requirements.
• -XX: for showing the header, packet contents and link-level header in hex and ASCII.

You will start to see gibberish contents after a few packets. You can also grep for your password in the packets with the following command:

[root@arif]# tcpdump -li eth0 -n src host 192.168.1.1 and dst host 192.168.1.2 and port 443 -XX | grep 'password'

If your password shows up there, then your password did not get encrypted before transmission. Otherwise, you are okay.

TSHARK

[root@arif]# tshark -O tls "ip src 192.168.1.1 and ip dst 192.168.1.2" -x

Where,

• -O: for mentioning the protocol.
• -x: to see packet contents.

You can grep your password with the above command too.














                  edited Mar 18 at 21:49

























                  answered Mar 16 at 8:24









                  Muhammad





















                      3














                      The best way to protect from local users is to use a ".netrc" file. The curl man page should have details on how to use it.














                          edited Mar 18 at 12:02









                          schroeder











                          answered Mar 16 at 17:15









                          sitaram
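The local exposure that both answers above point to (a password readable in another user's ps output, and a .netrc file as the way around it), as an added shell example that is not part of either answer. It starts a stand-in process instead of curl so nothing touches the network; the host, user, password and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample values, not real credentials or hosts.
DEMO_HOST="api.example.com"
DEMO_USER="alice"
DEMO_PASS="constructed-demo-secret"

# Print the argument list of PID $1 the way any local process can read it
# (readable by every user unless /proc is mounted with hidepid).
read_argv() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Create an owner-only (0600) netrc file in directory $1 and print its path.
write_netrc() {
    ( umask 077
      printf 'machine %s login %s password %s\n' \
          "$DEMO_HOST" "$DEMO_USER" "$DEMO_PASS" > "$1/netrc" )
    printf '%s\n' "$1/netrc"
}

# Start a short-lived stand-in process (not curl) with the given arguments,
# as curl would be started with "-u user:pass" or "--netrc-file <path>", and
# report whether the secret shows in its argument list: "leaked" or "hidden".
argv_exposure() {
    sh -c 'sleep 2; exit 0' client-stand-in "$@" &
    pid=$!
    sleep 1                       # give the child time to exec
    if read_argv "$pid" | grep -qF -- "$DEMO_PASS"; then
        result=leaked
    else
        result=hidden
    fi
    wait "$pid" 2>/dev/null
    printf '%s\n' "$result"
}

demo() {
    tmp=$(mktemp -d) || return 1
    netrc=$(write_netrc "$tmp")
    echo "inline -u:    $(argv_exposure -u "$DEMO_USER:$DEMO_PASS")"
    echo "--netrc-file: $(argv_exposure --netrc-file "$netrc")"
    rm -rf "$tmp"
}

demo
```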


























