Fred XinFan

Reputation: 13

Is password filtered when sending params with curl?

How secure is it when you are sending a username and password with the cURL --form or --data option? Compared to submitting a browser form, what's the difference between them?

For example, how is the following different to a browser form?

curl --form username=fred --form password=secret http://example.com

Upvotes: 1

Views: 331

Answers (2)

Joachim Isaksson

Reputation: 181077

Curl emulates a browser, so over the network they're both the same, HTTP being insecure and HTTPS being mostly secure. The browser adds some extra headers that curl may not send by default, but it can be made to do so.

The problem with sending it using curl using that command is more local: if you're unlucky and someone runs ps (or the task manager) at the wrong moment, they may see your command line, including the password.

Upvotes: 1

Trott

Reputation: 70163

Curl is using HTTP just like your browser. It is just as secure/insecure as sending a username and password with the browser. (Over HTTP, insecure, and over HTTPS, secure enough for most purposes.)

Now, there are subtleties. For example, if you are on a multiuser system, someone else may be able to look at the process table to see your password in plain text while you are running the command.

And it's possible that curl may not be as aggressive in warning you about SSL peculiarities (certificate wonkiness, weaker keys than you might like, etc.). I honestly don't know how much of a fuss curl makes in those situations.

But broadly and very generally speaking, it's identical to the browser.

Upvotes: 1
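
The local exposure both answers describe (the password showing up in the process table) can be checked directly. The script below is an added example, not part of the original answers: it compares a secret passed as a command-line argument with one passed on stdin. It assumes a POSIX shell with either /proc or ps available; `curl-stand-in`, `SECRET` and the function names are made up for the demonstration, and a sleeping `sh` process stands in for curl so that nothing touches the network.

```shell
#!/bin/sh
# Added example. A stand-in process (sh + sleep) plays the role of curl so this
# runs offline; SECRET is a constructed value, not a real credential.
SECRET='constructed-demo-secret'

# Print the argument vector of PID as other local users could read it.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"   # Linux: the file ps itself reads
    else
        ps -o args= -p "$1"
    fi
}

# Exit status 0 if SECRET appears in the argv of PID.
secret_in_argv() {
    case "$(argv_of "$1")" in *"$SECRET"*) return 0 ;; esac
    return 1
}

# Stop the stand-in process and reap it.
cleanup() { kill "$1" 2>/dev/null || true; wait "$1" 2>/dev/null || true; }

# Weak: the secret is a command-line argument, as in the question's command.
leaks_via_argv() {
    sh -c 'sleep 3; :' curl-stand-in --form "password=$SECRET" >/dev/null 2>&1 &
    pid=$!; sleep 1; rc=0
    secret_in_argv "$pid" || rc=$?
    cleanup "$pid"; return "$rc"
}

# Better: the secret arrives on stdin. With real curl the equivalent is
#   printf 'form = "password=%s"\n' "$SECRET" | curl --config - https://example.com
# (printf is a shell builtin, so no new process carries the secret in argv).
leaks_via_stdin() {
    printf '%s\n' "$SECRET" |
        sh -c 'cat >/dev/null; sleep 3; :' curl-stand-in --config - >/dev/null 2>&1 &
    pid=$!; sleep 1; rc=0
    secret_in_argv "$pid" || rc=$?
    cleanup "$pid"; return "$rc"
}

if leaks_via_argv;  then echo "argv:  secret visible"; else echo "argv:  secret hidden"; fi
if leaks_via_stdin; then echo "stdin: secret visible"; else echo "stdin: secret hidden"; fi
```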
