HttpUtils: don't pass passwords as plain arguments

Passing passwords via command line arguments is insecure: anyone who
is able to read the process list on the system can read the passwords
as well.

For curl, we pass the password via stdin by using the --config option,
which allows us to pass arbitrary additional options via stdin.

Unfortunately, wget's --config option does not support - for stdin. So
we instead use the --input-file option to pass an URI with the password
via stdin.