[openssl-users] openssl shared libs

Ken Goldman kgoldman at us.ibm.com
Mon Jun 20 15:25:20 UTC 2016


Just one opinion:  If your attacker can replace the libraries, they have 
root access.  They can hook into the keyboard, replace your application, 
etc.  If they have root access, you've already lost.

OTOH, static link means that your application won't automatically get 
security updates.

On 6/20/2016 11:05 AM, Mirko Fit wrote:
>
> I've got some questions on the shared build of openssl.
> Is it safe to use the shared libraries libssl.so and libcrypto.so?
> Couldn't the shared libs be replaced by manipulated ones that intercept
> my calls and steal the passwords?
> I was wondering why every linux distrubutions comes with these shared
> libs if the scenario I described was possible.
>
> Thanks,
> Mirko
>




More information about the openssl-users mailing list