[openssl-users] openssl shared libs
Mirko Fit
mirko.fit at onespin.com
Mon Jun 20 15:36:03 UTC 2016
I meant the easy way of replacing a shared lib (no need to be root):
> LD_LIBRARY_PATH=/path/to/modified/shared/lib:$LD_LIBRARY_PATH
> my_tool
On 20.06.2016 at 17:25, Ken Goldman wrote:
> Just one opinion: If your attacker can replace the libraries, they
> have root access. They can hook into the keyboard, replace your
> application, etc. If they have root access, you've already lost.
>
> OTOH, static link means that your application won't automatically get
> security updates.
>
> On 6/20/2016 11:05 AM, Mirko Fit wrote:
>>
>> I've got some questions on the shared build of openssl.
>> Is it safe to use the shared libraries libssl.so and libcrypto.so?
>> Couldn't the shared libs be replaced by manipulated ones that intercept
>> my calls and steal the passwords?
>> I was wondering why every Linux distribution comes with these shared
>> libs if the scenario I described was possible.
>>
>> Thanks,
>> Mirko
>>
>
>
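
A defender-side check for the scenario discussed in this thread, added here as an example and not part of any poster's message: it reads `/proc/<pid>/maps`-format text and reports libssl/libcrypto files mapped from outside root-owned library directories. The trusted directory list, the function names and the sample mappings are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Directories assumed to be writable only by root on this host (assumption;
# adjust for your distribution).
TRUSTED_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# Reads /proc/<pid>/maps-format text on stdin and prints each distinct
# libssl/libcrypto backing file that is not under a trusted directory.
untrusted_openssl_libs() {
    awk -v dirs="$TRUSTED_DIRS" '
        BEGIN { n = split(dirs, trusted, " ") }
        NF >= 6 {
            # Drop address, perms, offset, device and inode; the remainder is
            # the path, which may contain spaces or a " (deleted)" suffix.
            path = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
            sub(/ \(deleted\)$/, "", path)
            if (path !~ "/lib(ssl|crypto)\\.so[^/]*$") next
            if (seen[path]++) next          # one report per file
            for (i = 1; i <= n; i++)
                if (index(path, trusted[i] "/") == 1) next
            print path
        }'
}

# Constructed sample: my_tool started with LD_LIBRARY_PATH pointing at a
# user-owned directory that holds a libcrypto; libssl is the system copy.
sample_maps() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 08:01 131090 /usr/local/bin/my_tool
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 393301 /home/alice/patched/libcrypto.so.1.0.0
7f3a10400000-7f3a10420000 rw-p 00200000 08:01 393301 /home/alice/patched/libcrypto.so.1.0.0
7f3a10800000-7f3a10860000 r-xp 00000000 08:01 262210 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a10c00000-7f3a10dc0000 r-xp 00000000 08:01 262150 /lib/x86_64-linux-gnu/libc-2.23.so
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Live use: scan_pid <pid>
scan_pid() { untrusted_openssl_libs < "/proc/$1/maps"; }
```

Reading another user's `/proc/<pid>/maps` needs the same UID or root. Any path printed is a libssl/libcrypto that the process resolved from outside the trusted set, which is the condition the `LD_LIBRARY_PATH` line above creates.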