[openssl-users] openssl shared libs

Mirko Fit mirko.fit at onespin.com
Mon Jun 20 15:36:03 UTC 2016

I meant the easy way of replacing a shared lib (no need to be root):
 > LD_LIBRARY_PATH=/path/to/modified/shared/lib:$LD_LIBRARY_PATH
 > my_tool

Am 20.06.2016 um 17:25 schrieb Ken Goldman:
> Just one opinion:  If your attacker can replace the libraries, they 
> have root access.  They can hook into the keyboard, replace your 
> application, etc.  If they have root access, you've already lost.
> OTOH, static link means that your application won't automatically get 
> security updates.
> On 6/20/2016 11:05 AM, Mirko Fit wrote:
>> I've got some questions on the shared build of openssl.
>> Is it safe to use the shared libraries libssl.so and libcrypto.so?
>> Couldn't the shared libs be replaced by manipulated ones that intercept
>> my calls and steal the passwords?
>> I was wondering why every linux distrubutions comes with these shared
>> libs if the scenario I described was possible.
>> Thanks,
>> Mirko

More information about the openssl-users mailing list