> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Salz, Rich
> Sent: Thursday, June 23, 2016 06:14
> To: openssl-users@openssl.org
> Cc: Dominik Straßer
> Subject: Re: [openssl-users] openssl shared libs
>
Mirko Fit (mirko@onespin.com
: [openssl-users] openssl shared libs
> Now my company is (T) and we don't want to leak (V)'s session key.
> You may assume that our binary is protected state of the art against debugger
> attacks and stuff.
> So the only question is if the shared openssl library makes the tool more
> vulnerable?
You cannot prevent someone from
: [openssl-users] openssl shared libs
I meant the easy way of replacing a shared lib (no need to be root):
> LD_LIBRARY_PATH=/path/to/modified/shared/lib:$LD_LIBRARY_PATH
> my_tool
What's the attack tree look like for this case, under your threat model?
Here you're talking about users r
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Mirko Fit
> Sent: Monday, June 20, 2016 09:36
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] openssl shared libs
>
> I meant the easy way of replacing a shared li
I meant the easy way of replacing a shared lib (no need to be root):
> LD_LIBRARY_PATH=/path/to/modified/shared/lib:$LD_LIBRARY_PATH
> my_tool
On 20.06.2016 at 17:25, Ken Goldman wrote:
Just one opinion: If your attacker can replace the libraries, they have
root access. They can hook into the keyboard, replace your application,
etc. If they have root access, you've already lost.
OTOH, static link means that your application won't automatically get
security updates.
On
Hi,
I've got some questions on the shared build of openssl.
Is it safe to use the shared libraries libssl.so and libcrypto.so?
Couldn't the shared libs be replaced by manipulated ones that intercept
my calls and steal the passwords?
I was wondering why every Linux distribution comes with these