← Back to context

Comment by bob_roboto

8 years ago

Ultimately this probably helps increase the overall internet security. Although in recent years it was available from a TLS secured source [0], the putty.org site (which might or might not be operated by the maintainers) is still not https secured. Given that probably tens or hundreds of thousands downloaded it from there (imagine, getting an SSH client from an unknown source!) I'm surprised not more happened. Other than that, thanks for the great work maintaining this project which helped me and others a great deal throughout my career. Countless times have I been stranded on a Windows server and quickly needed an SSH client.

[0]https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.ht...

13 comments

bob_roboto

Reply
huhtenberg  8 years ago

Putty binaries are all signed, which is what you should be looking at when authenticating a release. Whether you fetch them over SSL is of little importance.

  • bob_roboto  8 years ago

    You are, of course, absolutely correct. And I hope this is what internal package maintainers in large companies and individuals using putty as their standard SSH client do. However, for many of us putty is a backup when they are not on their linux/osx machine and just quickly need an SSH client to do something. The workflow there is google->putty->first result->download->execute. You absolutely shouldn't, but we also shouldn't drink and sleep 8h a night :)

    • ultrafilter  8 years ago

      I put a copy of putty at a short but private url at my own domain so that I can get it over https.

  • icebraining  8 years ago

    How do you know the public key is correct?

    • xenophonf  8 years ago

      The level of assurance you get with a signing key downloaded over HTTP and one downloaded over HTTPS is roughly equivalent. Sure, HTTPS gives you a degree of protection from MitM attacks, but it won't stop attackers (whether criminals or militaries) from hacking the web server and changing both the software and the signing keys---after all, if one is possible, so is the other.

      3 replies →

  • kuschku  8 years ago

    That still allows an attacker to deliver you an older binary than you previously had installed — potentially one with major vulnerabilities.

    Signing doesn't prevent downgrade attacks, HTTPS does.