Comment by kuschku
8 years ago
That still allows an attacker to deliver you an older binary than you previously had installed — potentially one with major vulnerabilities.
Signing doesn't prevent downgrade attacks, HTTPS does.
You would also look at the version number when you check the signature...
The signature is automatically verified by the system — when you open the installer, it either shows "unknown developer" or "PuTTY team" in the UAC dialog. Which is easy to verify.
Do you know the version of PuTTY you have installed without checking?
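The thread's point is that a valid signature only tells you the file came from the right publisher, not that it is at least as new as what you already run; a downgrade check needs a separately remembered version. The script below is an added example written for this page, not code from any of the commenters or from the PuTTY project. It assumes a standalone signed executable (the point about an MSI installer still holds, but an MSI carries its version in its property table rather than in a PE version resource, so this script does not cover it), a hypothetical state file under `%LOCALAPPDATA%` that records the highest version ever accepted, and a `$ExpectedSigner` substring that you must first confirm against a known-good copy with `Get-AuthenticodeSignature`.

```powershell
# Added example (not from the original thread): accept a signed executable only if
# (a) its Authenticode signature is valid and from the expected publisher, and
# (b) its version is not lower than the highest version previously accepted.
# Assumptions, labelled as such: $ExpectedSigner and the state-file location are
# placeholders chosen for this example; verify the real subject before relying on it.

function Test-SignedNotDowngraded {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'CN=Simon Tatham',            # assumption: confirm on a known-good file
        [string] $StateFile = "$env:LOCALAPPDATA\accepted-version.txt"  # hypothetical state file
    )

    # Step 1: the signature check. This is what the UAC dialog does for you; it
    # answers "who signed it", nothing else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for '$Path': $($sig.Status) ($($sig.StatusMessage))"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Step 2: the version check. A validly signed but older build is exactly the
    # downgrade the thread describes, so compare against what we already trusted.
    # FileVersionRaw is the [System.Version] parsed from the PE version resource.
    $offered = (Get-Item -LiteralPath $Path).VersionInfo.FileVersionRaw
    if (-not $offered) {
        throw "No file version resource in '$Path'; cannot rule out a downgrade"
    }

    $highest = $null
    if (Test-Path -LiteralPath $StateFile) {
        $highest = [version](Get-Content -LiteralPath $StateFile -Raw).Trim()
    }

    if ($highest -and $offered -lt $highest) {
        throw "Downgrade refused: offered $offered, previously accepted $highest"
    }

    # Step 3: record the newly accepted version so the next check has a floor.
    if (-not $highest -or $offered -gt $highest) {
        Set-Content -LiteralPath $StateFile -Value $offered.ToString()
    }

    [pscustomobject]@{
        Path    = $Path
        Signer  = $sig.SignerCertificate.Subject
        Version = $offered
        Floor   = $highest
    }
}

# Usage: run against the downloaded executable before installing it.
# Test-SignedNotDowngraded -Path "$env:USERPROFILE\Downloads\putty.exe"
```

The state file is the piece a signature cannot replace: without it, the script has nothing to compare against, which is the answer to "do you know the version you have installed without checking". Note that this protects only against going backwards from what this machine has already accepted; it does not stop an attacker who serves you a signed version that is older than the current release but newer than anything you have installed, which is why the thread pairs the check with fetching over HTTPS from the publisher's own site.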