

PuTTY 0.64 released, fixing a security hole - xrstf
http://www.chiark.greenend.org.uk/~sgtatham/putty/

======
leni536
Kind of off topic:

Is there a secure way to download PuTTY? They are hosting on a http page.
Though they provide RSA and DSA signatures how would I verify the signatures
themselves? I'm kind of new to walking through trust paths. I don't even have
an entry point either, since nobody I know uses public key encryption (I trust
the Debian keys already though since I use their distro, maybe I can use that
as a starting point?).

My best bet would be to download the signatures and keys from different
mirrors and sources to limit the possibility of a successful targeted MITM
attack.

~~~
286c8cb04bda
_> Though they provide RSA and DSA signatures how would I verify the
signatures themselves?_

Ideally, it goes something like this --

1. Start with the master keys. Download them from their website & import them
into your keyring.

2. Fetch signatures for those keys from some key servers. (E.g.
`gpg --recv-keys 6A93B34E`).

3. Examine the signatures (E.g. `gpg --list-sigs 6A93B34E`). Do you trust
anybody in that list to have verified the ownership of the keys?

If "yes", then import the release keys and verify that _they_ have been signed
by the master keys. You can use the release keys to verify the downloaded
binary.

If "no", then you might recurse down those keys to see if you know anyone who
signed any of _them_. At this point, you'll need to consider very carefully
what your trust policy is going to be.
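The three examination steps above, plus the final "verify the binary with the release key" step, as an added shell example (not code from the thread or from the PuTTY project). The key ID 6A93B34E is the one quoted in the comment; every other key ID, name and address in the sample is a constructed placeholder, and the `gpg --with-colons --list-sigs` output is constructed too, not real output for any PuTTY key.

```shell
#!/bin/sh
# Added example: decide by machine whether any signer of a key is already in
# your trusted set, then verify a download against its detached signature.
# Assumptions: 6A93B34E is the key ID quoted in the thread; all other IDs,
# names and addresses below are constructed placeholders.

# Constructed stand-in for the output of:
#   gpg --with-colons --list-sigs 6A93B34E
# Field 1 is the record type, field 5 the long key ID, field 10 the user ID.
SAMPLE_SIGS='pub:u:4096:1:000000006A93B34E:1420070400:::u:::scSC::::::::
uid:u::::1420070400::0000000000000000000000000000000000000000::Release Key (constructed) <release@example.invalid>::::::::::
sig:::1:000000006A93B34E:1420070400::::Release Key (constructed) <release@example.invalid>:13x:::::::
sig:::1:1111111111111111:1420156800::::Alice (constructed) <alice@example.invalid>:10x:::::::
sig:::1:2222222222222222:1420243200::::Bob (constructed) <bob@example.invalid>:10x:::::::'

# Step 3a: print the long key ID of every signature read on stdin, except
# the key's own self-signature ($1 = long key ID being examined).
signer_ids() {
  awk -F: -v self="$1" '$1 == "sig" && $5 != self { print $5 }'
}

# Step 3b: read --with-colons output on stdin and print every signer that is
# in the space-separated trusted list ($2, e.g. IDs you already trust from
# the Debian keyring). Returns 0 if at least one signer matched, 1 if none
# did, in which case you recurse on the signers' keys instead.
trusted_signers() {
  key="$1"
  trusted=" $2 "
  found=1
  for id in $(signer_ids "$key"); do
    case "$trusted" in
      *" $id "*) printf '%s\n' "$id"; found=0 ;;
    esac
  done
  return $found
}

# Step 4: verify $1 against detached signature $2 and require that the
# signature was made by key $3 (an ID you decided to trust above). Reads
# gpg's machine-readable --status-fd output and looks for a VALIDSIG record
# whose fingerprint ends in the expected ID, so a "good signature from some
# other key" cannot pass. Needs a real keyring, so it is not run here.
verify_download() {
  file="$1"; sig="$2"; expected="$3"
  gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
    | awk -v want="$expected" \
        '$2 == "VALIDSIG" && index($3, want) { ok = 1 } END { exit !ok }'
}

# Real usage once the keys are imported (FILE and FILE.sig are placeholders):
#   gpg --with-colons --list-sigs 6A93B34E | trusted_signers 000000006A93B34E "$TRUSTED_IDS"
#   verify_download FILE FILE.sig 000000006A93B34E

# Demonstration on the constructed sample: Alice's key is in the trusted set.
printf '%s\n' "$SAMPLE_SIGS" \
  | trusted_signers 000000006A93B34E "1111111111111111 9999999999999999"
```

The point of `trusted_signers` returning a status is that it can drive the recursion the comment describes: when it fails, feed each ID from `signer_ids` back into `gpg --with-colons --list-sigs` and repeat, stopping at whatever depth your trust policy allows.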

~~~
leni536
> _3. Examine the signatures (E.g. `gpg --list-sigs 6A93B34E`). Do you trust
> anybody in that list to have verified the ownership of the keys?_

Well what if I don't know if I can trust them. Also I couldn't possibly verify
them in person so I need to recursively walk through the signing keys to find
a trusted signature. Isn't there an easy cli command for this? All I could
find are online path finders.

~~~
yungchin
Easy it's not, but since you trust the debian keys already, you could import
keys from the debian-keyring - I'm sure there's a path from those to the putty
maintainers'. Here's a somewhat detailed description I just found, for how to
do such a thing
[https://tails.boum.org/doc/get/trusting_tails_signing_key/in...](https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html#index3h1)

------
josteink
I used to be a huge PuTTY (or derivative) user, but recently, I've switched to
just using the normal OpenSSH command-line client within Cygwin and ConEmu.

While PuTTY is nice, it lacks some features, like proxycommands and stuff
which are standard in ~/.ssh/config. Things which can be taken along in a
simple & portable fashion.

No disrespect to PuTTY, but I just found myself not really needing it anymore.

~~~
el_duderino
I prefer XShell5.

[http://www.netsarang.com/products/xsh_overview.html](http://www.netsarang.com/products/xsh_overview.html)

~~~
skrowl
Nice try, XShell employee.

I doubt that anyone is going to take $90/year closed source payware over well
known FOSS like OpenSSH or PuTTY here at HN.

------
nothrabannosir
Another security hole of PuTTY is downloads being served over non-SSL.

I should know better and check the sigs using PGP and checksums, but on
Windows this is such a drag that I just end up whispering hallelujah praise
the Lord, and hoping for the best.

I know it's my fault, but I'd still like SSL :(

~~~
xrstf
> but on Windows this is such a drag that

Get the keybase.io client, it sets up your GPG pretty nicely. I was able to
confirm the downloads on Windows using the standard
``gpg --verify putty.DSA.asc`` and it just worked(tm) in a cmd.exe window.
Using the keybase client does not, however, as the signing key for the putty
binaries is not on keybase.

Not saying anything about how much sense it makes to verify the downloads,
just saying that it does work well on Windows, without any cygwin, mingw or
whatever.

~~~
nothrabannosir
Thank you for the howto, I'll give this a try next time. Looks much more
approachable than I feared.

------
nodata
It would have been better if the 0.64 release had been pulled, the fixed 0.64
release should have been named 0.65.

------
tapirl
The official git client for windows supports ssl, openssl, scp, ... , much more
powerful than putty.

~~~
falcolas
Do you have a workaround for having to run them in a `cmd` or `powershell`
window? Those are worse than the old terminals in many cases.

~~~
josteink
ConEmu, MinTTY or similar terminals.

------
pbowyer
Do you know an SSH client that can share configs cross-platform? So I can
define my connections once, and use on Windows/OSX/*nix?

~~~
iso8859-1
OpenSSH does this, no? Just use it in Cygwin.

