
Downloading Software Safely Is Nearly Impossible - danielsiders
http://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/
======
kefka
The problem is much worse than this contrived 'I can't download PuTTY
securely'. Let's choose an example, of which I have had my hands in with my
tech support job.

Goal: "Download Firefox"

First, the user was using IE. And the user is not a tech savvy user (as in,
cannot read words on the screen). Turns out, the user's computer was infested
with spyware and garbageware. Mainly Conduit and others.

Evidently, user "searched" for firefox rather than follow my directions to
type in the address bar [https://www.mozilla.org](https://www.mozilla.org).
This behavior led him here:
[http://firefox.en.softonic.com/](http://firefox.en.softonic.com/)

Normally, I would use a remote support tool and just do the cleaning for the
user. However, this client comes from another area in which we are not allowed
to use the remote support tool.

In the end, I tried to have user uninstall the bad-firefox, and attempt to
install the good, but the softonic installer installs a ton of crap
everywhere. User got very frustrated and hung up when having him read the
uninstall programs installed list.

That is the danger to most users, running Windows.

EDIT: For the user who penalized my comment score, why?

~~~
raverbashing
Exactly

Dealing with Windows nowadays is akin to cleaning a septic tank. I wish I was
kidding

I'm thinking someone should build a (Linux or other *IX) that scans the HD of
an infected machine (booted with this distro or the HD was removed and put on
another machine) to scan and remove everything. Working directly on Windows is
impossible

~~~
ctrijueque
> I'm thinking someone should build a (Linux or other *IX) that scans the HD of
> an infected machine (booted with this distro or the HD was removed and put on
> another machine) to scan and remove everything.

Kaspersky did it.

[http://support.kaspersky.com/viruses/rescuedisk](http://support.kaspersky.com/viruses/rescuedisk)

~~~
blueblob
Also bitdefender:
[http://download.bitdefender.com/rescue_cd/2013/](http://download.bitdefender.com/rescue_cd/2013/)

and AVG: [http://www.avg.com/us-en/download.prd-arl](http://www.avg.com/us-en/download.prd-arl)

although I am not sure if they are linux based.

~~~
jethro_tell
They are. I've used the Kaspersky and AVG live disks. It's nice because you
boot up and you can download new definitions without something hogging your
bandwidth and clicking through a bunch of popups or whatever.

------
throwaway812
If you think you're safe: it's the same thing with Linux. Yes, good distros
sign their blobs and you can probably verify that with builtin tools.

However, consider how distros generate their signed binaries:

1) A packager downloads a random tarball off the internet, often over HTTP
and/or unsigned and unverified.

2) The packager uploads the same tarball to the distro build system (you trust
them, right?)

3) The packager's script for building the program or library is executed by
the build server (you trust all of the packagers, right? they have implicit
root access to your machine during pkg install.)

4) The packager's script likely invokes `./configure` or similar. Now even if
you trust the packager, the downloaded source has arbitrary code execution.
You verified it, right???

(Not trying to advocate for webcrypto. And I'm a Linux user. But I'm also a
packager, and I have some awareness as to how one would go about pwning all
users of my distro.)

~~~
RyanZAG
Sure, but you have to trust someone. How do you know the baker you bought some
bread from didn't put hallucinogenic drugs into your bread this morning?

The key is to limit the number of people you trust and remove instances where
you mistakenly trust more people than you believe you do. When downloading a
.exe over http, you trust an unknown number of people working at each company
your packets hop over to reach the server. You are implicitly trusting each
and everyone of an unknown number of people with direct root access.

With a Linux distro this is different: you are trusting the distro and any
employees/volunteers of that distro. You trust that the distro is actively
vetting the people involved - or is at least in a position to publicly name
them if they break the trust of users, etc. Ultimately you do still have to
trust someone, though.

Debian, at least, has proven to be fairly trustworthy so far. Who has access
to ae-5.r23.londen03.uk.bb.gin.ntt.net and what do I do if they MITM my
traffic? EDIT: And why can't they spell London correctly?

~~~
t0mas88
Londen is the Dutch spelling of London, so could be a network link maintained
by some Dutch provider?

~~~
cbhl
ntt.net is Japanese...

------
bcoates
It looks like Windows 8.1 is whitelisting PuTTY by hash or signature: nothing
to see here.

Repro steps (Windows 8.1, desktop IE 11 or Chrome 33):

1\. Download putty.exe from any shady source

2\. PuTTY runs without prompting

3\. go to mega.co.nz (an _extremely_ shady source), upload your copy of
putty.exe

4\. download it again

5\. this version of putty.exe also runs without prompting

6\. open your hex editor of choice, change a byte in a text string

7\. upload this tampered version of putty.exe to mega.co.nz

8\. download and run it

9\. observe full-screen modal red banner: "Windows Protected Your Computer"
requesting an Administrator password to run suspicious binaries.

~~~
ronaldx
If almost all binaries are treated by Windows as suspicious (in general: if
there's a whitelist), then a request for an administrator password will be
unconsciously and automatically given.

~~~
MAGZine
I think a giant red banner to an experienced user (someone installing SSH on
Windows) will cause pause to any user who needs to care about this sort of
thing

------
bad_user
Before reading the article, I wanted to write a rant on why the TFA is wrong,
based solely on the title :-) ALAS, I was wrong, especially because I
downloaded Putty myself from putty.org, whenever I happened to play with
Windows machines, without thinking once that putty.org is not the official
source. And I'm a very security conscious user and if I can't protect myself,
then normal users don't stand a chance.

Just a note - PGP signing renders HTTPS useless for downloading the binaries
themselves and works by establishing a chain of trust, the problem is with
distributing the public key. It's the public key that must be distributed
either over HTTPS and/or through a public key server, letting other users
digitally sign your certificate and thus endorse the association of this
public key - a system that works great for popular repositories of software
(e.g. Debian), in which the participating developers/maintainers know each
other. Once the authenticity of the public key is correctly established,
there's no way for an attacker to create/forge the signed binary, unless said
attacker gets ahold of the private key, which is way more difficult than
hacking a web server, as normally private keys don't end up on those servers
(so it is more secure than HTTPS). For example, in Ubuntu if you're willing to
install packages from PPAs of third-parties, you first need to indicate that
you trust the public key with which those packages were signed, otherwise
apt-get will refuse to install said packages.

A reasonable alternative to PGP signing is S/MIME signing, which is more
user-friendly, as it doesn't involve the users vetting scheme, but rather
certificates are issued by a certificate authority, just like with HTTPS/SSL.
S/MIME is weaker against the NSA, but it does work well for signing stuff and
it's more user friendly, because to establish trust, you only have to trust
the certificate authority (and of course the developer).

Binaries on OS X are also distributed as signed with the developer's key and
OS X refuses to install unsigned binaries or binaries signed by unknown
developers, unless you force it to. And while I have mixed feelings about the
App Store direction in which Apple is taking OS X, I've begun to like this
restriction, in spite of the money you have to pay yearly to register as a
developer (as long as you can download signed binaries straight from the
Internet and thus not completely locked into Apple's walled garden, it's all
good). Signing binaries and having a user-friendly way to establish trust in
the used signing key should be the norm in all operating systems.

~~~
josteink
> I was wrong, especially because I downloaded Putty myself from putty.org,
> whenever I happened to play with Windows machines, without thinking once
> that putty.org is not the official source.

If you had used duckduckgo, you would have known better:

[https://duckduckgo.com/PuTTY](https://duckduckgo.com/PuTTY)

Official site. It's one of my favourite DDG features. It's just weird how
Google doesn't have it.

~~~
bad_user
Here are Google's results for "putty" (first two links are the official
website):
[http://imgur.com/SVWJhmg,UV3UT1w#1](http://imgur.com/SVWJhmg,UV3UT1w#1) ;
Here are DuckDuck Go's results for "putty" (first link is putty.org, second is
the official source):
[http://imgur.com/SVWJhmg,UV3UT1w#0](http://imgur.com/SVWJhmg,UV3UT1w#0)

Granted, DDG does give better results for "windows ssh client".

I don't use DDG because it's awful for users not living in the US. I'm not
talking about the interface, but about local results. It also doesn't get the
context well - when I search for Ruby or Python on Google, I get different
results than my wife does ;-)

~~~
nitrogen
_Here are DuckDuck Go's results for "putty" (first link is putty.org, second
is the official source):
[http://imgur.com/SVWJhmg,UV3UT1w#0](http://imgur.com/SVWJhmg,UV3UT1w#0)_

That's weird; when I just tried ddg, the correct site was first and putty.org
was second.

------
dfc
_The moral is obvious. You can't trust code that you did not totally create
yourself._ -- Ken Thompson[^1]

[^1]: Reflections on Trusting Trust. ACM Turing Award Lecture, 1984,
[https://dl.acm.org/citation.cfm?id=358210](https://dl.acm.org/citation.cfm?id=358210)

~~~
larrys
That is about as helpful as telling people that they can't trust food that
they didn't grow themselves. Has no relevance in the modern world where
unfortunately you can't easily grow your own food. In other words pick your
poison and your battles.

~~~
dfc
Did you bother reading it? Did you get to this part:

 _To what extent should one trust a statement that a program is free of Trojan
horses? Perhaps it is more important to trust the people who wrote the
software._

~~~
larrys
I didn't read it.

My reaction was to the statement which I replied to. I would take that either
as a summary of the document or your conclusion on the document.

Is it necessary to only comment after a full reading and understanding of the
base document that someone is summarizing?

If someone pulls out a phrase "The press must learn that misguided use of a
computer is no more amazing than drunk driving of an automobile." (from the
same document) I think that stands on its own as worthy of replying back to
without seeing what else has been written that might clarify it. I don't think
this is cherry picking and pulling things out of context either.

~~~
einhverfr
First, I would expect that if someone like Ken Thompson says something like
this there is more to the comment than you are going to get from the blurb.
You really must read it.

Secondly, if you read it, you will recognize that what he is talking about is
a real issue, particularly in the post-Snowden era and is totally relevant to
the article. And his point really is that you can never be sure there isn't a
backdoor planted somewhere in your software _or hardware._ Even if you write
all the code yourself, it is still operating in an environment that you did
not build.

Understanding this problem at its root is the beginning of an understanding
into why depth is so important to IT security and why all our current
approaches at trusted binaries are inadequate at least on their own.

~~~
dfc
Reading three pages by Ken Thompson takes effort. Retweeting some Snowden meme
is easy.

What can you say to someone that thinks Ken Thompson has no relevance in the
modern world or thinks he does not need to read something in order to judge if
the one sentence he pulled out was taken out of context?

~~~
einhverfr
> What can you say to someone that thinks Ken Thompson has no relevance in the
> modern world or thinks he does not need to read something in order to judge
> if the one sentence he pulled out was taken out of context?

That those who do not understand UNIX (or history!) are destined to reinvent
it badly (shamelessly stealing from Harry Spencer).

------
api
I hate the "feudalization" direction that OSes are moving in -- requiring
certificates, app stores, etc. At the same time, I get why it's happening.

It really mirrors the historical reasons for feudalism in the real world. When
the Roman empire collapsed, people needed protection from marauding hordes. So
they cozied up to the nearest powerful group, forming kingdoms. People
tolerated the abuses of kings and nobility in exchange for protection from
anarchistic threats.

That's exactly what's happening to OSes: people are accepting feudalization in
exchange for protection from malware.

Unless we find ways to really empower the user here, it's only going to get
worse. We will end up with a fully feudal Internet.

------
moron4hire
I think the general message here that a lot of commenters are missing is that
the Right Thing is way too flipping hard to get right. The fact that PuTTY
itself is not distributed securely seems to underscore the fact that even
highly interested hobbyists have trouble getting it right. How can you expect
everyone to be secure when you expect them to be security experts to get
everything right?

Or in other words, despite clearly thinking they're the smartest people in the
room, security programmers are dumber than shit when it comes to actually
making it possible to use their software.

------
lmm
Downloading software safely is nearly impossible _on windows_. Probably
because there's no demand for it - people who care about security don't use
windows. PuTTY is one guy's hobbyist project.

(If you insist on using windows, what about downloading SUA from microsoft
themselves? That way you get a working SSH client without trusting anyone you
weren't already trusting)

~~~
astrodust
The very fact that you _need_ to download Putty speaks to how ridiculously out
of date the Windows default tools are.

It's no wonder so many web developers use OS X or Linux.

~~~
smacktoward
Microsoft's big blunder is that they assume that "developer" is synonymous
with "Windows developer."

They have _excellent_ tools available for Windows developers. But step out of
that silo and man, just forget it. You have to fight your own system every
step of the way.

This is an example of a strategy tax
([http://scripting.com/davenet/2001/04/30/strategyTax.html](http://scripting.com/davenet/2001/04/30/strategyTax.html)):
Microsoft's strategy for a loooong time was to pretend like Windows was the
only thing that existed. When Windows was a majority monoculture, this worked
pretty well for them. But now that it's just one ecosystem among many, it
forces their developer-tools people to pull their punches so as to avoid
undercutting their Windows people.

------
m0dest
People complain that OS X requires apps to be signed by Apple (by default).
But in reality, it's the sanest solution to this problem.

When the OS enforces signature checking, you don't have to worry about whether
it was downloaded over HTTP or who owned the domain name.

~~~
davexunit
> But in reality, it's the sanest solution to this problem.

Absolutely not. It puts Apple in total control over user's software. You have
to place all of your trust in Apple that the binary you're running is actually
built from the source code it is supposed to be.

Now, over in the free digital world, this problem is being addressed sanely.
For example, NixOS and GNU Guix are tackling the issues of reproducible builds
and package signing that can use a distributed web of trust. This way, no one
has to trust a single company/entity or build machine. Debian is also after
reproducible builds.

~~~
dfc
This is a big thing for the Tor project:

[https://blog.torproject.org/blog/deterministic-builds-part-o...](https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise)

[https://blog.torproject.org/blog/deterministic-builds-part-t...](https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details)

------
bphogan
One solution I advocate for is more widespread adoption of Chocolatey
([http://chocolatey.org](http://chocolatey.org)).

I can

    cinst putty

and get what I need automatically.

Sure, I have to trust the maintainer, but you know, if more people used
Chocolatey to install packages, more people might be able to ensure it's safe.

It's not bulletproof but it sure is better than searching the web for the
right download.

~~~
zimbatm
From [https://chocolatey.org/install.ps1](https://chocolatey.org/install.ps1),
which is fetched from the main install snippet, downloads Chocolatey over
plain HTTP.

~~~
konstruktor
Which is then executed in a PowerShell with -ExecutionPolicy unrestricted.

~~~
jongalloway2
There's an 80/20 thing here, though. Except more like 99.9/.1.

Yes, there is value in ensuring software is delivered without tampering direct
from a trusted source. But the main problem people are dealing with is finding
a trusted source for the install - one that actually delivers the software
they wanted, without malware, without a confusing installer. Chocolatey solves
the main problem pretty well. I can look at download counts, comments, and
repos to verify what the installer is doing. There's an active forum that
discusses problems or suggested improvements to packages.

It doesn't verify that there's no tampering along the way, but for most users
that's an absolutely minuscule problem compared with the "Google / Click Link
/ Install Wrong Program and/or Malware" system.

------
edwintorok
Correction for step#10: the Putty keys are on the MIT keyservers, just not
under Tatham's name, although they're only 1024-bit keys:
[http://pgp.mit.edu/pks/lookup?op=vindex&search=0xEF39CCC0B41...](http://pgp.mit.edu/pks/lookup?op=vindex&search=0xEF39CCC0B41CAE29)

------
wazooonrails
I challenge anyone to try and find a Minecraft mod without adware or spyware.
Conduit and AdFly are everywhere.

~~~
tokenizerrr
AdFly is not adware. It's an ads website that displays you some ads for a few
seconds before you can continue to a download, do not confuse it with adware.

~~~
dylz
Adfly is well known for being a malware distribution channel. Ads run on adfly
support flash/js/everything else and aren't vetted, nor do they have any form
of anti abuse.

------
userbinator
I hope that sometime in the near future, when everything has been locked-down
so much in the name of security that the situation becomes the exact opposite,
someone will write an article titled "Downloading Software Freely Is Nearly
Impossible". Don't get me wrong, I think security is a good thing, but I also
think there has to be a balance between that and freedom. One of the most
secure places to live in is a prison.

As the saying goes, "Those who sacrifice freedom for security deserve
neither."

------
RyanZAG
Ah! A trick question game. The correct answer is to wipe off Windows and
install Linux off your flash drive, right?

~~~
mavus
Where did you get that flash drive of Linux?

~~~
RyanZAG
From my Linux laptop? Or I guess I could have downloaded it using an Android
tablet and torrents and copied it to a usb stick. Is this one of those threads
where we keep asking 'and where did that come from?' until we reach the first
dollar earned from selling lemonade?

~~~
DanBC
> Is this one of those threads where we keep asking 'and where did that come
> from?'

At some point you have to trust someone. But who should you trust, and how
much should you trust them?

Most people do not think about that and so we live with an Internet where
privacy is almost impossible and most people just don't care about that.

~~~
cLeEOGPw
Either that or you could inspect every line of OS source code before compiling
and then inspect every machine code of compiler executable to make sure
compiler is not infected.

~~~
gizmo686
Instead of inspecting your normal compiler's machine code, you can create a
small special purpose compiler to begin bootstrapping your main compiler from
source. Most compilers (including GCC I believe) are specifically designed so
that they can be bootstrapped from a relatively small subset of the language.
Additionally, you do not need to worry about producing an efficient executable
because you will only ever run the resulting program once.

However, there is also the risk that your host OS is compromised, in which
case it may simply lie to you and do whatever it wants.

~~~
cLeEOGPw
Even if you manage to guarantee OS and everything else safety, you still have
to trust your own sanity.

~~~
gizmo686
Don't worry, I confirmed my sanity last week. I think.

------
MichaelGG
I've become acutely aware of this over the past couple days. I'm setting up a
new laptop, using VMs for all work. Getting VMware is easy - it's signed.
But from there? Things start sucking. I need to fix my "ThinkPad" fan and
trackpad (new ThinkPads don't actually have a middle button despite the dots
appearing like they are one) - gotta download unsigned blobs.

Since I want as little software installed on the host as possible, I'm going
to have to start a VM on something like Azure (easiest) with Visual Studio,
and build my own copies of these tools if possible. The culture of building
stuff on Windows is fairly weak, so I imagine I'll run into all sorts of
issues.

It's pretty embarrassing that Windows doesn't ship with a lightweight way of
creating "VMs" to increase security. Something like Sandboxie would be a
welcome piece of OS functionality.

The JS crypto comment is off-base. The discussion about JS crypto is that it's
pointless because it's only as strong as TLS - it doesn't provide anything
else, and it's very easy to get it wrong and get more damaged (due to ease of
XSS and whatnot). Sandboxed execution is a fantastic thing, and even MS tried
that with .NET and its million code-access-security policies. And now
everyone does that with Android/Windows Store style permissions (although not
as fine grained).

------
PythonicAlpha
As much I understand, even HTTPS and its infrastructure has plenty of holes.

How was this, that some people broke into a signature authority and stole
master-keys -- so a huge number of keys were compromised. I don't know, if
that thing was repaired yet. Also there exist many authorities that give keys
to people without the simplest identity check. Such keys are a security risk
of its own.

I also don't know, how good (or bad) the key withdrawal mechanism is working
currently. I remember darkly (I am not current in these things) that there
existed some problems with existing browsers, infrastructure and so on ...

And even, when those things would work fine ... as much I know, there exist
holes in the implementation, depending which algo combination is used.

So there are so many attack vectors, that even in the best case (https works
fine and you have a domain that belongs to the correct author ... and you have
checksums ... and you check, if your browser tells you, that the certificate
is perfect (who in the internet age cares, when the browser says that the
certificate has some problem??) ...) there seems to be no security in the
internet age ....

(And I am not even speaking or thinking about governments spying on us all)

------
josteink
So basically he does a web search for "Windows ssh client" (generic seo
spammed terms) when he knows he wants putty (specific) and is surprised that
the official putty page is not the #1 hit.

I'd hardly call that a bulletproof argument.

------
jebblue
>> Note that, suddenly, Web Crypto is starting to look damn good

OK so we can also boot Linux in a browser, if you stick with it apparently you
can do just about anything in JavaScript if you're willing to spend the CPU
cycles to do it.

Why? ChromeBook as an example, why move everything into the browser so that
the OS is minimized or even removed, you're still going to face the same
software problems.

~~~
euank
He addresses that. The browser has a different security model than the OS.

The OS's model is based off of the user being the unit of security. If a user
runs a piece of software, that software can interact with all files owned by
the user. It can make web requests to anything.

The browser's model has the unit as the webpage, not the user. Each webpage is
sandboxed from others. If one webpage is malicious, in theory it cannot modify
users files or even other webpages.

The difference in model makes a malicious webpage significantly less scary
than a malicious program.

Your example, of running your whole OS in the browser, is unrealistic; in
reality you'll be running each piece of the OS in a different isolated tab.

This model can work since the web was built for each site to be independent
and self-contained... We've already gone too far down the rabbit-hole of
native programs being extremely powerful to easily fix that.

The OS might not be lost though. You can run scary software in a VM. You can
run each program in a separate chroot. Perhaps soon you could just spin up an
lxc (with docker perhaps) for each different program you want to run. These
methods of running software all basically transform the OS into using the
browser's model.

It's also worth mentioning that the browser model has inherent security flaws
for as long as it persists the executable on external servers; you have to
find a trusted channel to access the data everytime whereas the program only
has to be verified once after downloading.

~~~
jebblue
>> The browser's model has the unit as the webpage, not the user.

The user loses control, the user loses.

>> This model can work since the web was built for each site to be independent
>> and self-contained...

[https://developer.chrome.com/extensions/samples](https://developer.chrome.com/extensions/samples)
"Content Script Cross-Domain XMLHttpRequest Example"

>> whereas the program only has to be verified once after downloading.

Opening the door to hackers who find ways to infiltrate that program _after_
that check has been done.

------
msane
A challenge: what would the best remedies to this situation be? Should we be
pressuring OSes to come with PGP ware and other basic tools by default, for
instance?

~~~
toomuchtodo
Signatures all the way down :( And reliable methods to verify those signatures
without MITM attacks.

~~~
pilom
Yay someone agrees TPM's can be a good thing!

Right?

~~~
pjc50
Some people do; mjg59 is working on boot attestation as an anti-boot-sector-
virus mechanism. The underlying absolutely critical question is who controls
the TPM hardware.

~~~
pilom
I absolutely feel that way personally, I just get frustrated by the common
response from people on HN etc. TPM's are the most secure / most mature way to
verify your software integrity.

------
pdonis
The title is missing a word: it should be "Downloading _Windows_ Software
Safely Is Nearly Impossible". Similar remarks would apply to OS X for any
software not supplied by Apple. Fortunately, Linux distros have package
managers.

------
frik
I prefer to search on Wikipedia, it has a link to the official website in a
predictable way.

e.g. [http://en.wikipedia.org/wiki/PuTTY](http://en.wikipedia.org/wiki/PuTTY)
points to Putty's official website:
[http://www.chiark.greenend.org.uk/~sgtatham/putty](http://www.chiark.greenend.org.uk/~sgtatham/putty)

Putty is open source (MIT), one could build it from source and even audit the
code. Nevertheless, thanks for pointing it out.

~~~
endersshadow
DuckDuckGo also flags results as "Official Site," which is derived from
Wikipedia, as you can see here:
[https://duckduckgo.com/PuTTY](https://duckduckgo.com/PuTTY)

~~~
whoopdedo
But not if you go to
[https://duckduckgo.com/putty](https://duckduckgo.com/putty)

------
larrys
"It’s currently owned by someone named “denis bider”, who presumably just
likes to domain-squat on other people’s product names and provide links. "

Another slam against squatters as usual. I really really wish people would
stop with that already.

Whoever Denis Bider is he has no obligation to even put up links to putty. He
could sell the domain name maybe even to these people who don't appear to be
"using" (by the HN and generally acceptable definition of "using"). In other
words [http://putty.com/](http://putty.com/)

For the last time. There is no requirement to use a domain name and there
never has been a requirement to use a domain name. And there are many people
and companies who just sit on names and don't want to sell (because they don't
need the money).

Talk to google about duck.com and see if you can buy it. You won't be able to.

Anyway he could put up a webpage as his personal blog or any number of things.

Just because you happen to have a product using a particular name doesn't mean
you own that name in every tld (.com .net .org .info .us .biz and so on).

.org isn't even .com nor as desirable except perhaps for non profits.

------
cakeface
I'm feeling this severely with our build tools at the moment. I use Maven to
build all of my java projects. Maven will pull down library dependencies from
the Maven central repository or other independent repos that you may have
configured. I noticed recently that none of my Maven clients were validating
checksums on the libraries that we pull down.

This came about when the domain for codehaus.com expired and it transferred
over to a parked site that responded to all requests with advertising. I ended
up with a bunch of HTML files where I was expecting library jars. In this case
it was merely annoying and caused some tests and builds to fail. If they had
instead been providing malicious code that almost looked like legit libraries
it could have gone un-noticed for a long time.
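
An added example, not part of the comment above and not Maven's own code: a Python sketch that checks a downloaded dependency against a digest pinned ahead of time, covering both the parked-domain HTML response and a well-formed JAR with altered content. The coordinate, the sample bytes and every function name are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile


def build_jar(entries):
    """Build a small in-memory JAR (a ZIP archive) with fixed timestamps,
    so the same inputs always produce the same bytes and the same digest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_jar(data):
    """True only if the bytes parse as a ZIP archive with intact CRCs."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def verify_artifact(coordinate, data, pins):
    """Return (accepted, reason) for one downloaded dependency.

    `pins` maps a coordinate to the SHA-256 recorded when the dependency was
    first reviewed. It must live with the project, not on the download host.
    """
    expected = pins.get(coordinate)
    if expected is None:
        return False, "no pinned digest for this coordinate"
    if hmac.compare_digest(sha256_hex(data), expected):
        return True, "digest matches pin"
    # The digest decides acceptance; the format check only explains the failure.
    if not looks_like_jar(data):
        return False, "digest mismatch: response is not a JAR at all"
    return False, "digest mismatch: well-formed JAR with unexpected content"


def verify_with_sidecar(data, sidecar_hex):
    """Sidecar-only check: compare against a checksum file served by the same
    host as the artifact. Detects corruption, but whoever controls the host
    controls both files."""
    return hmac.compare_digest(sha256_hex(data), sidecar_hex.strip().lower())


# --- Constructed sample data (not real artifacts) -------------------------
COORD = "org.example:demo-lib:1.0"  # hypothetical coordinate
MANIFEST = b"Manifest-Version: 1.0\n"
GENUINE = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                     "demo/Lib.class": b"constructed-bytecode-v1"})
# What a parked domain returns for every request.
PARKED_PAGE = b"<!DOCTYPE html><html><body>This domain is for sale</body></html>"
# A valid archive with the same layout but different content.
LOOKALIKE = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                       "demo/Lib.class": b"constructed-bytecode-altered"})
# In practice this comes from a reviewed lockfile; computed here for the demo.
PINS = {COORD: sha256_hex(GENUINE)}


def run_demo():
    """Verify each constructed download against the pin set."""
    downloads = [
        ("genuine", COORD, GENUINE),
        ("parked domain", COORD, PARKED_PAGE),
        ("lookalike jar", COORD, LOOKALIKE),
        ("unpinned", "org.example:other:2.0", GENUINE),
    ]
    return {label: verify_artifact(coord, data, PINS)
            for label, coord, data in downloads}


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:14s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
    # A sidecar checksum published next to the lookalike agrees with it.
    print("sidecar check on lookalike:",
          verify_with_sidecar(LOOKALIKE, sha256_hex(LOOKALIKE)))
```

The last line of output shows why a checksum fetched from the same server as the artifact catches the HTML-instead-of-JAR failure only when the host forgets to serve a matching checksum; the pinned digest rejects both cases regardless.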

------
clienthunter
These concerns are remarkably similar to my recent experience[0] with the
Apple software update, which nobody on StackExchange seems interested in
answering. I'm still very much interested in educated opinions on that matter,
if anyone cares to take a look. I'd be particularly grateful if someone with
knowledge of TCP could explain to me whether or not all those duplicate ACKs
are of concern. (Note that I understand the question's assertions on code
signing may not be correct)

    
    
      [0]: http://security.stackexchange.com/questions/52357/what-is-going-on-with-my-download-of-the-recent-apple-security-update

------
acct
There is absolutely nothing wrong with HTTP. You are supposed to verify
signing keys _after_ you download them anyway, regardless of your source and
transfer method.

Yes, that may often be hard, or nearly impossible. WOT sadly often only works
for people you can personally verify anyway.

(With HTTPS, you better wish the author chose a reputable and more expensive
certificate authority which can be trusted not to give certificates without
proper proof of address ownership. Otherwise, verifying the website
certificate may be as hard as verifying personal keys.)

------
skrowl
Anyone else think it's kind of silly that he's a mac guy (all of his
screenshots are of old OS X) and his example is downloading PuTTY? Recent OS X
versions all come with ssh client.

~~~
lewispollard
First sentence:

> Let’s say you have a brand-new Windows laptop and you’re just oh, so happy.

It's a hypothetical situation (but one which windows users will likely
encounter if they want to use ssh)

------
peterwwillis
I've looked around, and the only free SSH tool for Windows that has a single
HTTPS mirror is 'kitty':
[https://www.wuala.com/9bis.com/public/build/](https://www.wuala.com/9bis.com/public/build/)

There's binary OpenSSH releases for Windows, but they're all hosted on sites
that don't do HTTPS. It seems like all Windows free software has a general
lack of following security best practices when releasing or mirroring
software.

------
huhtenberg

      Downloading *Putty* Safely Is Nearly Impossible.

------
batoure
It has always seemed strange to me that putty which is still probably the most
used ssh client for windows is available through such strange distribution
methods. I wholeheartedly appreciate the time the author took to rant-ishly
dissect this to a most myopic level. Even though it may reveal a most tortured
and disturbed psyche.

Step 18 is probably the inevitable step that follows thinking about something
too much.

------
cjensen
You could download the installer and notice that it is signed by Simon and
then feel secure. But writing a long rant works too.

------
nayades
Is the author seriously advertising google chrome as a safe way to download
software? The very browser known to exist to increase the reach of google
surveillance of what people do on the web doesn't seem to possibly be part of
a solution here.

Those who give up privacy expecting to gain download safety will lose both.

------
hughes
I noticed this the other day as well. I was trying to download GnuPG.
GnuPG.org, including the download page and checksums, is served entirely over
http.

Even if it is open source, am I expected to pore over thousands of lines of
code to verify that it hasn't been compromised?

------
RRRA
Now let's talk about how we are supposed to sign webApps in a way similar to
debian package distribution as to be able to actually trust one you d/l online
and be able to trace the update you might receive by revisiting the page?

------
EGreg
I wrote a blog article covering many of these issues. I am no Bruce Schneier,
but I think there are good solutions:

[https://news.ycombinator.com/item?id=7337976](https://news.ycombinator.com/item?id=7337976)

------
olalonde
This reminds me of "The Ken Thompson Hack"
[http://c2.com/cgi/wiki?TheKenThompsonHack](http://c2.com/cgi/wiki?TheKenThompsonHack)

------
goblin89
Flash Player updates are offered for download over insecure HTTP. Meanwhile
you can't run Flash until you install the update (I assume it was a security
fix).

------
cyrilic
[http://www.oldversion.com/windows/putty/](http://www.oldversion.com/windows/putty/)

------
dbbolton
This is (partly) why I install from the official Debian repos even if newer
versions of a piece of software are available on the web.

------
fluxon
I went through this exercise a year ago but was only about one-third as
vigilant as Chris. I still did step 18, though.

------
chrisdotcode
Is there actually a legitimate reason that the MIT PGP server _doesn't_ have
HTTPS?

~~~
acct
MIT GPG keys are unverified. HTTPS would only add a false sense of security -
you are supposed to verify the keys _after_ you download them (yes, it's not
easy, depending on how much verification you require).

------
MarkMc
Isn't the problem just that the developer has not signed the Putty binary?

------
fleitz
Yet despite it being nearly impossible it happens every day for 99.99% of
users.

------
volker48
Or you know you could just use linux.

------
ape4
Get putty from your old laptop

------
drcube
Use a package manager.

------
jijji
After reading his article, it looks like if you cared about security, you made
a mistake even before attempting to download putty.exe. Your first mistake was
to be installing Microsoft Windows as your OS. Once you did that, you threw
security out the window. You are already owned by the NSA. Not sure if you
know that or not. Good luck with whatever you do from that point on, it
doesn't really matter that you used https versus http. You were already
compromised.

