
> You don't appear to understand how the PGP web of trust works. The current release key is signed by the master key, which in turn has been signed by some keys which are indirectly cross-signed by a huge variety of developers many people are likely to recognize.

Actually I do. It is just such a niche thing that for the few who will validate the key even fewer will check it on the P2P web of trust (and any person2person trust network is only as good as its members, so there is room for abuse there). Web of trust is a failed concept that the current CA structure destroyed.

Worse still, some people will validate the key only, and if the executable validates they assume it must be by the author. That is a dangerous piece of misinformation that gives a false sense of security, in particular against state actors.

> I guess it's true to say WOT is useless unless you participate in it, but at this stage, it is of comparable uselessness as the existing CA system.

When you download software on Windows, Mac, and Linux it will first automatically check if the code signing certificate's root CA is in the trusted store, then it will check that the root CA actually signed the client CA, and finally it will check the client CA for validity. It does all of this for you behind the scenes and in a split second, then at least on Windows & OS X it will display a huge warning if it fails (or fail to load the executable entirely by default).

Essentially calling the current CA system "useless" is bizarre when it does all of this checking behind the scenes without any user intervention at all, and then warns the user when it fails. In particular when the web of trust is a convoluted mess of non-integrated software that less than 0.1% of users take advantage of, and even then need to manually remember to use and correctly interpret the result.

The way PuTTY is signed is non-standard and insecure. Web of trust is a failed concept.




So, what stops someone from getting a malicious app signed by the CA and then MITMing your PuTTY download with that? (based on a quick websearch, a code signing certificate is about $70)


Based on a similarly quick websearch, even a non-EV code signing certificate seems to require jumping through a number of hoops:

https://www.dougv.com/2008/09/my-experience-getting-a-code-s...

If you secure your official download page via HTTPS, MITMing that connection requires getting your website cert signed by a CA. Which, while possible (see: DigiNotar) tends to be something the CAs try to avoid - lest they lose their license to print money by having their certificates revoked by browser vendors.



