Downloading PuTTY Safely Is Nearly Impossible (2014) (noncombatant.org)
264 points by Rondom on May 20, 2015 | 166 comments

None of which would have mattered if Putty.exe was codesigned. Unfortunately it is not.

Code signing certificates are insanely expensive. The cheapest one I could find from a CA was $73/year (3 year minimum). I could go on a long rant now about how much CAs are in collusion and how they're making everyone more insecure through their pricing, but that would be redundant as I think "everyone knows that" by now.

Let's Encrypt are welcome (when they arrive), but they still don't offer Code Signing, Wildcard Certificates, and so on. The whole certificate/CA industry needs change, Let's Encrypt doesn't go nearly far enough. I blame Microsoft, Mozilla, and Apple primarily as they decide who gets to be a CA, and could allow non-profits and other disruptive startups into the space if they wished.

"None of which would have mattered if Putty.exe was codesigned. Unfortunately it is not."

You mean Authenticode on Windows? I once had an Authenticode code signing cert that I used to sign Windows executables. Mostly, I signed hobby projects with it.

I wrote a proof of concept keystroke logger for Windows, then Authenticode signed it and made it available along with source code for others to experiment with and review.

Several years later, some customers of Zemana and Comodo complained that the keystroke detection/security software (that they had paid money for) did not detect my keystroke logging software.

This caused a big fuss. Even though my software had been available for years, was code signed, came with full source code and was clearly labeled for educational purposes only, the security companies sent takedown notices to my ISP, placed my domain on DNS blacklists and 'fixed' the issue by declaring any exe signed by my Authenticode cert as malicious. Their customers were then happy and felt safer as it was now 'detected'.

The real issue was that the security software trusted any code that was Authenticode signed and let it run no matter what. There was a check-box somewhere to disable that, but long story short, I would not say that Authenticode code signing is a big security benefit today. It may help some, but not much. Maybe in the future.

I still have the Keystroke logger source code: https://github.com/w8rbt/keycap

Someone with an Authenticode cert should compile it and then sign it and see if it still gets by the security vendors.

Signing verifies identity, nothing more. That keylogger was yours. In this case, signing putty tells us that it comes from the putty maintainer. The content, what it actually does, whether its not malware inside, etc doesn't matter.

Putty should be signed, imo.

I was merely suggesting it as a way to verify who created that binary of Putty. Nothing more, nothing less. If you ignore who signed the binary completely, yes, it could be open to abuse.

The "browser" half of the CAB forum is happy to accept new CAs that meet their standards. Non-profits and disruptive startups are finding that difficult, as they should—it's hard to run a CA safely. It's not hard like curing cancer is hard, or even like heart surgery is hard. It's hard like avoiding iatrogenic infection is hard: it requires constant and diligent adherence to rules in the presence of no visible threat.

LE are a wonderful start, and they are succeeding in part because they're moving slowly. I expect them to go further, but only with full understanding of the obligations they take on by doing so. They're very, very right to be conservative in their operational practice, because they'll be allowed no more slack than anybody else, and maybe less.

Could something like LE have started ten years ago? Maybe, but nobody did. CAcert.org was a lovely dream, but didn't (and couldn't) hold to those standards of diligent practice.

The "browser" half of the CAB forum is happy to accept new CAs that meet their standards. Non-profits and disruptive startups are finding that difficult, as they should—it's hard to run a CA safely.

This is something that Google should do.

$73/year is not free but calling it "insanely expensive" is pretty unfair.

While I fully understand where you are coming from let's try and remember that putty is 100% free and I'd bet money the author puts in more time/energy/money than he gets back from it. That means that ANY money spent is more money in the hole making $73/yr ($219 all at once b/c you have to pay for 3 years) quite a bit of money.

I suspect that if the Putty dev created a Patreon for code signing, and posted it on HN and Reddit, he'd almost immediately have that $73/yr covered for the foreseeable future.

No doubt but we all need to remember that sometimes accepting money is more trouble than it's worth. I know that sounds crazy but people taking donations have to declare that on their taxes and some people don't want to deal with that. Also while crowdfunding platforms have gotten really easy they still take effort and sometimes some sort of verification process. It's obvious the putty dev is not a designer (I don't say that to be mean) so I'm sure there would be people here on HN that would be all like "Ugh, this guy is asking for money and he can't take 2 minutes to make his funding site look halfway decent???" (Those people would be classified as douches but that wouldn't stop them from making the comment nor the dev potentially reading them).

Lastly let's say he gets the money and takes care of the taxes and all of that. Now he has to get a code signing cert (not a fast or easy process I would assume) and add that to the list of things he needs to do for each release. We are talking about a non-trivial amount of work over a month or more all so that people will stop bitching about the FREE and OPEN SOURCE product he is producing...

If you find code signing/HTTPS to be so important I suggest you do it yourself, the code is freely available and since it's under an MIT licence you can even SELL access to your code-signed and https-protected putty version. I'm not saying that either of these things are not important (they both are) but let's not jump down the dev's throat because they aren't giving up even more of their time on something they see no return on.

I certainly don't mean to jump down the dev's throat -- I have been using Putty for years (without, I must admit, a second thought about whether the binary might be compromised) with nothing but gratitude. And I don't think anyone else should direct their complaints at the dev either. My comments are addressed to those who complain, in a general way, that it is not easy enough for a developer to write trusted code.

Putty seeks to perform a security-critical function. It may simply not be realistic to expect that someone can simply step into the market and provide such a tool safely, without putting some effort into building trust with users through, e.g., a code signing certificate. That, after all, is one of the reasons why trust works--it is non-trivial to build.

Again, I don't blame a developer for not doing these things, and I am all for helping developers jump through the hoops they need to jump through, if they are willing.

I understand what you are saying about "Putty seeks to perform a security-critical function." and therefore it should take these things into account (in a perfect world). I don't speak for all developers, obviously, but I'd wager a guess that most developers don't code (for OS at least) to "corner the market" or essentially become and run a mini-corporation (Twitter, Blog, Github, HTTPS, Code Signing, Website w/ Landing page, etc). They do it to scratch their own itch or to help someone else scratch theirs. Once they finish they upload it to github or some code-hosting platform as way to share the work they've done and contribute back into the community. TBH we are lucky they do even that. To ask them to provide and maintain extra processes just seems a little wrong. I get that code-signing and HTTPS ARE important and probably needed for a tool like this but I think the question we should be asking is "How can we help get to that point?" and not "Why hasn't the developer done this already?!?!". The fact that the developer continues to update/bug fix this program is amazing (as recently as "2015-02-28") and I worry about driving off a developer/contributor just because they didn't do a few things that probably don't interest them at all.

I say all of that less towards you and more generally in the context of this thread as you did point out "I am all for helping developers jump through the hoops they need to jump through, if they are willing".

Sounds like we're in agreement.

But what can we do? I don't think it's realistic to expect anyone to issue code-signing certs for free. Any credible process for issuing the certs, it seems to me, would be too resource intensive for anyone but a charity to do for free.

For projects like Putty it probably won't be a problem to raise money for the cert, if the dev wants to go that route. But I don't know what's to be done about the dev who, understandably, just isn't interested in dealing with all that entails, or projects with smaller followings than Putty.

Do we need to start some sort of organization to help hobbyist and independent devs with this problem? Even if there were a group of people willing to take this on, (I might be), would it be a good idea? Taking on the responsibility of verifying a dev's identity and helping him or her with things like code signing certificates seems like a liability nightmare, for one thing.

I think joshstrange has it right: the easiest way for everyone is to do it yourself and take the original developer out of the loop. There's no reason the person who writes the code and the person who handles the certified distribution need to be the same. Set up a site 'pdabbadabba's signed distribution of putty (and perhaps of whatever other open source programs you think merit such),' get the certificate yourself, offer downloads and ask users for money to cover the costs.

A fair point, and I'm actually tempted to do just that. I wonder, though: why on earth would anyone trust code that I have signed? At least the developer has (maybe) built some level of trust. But what's the benefit of signing by some random third party?

Trust is built by things like time and social proof. Whether you're the person who wrote the code doesn't really come into it. Look at how it works on Linux: most people install most software via package managers. Nobody expects the person who wrote the code to be the same as the person who has the knowledge and resources to package stuff for Debian or whatever. The Debian packagers have earned trust over time. You could do the same thing.

This is fine, but for anyone to be able to actually trust that this person's signed distribution of some piece software is actually safe then you would have to assume that the person has some way of obtaining the source code from a place that they themselves trust. If they don't write the code and have no access to any other signed version this may be difficult.

Linux packagers seem to have successfully solved this problem. I imagine it's at least in part because it makes sense for them to put in a bit more effort (e.g. email to the author to make sure they have the right version, if necessary) to save every user having to redo it.

I think cash gifts are tax-free in the UK, with the possible exception of large sums given shortly before someone dies (which would become subject to inheritance tax).

The FAQ gives an address for Paypal donations / beer money: http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#f...

Oh, FFS, I write a free terminal emulator with a fraction of the users of PuTTY, I pay $100/year to sign it, and O($100)/year in hosting + CA fees. Donations cover it easily.

And then some - I don't see a donate link anywhere on putty.org or the linked sites, but who wouldn't donate 5 bucks to putty, when they use it for free basically every day? I've paid 5 bucks for less useful programs.

I remember reading the statement about beer and curry some years ago, so I knew there was a link somewhere: http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#f...

Or "paid version is signed, free version is not."

That may be true, but it's so little that I'm sure he could find thousands of people/companies that would be happy to sponsor this. Including me.

There's a non-trivial paperwork requirement too. I'd have no problem paying and getting a cert from the comfort of your chair like you can do with SSL. However for code signing I have to take time out of the day to visit a notary public to verify my identity as part of the process. This is likely also going to cost additional money.

TIL: $73/year is "insanely expensive".

Literally cheaper than sponsoring an African child or paying Sarah McLachlan to stop using commercials to make me cry.

Would you mind paying for a code signing and two wildcard certificates for me then, please? Yearly, of course.

I would cover the costs out of my profits, but the $0.00/yr I am pulling in from my open source projects doesn't quite cover it, let alone the $200/yr for the VPS and domain registration.

What are you adding to his productivity? I'd pay it if you were as useful as putty.

Without relaxation, it's very hard to be productive (byuu develops Nintendo emulators).

If SSL is free and easy (especially if it's automatable) to generate through Let's Encrypt, the use case for wildcards mostly goes away.

> When Let’s Encrypt launches in mid-2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server:

"When" being the keyword. Also they don't, as of this post, do code signing...

Excuse me for being a pedant, but wouldn't Let's Encrypt end up being just another potential attack surface?

No more than the existing for-pay SSL providers, I'd imagine. What sort of attacks are you proposing?

With code signing there remains the problem that how do I figure out who to trust. I don't remember the exact details for the author of PuTTY.

This is silly, Chris. :)

PuTTY is MIT licensed.

The primary author of PuTTY is unserious about traceable code, which is a shame, because as your essay implies, PuTTY is one of the motivating cases for traceable code. It's an actual lucrative real-world target for surreptitious replacement.

Clearly, the world cannot rely on PuTTY's author to provide a traceable download. Someone else needs to step in and do that.

That person can set up an HTTPS site, arrange to have their certificates pinned, get PGP-signed endorsements from people like you, the EFF, whatever, and --- given how awful PuTTY's SEO mojo is, easily take the top of the Google SERP for PuTTY with a reliable, traceable alternative.

What any of this has to do with WebCrypto is beyond me.

> It's an actual lucrative real-world target for surreptitious replacement

From yesterday: "Trojanized PuTTY"


Maybe https://github.com/bliker/cmder could be that alternative? Not sure on the traceability status, but I used to use PuTTY a ton for work, and not because I liked it, just....there was nothing else which worked as well, even though it sucked (no tabs etc).

This is really just a rant about how poorly PuTTY is distributed. (and a vague implication that it is malware of some sort).

I think it is a valid criticism, and I wish the person who wrote PuTTy (an SSH client for windows) would be more open/available/transparent but it is hard to force that on someone.

This is not just a rant. As of two days ago, there is a hostile version of PuTTY in the wild.[1][2] It's on some mirror sites distributing open source software. It steals login credentials. Right now, it's essential to be able to tell the good one from the bad ones, and it's not easy.

[1] http://www.symantec.com/connect/blogs/check-your-sources-tro... [2] http://blogs.cisco.com/security/trojanized-putty-software

This really should be a top level comment. I was unaware of this as an issue, and a couple of HN posts on this topic got no traction. Thanks for bringing it up!

> As of two days ago, there is a hostile version of PuTTY

A small correction -- from the symantec blog post:

"this file has been in the wild since late 2013 and it was first seen in Virus Total around the same time. However, we have only seen this sample broadly distributed recently. Distribution in 2013 was minimal, and we saw a gap of a year and a half before it reappeared again."

Interesting, this should be in the original article as well! I used Putty a lot until I switched my desktop to Linux full time.

The original article is from over a year ago. It wasn't in response to anything in particular, but it doesn't have to be.

If you see something potentially vulnerable, you don't have to wait until it's been exploited to report it.

I would argue this is a problem because of the lack of an actual package manager for the distros putty is used on.

If there was a formal package management system in place for these OSs this would have been less of a problem from the beginning, but they're only getting around to it now as I understand it.

> but it is hard to force that on someone

Everyone who distributes exe files should include some form of authentication otherwise you are just sloppy. In all likelihood he doesn't check authenticity of software on his end so you can imagine other risks as well.

This really just highlights the fact that Windows ships with no tools to establish any kind of verified trust chain. No md5sum, no authenticated package management, no native ssh client. Being concerned about privacy and security and running Windows may be mutually incompatible.

> no tools to establish any kind of verified trust chain

You're wrong, there is a code signature verification built into Windows, if the EXE is signed, from the GUI you just have to right click on the file, select "Digital Signatures" and click twice on the signature.

Putty however isn't signed. Maybe it would be good to motivate Simon Tatham to start doing this. He should be somehow supported for that.

The signature doesn't solve too much (e.g. imagine Putty is signed by Acme Inc -- how do we know that Simon actually worked for Acme Inc at the moment he signed, that is, how do we know we should expect Putty to be signed by Acme Inc, and what if it's signed by Acme LLC, is that the same company etc -- we still need some channels to spread the right information, and when we have them, spreading the right checksums of the binaries would also be enough) but it is probably better than nothing.

> This really just highlights the fact that Windows ships with no tools to establish any kind of verified trust chain.

It has HTTPS and FTPS support natively. It also supports generating hashes in SHA1, SHA256, SHA384, SHA512, MACTripleDES, MD5, and RIPEMD160 using the aptly named Get-FileHash cmdlet.

> no authenticated package management

MSI installers can (and should) be signed, as well as many other Windows installers and other binaries. Windows 10 supports "real" package management, but security is unimpacted directly.

> Being concerned about privacy and security and running Windows may be mutually incompatible.

You've given zero plausible reasons for believing so. All you've demonstrated here is that you know little about Windows and what the term "verified trust chain" means.

Just Windows supporting HTTPS alone more or less ruins your point.

Linux doesn't technically come with those either; they're all separate programs that distributions happen to include.

Windows has an SSH-like framework for PowerShell[1]. One could argue that Linux doesn't ship with tools for connecting to non-Linux hosts, so why should Windows ship with tools for connecting to Linux hosts?

It will have package management in Windows 10 [2].

Powershell can get the hash of a file in many different algorithms.

[1] https://technet.microsoft.com/en-us/magazine/ff700227.aspx [2] https://github.com/OneGet/oneget

> Linux doesn't technically come with those either; they're all separate programs that distributions happen to include.

But isn't Windows more like "a distribution of Linux" than "the bare Linux kernel"? When I choose to trust a distribution of Linux (or a BSD or any other complete operating system) I extend that trust to the ecosystem's package manager which usually includes mechanisms for verification. Downloading putty is not a case of trying to connect to a Linux host, though, and SSH is not a linux-only (or even linux originated) protocol.

I was just looking at OneGet and it seems like a huge boon to the Windows ecosystem. From my limited research Windows 10 looks pretty nice and is the first version since XP that I may be interested in using.

> One could argue that Linux doesn't ship with tools for connecting to non-Linux hosts

Except it does, to the extent that vendors make it possible: any repository will have at least one RDP client of sorts (probably half-baked, because the protocol is what it is), and Samba is standard fare. Almost any other OS supports SSH, so yeah, Linux in fact does ship with tools to connect to non-Linux hosts, and plenty of them. (Btw, connecting Windows to NFS shares out of the box is much harder than connecting Linux oob to SMB shares...)

If there is one thing that would help Microsoft immensely, in their attempts at gaining some traction "in the cloud", is out-of-the-box SSH support. Powershell might be nice but it will never work on anything that is not Windows, so it's fundamentally useless for remote work.

Windows 8 ships with a version of Powershell that has builtin Get-FileHash command which can do SHA1, SHA2 (256/384/512), MACTripleDES, MD5 and RIPEMD160.
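The built-in checks mentioned in this thread (the "Digital Signatures" tab, Get-FileHash) can be scripted from PowerShell. The following is an added example, not code from the thread or from the PuTTY project: it hashes a download, checks its Authenticode status, and pins the signer's certificate thumbprint, which addresses the "is the signer really the expected author?" question raised elsewhere in the discussion. The expected hash and thumbprint are placeholders you would obtain over a channel you trust more than the download itself; `Test-DownloadedBinary` is a name chosen here.

```powershell
function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholders: obtain these out of band (e.g. from a PGP-signed announcement).
        [string] $ExpectedSha256 = 'PLACEHOLDER_SHA256_FROM_TRUSTED_CHANNEL',
        [string] $ExpectedSignerThumbprint = 'PLACEHOLDER_THUMBPRINT_OF_EXPECTED_SIGNER'
    )

    $result = [ordered]@{ HashMatches = $false; SignatureStatus = $null; SignatureValid = $false; Signer = $null; SignerMatches = $false }

    # 1. Hash check. Only meaningful if the expected value came from somewhere an
    #    attacker who could swap the file could not also swap the hash.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($actual -eq $ExpectedSha256)   # -eq is case-insensitive for strings

    # 2. Authenticode check: signature cryptographically valid AND chains to a trusted root.
    #    An unsigned file (putty.exe at the time of this thread) reports 'NotSigned'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.SignatureValid  = ($sig.Status -eq 'Valid')

    # 3. Signer pinning. 'Valid' only proves that some CA-vetted identity signed the
    #    file; it does not prove it was the identity you expect, so compare the
    #    certificate thumbprint to one you recorded earlier.
    if ($sig.SignerCertificate) {
        $result.Signer        = $sig.SignerCertificate.Subject
        $result.SignerMatches = ($sig.SignerCertificate.Thumbprint -eq $ExpectedSignerThumbprint)
    }

    [pscustomobject]$result
}

# Usage (constructed example): all three fields should be $true before you run the file.
Test-DownloadedBinary -Path .\putty.exe -ExpectedSha256 'PLACEHOLDER_SHA256_FROM_TRUSTED_CHANNEL' -ExpectedSignerThumbprint 'PLACEHOLDER_THUMBPRINT_OF_EXPECTED_SIGNER'
```

The three checks answer different questions: the hash says "is this the bytes I was told to expect", the Authenticode status says "did a CA-vetted identity sign it and is the chain intact", and the thumbprint comparison says "is it the identity I expect". A file that is merely unsigned fails the second and third checks but still has a usable hash, which is the situation PuTTY users were in when this thread was written.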

What I do is upload my downloads to VirusTotal. That way I can get assurance it's the same file that's been around for a while. Hopefully if it was Trojaned, someone would have reported it. Certainly won't stop a secretly compromised version, but it's a start.

I do that too, but it's no kind of assurance as any half-competent hacker would test his trojaned versions against various anti-virus software and when it passes all upload it to VirusTotal and similar sites to convince people who rely on such sites. Best thing you can do is to download it from multiple internet connections (via VPN/TOR) and hope that any mitm is closer to your side and not server's side.

certutil -hashfile

Windows does come with tools to establish a verified trust chain...it's just not using ssh. I'm not sure what you mean by authenticated package management, but Windows does authenticate packages that have certificates and you can manage certificates that you trust. What else do you want to do?

And I'm fairly certain that Windows comes with even more robust tools out of the box for network trust management than Linux does - at least when it comes to managing networks of Windows machines. I could be wrong. I don't know many people who run office networks full of Linux boxes for comparison and maybe there is really no "out of the box" with Linux...but Windows does have controls baked in for trust and security.

Fair points. I haven't used Windows since XP so my information is a bit dated but it does look like they've made some progress in this arena. Putty is from a time where most windows software was installed from random .exes on the internet, though. I suspect due to the age of the win32 ecosystem much software still is installed this way in Windows environments.

You're right that a lot of Windows executables and installers are still unsigned. The check of the signature is still something that a plain user wouldn't know how to do. The only place where Windows really enforces the signatures is 64-bit drivers.

Another important question is: even if there is a valid signature, how can the user know if the signer of the downloaded file is really the expected author?

The reliance on PuTTY exists because Microsoft does not ship basic SSH capabilities as part of Windows. Similarly Microsoft does not provide read/write capability for Linux file systems. In this way Microsoft creates impedance for Linux and other *nix adoption in places running Windows desktops. It's just that little bit extra friction that makes using Linux a bit more of a PITA than it needs to be.

This is an article from 2014. Previous discussion: https://news.ycombinator.com/item?id=7334269

The second-to-last point makes zero sense in this context. What makes you think that your browser is any more trustworthy?

And of course, none of this matters when you're running this software on a closed-source operating system - one which you, therefore, have virtually-zero ability to independently audit. So even if your programs are perfectly trustworthy, the underlying operating system has free rein to compromise them without you being able to detect it or do anything about it.

Probably the most surefire way of being actually secure is to drive to Calgary and pay Theo de Raadt to burn you an OpenBSD CD-ROM right before your eyes, then install it on your computer (and even this is fraught with danger; who's to say that Theo isn't going to backdoor your installation?). Virtually every other method of installing anything is insecure, whether you download the thing or have the thing mailed to you or what have you (the sole exception being to download the source code, manually audit it yourself, and manually hand-compile it to machine code - can't trust that compiler to not be compromised, after all). And on that note, you therefore still can't trust Theo's custom-made OpenBSD CD-ROM, since he very well might have compiled it with a compromised compiler, so now you have to take the OpenBSD source code and hand-compile that to machine code before you can do anything else.

One thing that seems ignored in some of the threads where people mention alternatives is that one of the historical advantages for putty (compared to cygwin, git's tools, etc.) has been that it is portable in that it does not require running an installer. This has been useful if you are on somebody else's machine and you don't want to have to remember to uninstall it afterwards and can also be useful if you are logged in as a user without many permissions.

That said, I haven't used Windows for awhile so maybe those reasons don't exist any more (perhaps it isn't a problem to install a Windows 8/10 app on someone else's machine or within a restricted corporate environment) or maybe there are some good browser-based alternatives.

> Briefly wonder if Tatham’s PGP keys are noted in a central registry, such as MIT’s PGP key server. Nope.

Putty's keys are on the MIT server if you search for "putty": http://pgp.mit.edu/pks/lookup?search=putty&op=index

Still, agreed, it's a lot of work -- most people won't have gpg/pgp installed. Someone should sponsor Simon's codesigning cert for now.
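Finding a key on a keyserver is only half of the PGP route; a keyserver will happily hand out any key that claims an address, so the fingerprint has to be pinned from somewhere else and the detached signature checked against it. The following is an added example, not from the thread or the PuTTY project, and assumes gpg.exe (e.g. from Gpg4win) is on the PATH; the key ID, fingerprint and signature file name are placeholders, and `Test-PgpSignedDownload` is a name chosen here. It uses gpg's machine-readable `--status-fd` output rather than parsing the human-readable text.

```powershell
function Test-PgpSignedDownload {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Signature,          # detached signature (.sig or .asc)
        [Parameter(Mandatory)] [string] $ExpectedFingerprint  # 40 hex chars, pinned out of band
    )

    # --status-fd 1 makes gpg print lines of the form "[GNUPG:] KEYWORD ..." on stdout.
    # stderr (the human-readable report) is discarded here; see $LASTEXITCODE for failures.
    $status = & gpg --status-fd 1 --verify $Signature $File 2>$null

    # VALIDSIG is only emitted when the signature is cryptographically good.
    $validSig = $status | Where-Object { $_ -like '[GNUPG:] VALIDSIG *' } | Select-Object -First 1
    if (-not $validSig) {
        return [pscustomobject]@{ Valid = $false; PrimaryFingerprint = $null; Pinned = $false }
    }

    # VALIDSIG fields: <signing-key fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
    # <hash-algo> <sig-class> <primary-key fpr>. The last field is the primary key's
    # fingerprint, which is what you pin (signing subkeys may rotate).
    $fields  = ($validSig -split '\s+')
    $primary = $fields[-1]
    $pinned  = ($primary -eq ($ExpectedFingerprint -replace '\s', ''))

    [pscustomobject]@{ Valid = $true; PrimaryFingerprint = $primary; Pinned = $pinned }
}

# Usage (constructed example):
#   gpg --keyserver hkp://pgp.mit.edu --recv-keys PLACEHOLDER_KEY_ID   # fetch the key first
#   Test-PgpSignedDownload -File .\putty.exe -Signature .\putty.exe.sig -ExpectedFingerprint 'PLACEHOLDER_40_HEX_FINGERPRINT'
```

A result of `Valid = $true` with `Pinned = $false` is the case the thread warns about: a perfectly good signature from a key that is not the one you meant to trust. Treat it as a failure.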

Putty is pretty awful anyway. Git for windows installs a shell that is not terrible, includes an ssh client, and is distributed over https. It is my go-to when I have to use a windows machine.

I switched to mobaxterm [http://mobaxterm.mobatek.net] a few weeks ago. I am so happy with the program. It has some cool bells and whistles but it has built in X server. So it does X Forwarding out of the box.

I've been running mobaxterm for around three years now, the "just works" X server was the killer feature for me. Never looked back. I even paid for the "pro" edition to support their work on it.

Moba feels slow sometimes; I don't like its custom UI; I don't understand how it's FOSS /and/ has a pro-only version.

Its built-in SSH server is great for moving files to and from my workstation quickly when I need it.

Many FOSS projects have Pro versions (Redhat Linux / Cent OS Linux)

Best One Liner about commercial Open Source software: The only kind of profit strategy that is incompatible with Open Source is monopoly-based sales, also known as "royalties". (http://opensource.org/faq#profit)

But Moba isn't selling support. They're giving out crippleware and charging money for a professional version based on the core. How are the modifications that make the pro version not required to be open source?

Cripple software is not monopoly based system called "Royalties."

THANKS! I've been looking for something useable for a long time.

It's actually including a subset of cygwin built with a fork of mingw, which includes the openssh-clients. It's the same as if you installed cygwin and used ssh from that.

That being said, when I'm looking for git and friends I like to go further and install more of cygwin to run the native port of rxvt and then run ssh inside of THAT.

So it's not really a solution for a shell in the way that PuTTY is, since PuTTY also is a decent terminal emulator for Windows. Not the greatest, but decent. It's the single-binary, run from a thumbdrive option.

> I like to go further and install more of cygwin to run the native port of rxvt and then run ssh inside of THAT.

Let me buy you a beer. I just run linux.

And I'd buy you the next round!

Dealing with mixed OS environments... it keeps you busy.

What causes you to say that putty is pretty awful?

One acronym: PPK

Most of the people I know that use putty really use MTPutty [0] nowadays for multiple tabbed terminal windows. I haven't touched windows in years but if I were to go back I would use cygwin or similar before I used putty.

[0] http://ttyplus.com/multi-tabbed-putty/

How about the fact that it's awful?

Can you seriously compare PuTTY with even the most lacklustre terminal available on OS X or Linux? It's an atrocity of UX design straight out of the Windows 95 era.

Their home page is also the epitome of not caring about user experience even to the slightest degree. Nearly zero effort: http://www.chiark.greenend.org.uk/~sgtatham/putty/

I've seen people construct more impressive pages given only a few hours of HTML and CSS training. I'm not even kidding.

I'm not saying everything has to be slick and beautiful, but there's a thing called pride in craftsmanship, and PuTTY has none of that. It's just sad.

> What causes you to say that it's awful?

> How about the fact that it's awful?

Is this really what passes today for a decent reply? It's an atrocity of attempted logic straight of the Windows 95 era.

The logic used is also the epitome of not caring about putting up a decent argument even to the slightest degree. Nearly zero effort.

I've seen people construct more impressive arguments given only a kindergarten education. I'm not even kidding.

I'm not saying everything has to be lengthy and grammatically correct, but there's such a thing called pride in logic, and astrodust has none of that. It's just sad.

Best response or bestest response? Methinks it's the bestest.

The home page is clearly organized and readable, only having some text and links. What more do you want from a website that only exists to distribute one program? There's a link to the download page right on top. It's more than good enough. Do you need flashy CSS animations and a Konami Code to find a website cool enough for you?

There's not a single thing wrong with PuTTY's UX either. The terminal area is just a terminal area that does what it's supposed to and behaves exactly like any other terminal emulator, and the options are clearly organized. There is literally no meaningful change you could make to improve its UX because it's already optimal.

It's a well designed win32 application, designed to the portable as far as windows applications go. I just don't get the hate on PuTTY.

I support the love. PuTTY serves well as an SSH client, many complaints here are about other issues like security, https, trusting binaries, GUIs, and really it's not fair to Simon and team who kindly released the program for us all to use. Nowadays I only use it when I'm unfortunate enough to need to do work on a Windows machine. Thanks guys for releasing this free software.


I don't see the rush of elephants to fork it, or write a replacement either, just a bunch of passive complaining.

It's a functional application. It's not well designed. It's not "portable". The hate is because it is so mediocre it's insulting to anyone who uses Windows and has to suffer through it.

If you prefer it, that's fine, but some people expect a bit more from their tools than merely being "functional" no matter how ugly.

It runs on various unixes (without wine), it ran on win32 Alpha (another meaning of the word portable) - I'll give you ugly, but it's fully functional, and arguably much easier to use than the command line openssh-client.

Well designed can refer to more than just the interface. It meets historical Windows human interface guidelines too.

I'd also suggest that it's an open source project, and could be forked, with a new UI wrapped around the existing pretty good terminal emulation.

I am pretty sure that putty is portable.

I think portable here is referring to being able to run software from a USB drive without running an installer or just being able to download a file into a temporary folder and removing trace of it by deleting the folder when done. I feel a lot of the initial love for putty was the fact that it was portable (and it also helped back in the day that the download was so small, too.)

It is possible as far as I know that it doesn't meet the formal definition in some way, but since you used the term in air quotes and didn't qualify it (like 'but it stores settings in the registry' or similar), I think you may be interpreting the term differently (i.e. I don't think the term is being used to suggest that you can use the same executable across operating systems.)

> There's not a single thing wrong with PuTTY's UX either.

Yes, there is. It garbles some characters. Ncurses-based applications sometimes look like a hot mess.

This symptom can point to your translation being incompatible with the text stream the terminal is being presented with. That problem may be overcome by switching putty's 'character code' setting to UTF8.

I wonder how much of the hate here is from people who don't understand the problems that are inherent to writing a terminal emulator. It makes sense to be frustrated by it, but it's not putty's fault.

I've been using putty for about fifteen years, and use ncurses extensively. The only thing I've wanted to do in PuTTY that I've been unable to (that I can remember) is to get 24-bit colour working. It may be that I'm making the situation artificially simple for myself because I run everything in tmux, which may filter some translation issues.

Your point in another thread about the putty defaults being non-standard is a good point, and the only meaningful criticism I can see of it here. Not defaulting to UTF8 may be another.

> What more do you want from a website that only exists to distribute one program?


IMHO PuTTY's default behaviour of pasting the clipboard's contents on right click is really annoying and unexplainable; neither native Windows apps nor Unix xterms work like that. At our university we use IRC (via SSH+Screen+irssi mostly) for communication and every year I see over a dozen people tripping into that.

Also, the default encoding was changed to UTF-8 only quite recently - IMO that should have been done much earlier.

> neither native Windows apps nor Unix xterms work like that

That's because it's middle-click instead of right-click in X. But Windows traditionally did not have 3-button mice, so right-click it is. I use middle-click to paste several times per hour.

Clearly Stockholm Syndrome has set in here.

That page is awful. Period. What do I want from a website that exists to distribute one program? Some effort. Some class. Something more than the software equivalent of being wrapped in greasy newspaper.

When you say "its UX because it's already optimal" you're basically saying "I do not value fit and finish, I am purely interested in functionality, I also make my own underwear out of used socks."

Why am I so upset? It's because of this attitude. Taking the time to make a nice page and present your software with pride shows you care. Using the same old HTML from 1997 says you don't care.

Would it kill programmers to talk to designers and do some knowledge sharing?

You want a pretty web page for a terminal client? Are you not seeing the irony here?

Have you ever actually used an awful web page? Open a current website in IE4 or something. Awful means "doesn't work".

I think the page is nice. Fast, usable, and seems to contain a ton of content. I don't think anyone was slacking when they put this together.

Maybe he should put that same content into a Twitter Bootstrap site

Wait... you think a terminal emulator, which by definition has almost no graphical UI at its heart, is crap because of its UI? Really? You think the entire program is crap because, what, you don't like how the Preferences panel is laid out?

To be fair, the only piece of UI in Putty that one needs besides the actual shell, namely adding and managing the hosts that you connect to, is absolutely broken beyond imagination. It has always been like that and it probably will be. Of course if one never ever uses the UI, then it's ok, but putty more or less forces one to use it.

I know exactly what you're talking about but "broken beyond imagination" is pushing it a bit.

I agree it's not obvious how to use that portion of the UI, and the UI is far from ideal, but once you understand how it switches profiles, then you're pretty much set. That issue doesn't occur again anywhere else in the application so it's a rather minor issue if you ask me.

>Can you seriously compare PuTTY with even the most lacklustre terminal available on OS X or Linux?

Yes, I can compare. PuTTY is superior to the default xubuntu terminal, whatever it is.

1. I can configure it to connect to a specific server automatically, including setting up all required SSH tunnels. On Linux I have to write shell scripts.

2. It lets you automatically set up a SOCKS proxy that sends my traffic through the remote server.

3. Selecting text copies it straight to clipboard. Copying to middle-click buffer is much less convenient, because I often want to replace other selected text with what I selected in terminal.

If somebody wants the website to look better, I recommend hacking on Halibut (http://www.chiark.greenend.org.uk/~sgtatham/halibut/) which is a document preparation system built by the same author and used to create the site.

"Their home page is also the epitome of not caring about user experience even to the slightest degree. Nearly zero effort"

I wish more websites were functional and clean like that.

I agree. I find installing Cygwin, which installs MinTTY, is a much better experience, especially since you get normal ssh instead of a Gui-wrapped ssh.

Oh yes, I almost forgot about MinTTY!

A more focused, no-networking kind of PuTTY. Reads your settings from your "home directory" on windows, very handy.

People don't like writing terminal emulators. I don't blame them!!!

Question: Do you mean msysgit, or something else? I almost never use windows but this would be nice for those rare occasions. Thanks in advance.

that's mintty... which is just a slightly modified putty

Another reason to prefer the unix-like tools (that are included with Git for Windows (http://git-scm.com/downloads) but are also available separately) over PuTTY is Vagrant: it can't run "vagrant ssh" on Windows otherwise.

Also, you'd always need dedicated key files because PuTTY uses PPK instead of regular OpenSSH ones.

I just started using Vagrant on Windows and I'm really liking using it through Cygwin.

putty can convert to and from openssh key files.

And to top it off, what size are his PGP signing keys? http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html

1024-bit RSA, and 1024-bit DSA.

Please see my comment earlier today about why that's Very Bad™ in the thread on the "Logjam" attack which shows that 1024-bit keys are too small for safe use now: https://news.ycombinator.com/item?id=9577998

Come on, Simon, I know you know better than that. It really is time to upgrade.

It seems fairly clear that Simon isn't wildly motivated to stay on top of the ball here, and that's OK. Despite how many people seem to feel, he doesn't owe us anything. He released the software; we can take it, we can not take it.

Title should be "Downloading Putty Safely Is Nearly Impossible"

Don't most people install stuff in Windows through Ninite when possible these days? I know it has at least one SSH client. And in my experience, the vast majority of good software is at the top of any search query.

> Don't most people install stuff in Windows through Ninite when possible these days?

No, most people do not.

Windows user for 20+ years. I've never heard of Ninite.

I haven't touched windows in close to 5 years but it's pretty awesome for when you are rebuilding a machine and want to install a bunch of core utils/programs all in one go.

Couldn't agree more. As someone who sets up computers for family members, simplifying the process to Install Windows>Update>Run Ninite>DONE is a massive timesaver.

It's a bit like a package manager. You tick all the things you want to install, and it'll install them with sensible defaults and no prompts.

Yeah, it seems like neat software. I guess I've just become so ingrained in my ways that upon getting a new install setup, I install the same ~7 applications and I'm done. Never even thought to seek out a package manager for Windows.

There is also the Windows Store. It has several SSH clients, free or cheap, one that is called Metro PuTTY.

I don't know if those are any good, but they are safe to install and run. In Windows 10 they will even run in a Window with your other desktop apps :-)

Yeah, nothing says trustworthy like someone unaffiliated with the author reselling open source software.

Ok, we changed the title. If anyone suggests a better title we can change it again.

It would be nice, when you do this, to know what the original title is, to know what the issue with the original title was.

We typically quote the original title when it was different from that of the article. Otherwise you can just assume the default, i.e. "Downloading Software Safely Is Nearly Impossible" in this case.

It's the first time I've heard about Ninite.

I do use chocolatey as much as possible for all windows installations.

This is the first I've heard of chocolatey. Seems to offer a lot more stuff, so I'll check it out.

Windows 10's package manager, while unsophisticated, should provide a secure route to download PuTTY safely. Right?

Use Chocolatey.

cinst putty

and you're done.


This is in their FAQ:

"How do I know if I can trust the community feed (the packages on this site?) Until we have package moderation in place, the answer is that you can't trust the packages here. ..."

Their about page:

"Package moderation and package signing are planned to increase the security of the community feed. Bear with us, this is going to take time to get into place. ..."

However, moderation seems to be implemented (at least putty is approved by a moderator); I see no signing in place. At least everything seems to be going through https and they are going in a good direction.

There's no excuse to not have a code signing certificate especially when you could get one for free[1].

[1]: http://certum.eu/certum/cert,offer_en_open_source_cs.xml

From http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html

>We have uploaded our various keys to public keyservers, so that even if you don't know any of the people who have signed our keys, you can still be reasonably confident that an attacker would find it hard to substitute fake keys on all the public keyservers at once.

Anyone want to be less lazy than me and find out which ones the keys are in?

Also, the first thing I'd do is download a Ubuntu ISO over https, install Ubuntu, after which I'd have an authenticated way of installing software (apt-get). putty is available through that, so I'm fine.

The implication that somebody must own a domain and SSL certificate in order to deliver you software for free is just insanely entitled. If you care so much, why don't you pay the author so he can buy all these things?

Serious question: What's the point of safely downloading any binary to run on your closed-source operating system? None of that code can be verified. Do people actually believe Windows is secure?

Unless you have personally read, fully understood the security implications of, and compiled from source every application currently running on a Linux machine, including the kernel, then you really have little guarantee of safety in open source, and probably not even then.

Most Linux users are not experts in any of the multiple languages that their applications might have been written in, and so are neither capable, nor likely willing, to pore over millions of lines of polyglot code just to verify that the latest version of Iceweasel doesn't have an NSA backdoor (or what have you.) Therefore, the blind trust most Linux users place in whomever wrote their distro and their applications is no different than the blind trust Windows and OSX users place in the companies that make their operating systems and any binaries they download from third parties.

Granted, in the open source case, anyone can look at the code, and the axiom that "with enough eyes, all bugs are shallow" does sometimes work. But it doesn't necessarily follow that no one at Microsoft or Apple is paying as much attention to their code as the masses are to open source code. It's just an assumption on the part of the open source community, that open source necessarily leads to greater code coverage because the code is available to everyone, versus a subset of employees at a company, and that it's harder to hide things in plain sight when the source code is available. This assumption of course turns out sometimes to be spectacularly untrue, as it was in the case of Heartbleed.

Windows is definitely still a closed source operating system, but the code for putty is definitely available on the same page as the downloads. I assume it has the same security concerns, but at least you can look at the code.

My freshman intro to engineering computing class has ~500 freshman download PuTTY from the non-https site every year. I'll email the instructor this article - is the problem that it could be infected, or is it known to be infected with undesirable software? Quality of PuTTY aside, could someone just host the most common download on an https site?

There are version(s?) floating around that are infected.

Not (normally) on the source site - but there's no guarantee that someone doesn't MITM you and inject something.

Someone could host the download on an https site, and yes, it'd be an improvement, but that just moves who to trust to the site owner (and everyone on the certificate/hosting chain for the site).

It's that it could be.

Downloading it from a place that serves it from a secured endpoint isn't really useful if the source didn't download it securely.
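The argument in this sub-thread (an https host only moves the question of whom to trust, and is useless if that host itself fetched a bad copy) and the keyservers passage earlier in the thread (an attacker would have to substitute fake keys on every public keyserver at once) both come down to the same check: compare what you received against an expectation obtained through channels the attacker is unlikely to control together. The following is an added example, not code from the PuTTY project or from any commenter. It accepts a downloaded file only when its SHA-256 digest matches a digest that every independent publication channel agrees on; the file bytes, digests and channel names are constructed stand-ins, not real PuTTY release data.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes actually received (not of the URL or the page)."""
    return hashlib.sha256(data).hexdigest()


def consensus_digest(published: Dict[str, str]) -> Optional[str]:
    """Return the digest that every independent source agrees on, or None.

    Each key names a channel the digest was obtained from (project page,
    a distribution's package metadata, a signed announcement, ...). One
    compromised channel then shows up as disagreement instead of being trusted.
    """
    if not published:
        return None
    normalised = {src: d.strip().lower() for src, d in published.items()}
    distinct = set(normalised.values())
    return distinct.pop() if len(distinct) == 1 else None


def verify_download(blob: bytes, published: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether `blob` may be run, and say why not if it may not."""
    expected = consensus_digest(published)
    if expected is None:
        return False, "published digests disagree (or none given): trust no copy"
    actual = sha256_hex(blob)
    # constant-time comparison; cheap here, but the right habit for digests
    if not hmac.compare_digest(actual, expected):
        return False, "downloaded bytes do not match the agreed digest"
    return True, "digest matches every independent source"


# --- constructed sample data: stand-ins, not real PuTTY bytes or hashes ---
GENUINE = b"putty.exe (constructed stand-in for the real installer bytes)\n"
TAMPERED = GENUINE.replace(b"putty.exe", b"putty.exe+implant")
GOOD_DIGEST = sha256_hex(GENUINE)
BAD_DIGEST = sha256_hex(TAMPERED)


def scenarios() -> Dict[str, bool]:
    """Four situations a downloader can be in; True means the file is accepted."""
    honest = {"project page": GOOD_DIGEST,
              "distro package metadata": GOOD_DIGEST,
              "mailing-list announcement": GOOD_DIGEST}
    one_channel_owned = dict(honest, **{"project page": BAD_DIGEST})
    every_channel_owned = {src: BAD_DIGEST for src in honest}
    return {
        # the file is what the author published
        "genuine file, honest channels": verify_download(GENUINE, honest)[0],
        # served over HTTPS by a mirror that itself fetched a tampered copy:
        # transport security did not help, the digest check does
        "tampered file, honest channels": verify_download(TAMPERED, honest)[0],
        # the attacker also rewrote the hash on the one page they control
        "tampered file, one channel owned": verify_download(TAMPERED, one_channel_owned)[0],
        # residual risk: every channel subverted at once looks perfectly consistent
        "tampered file, every channel owned": verify_download(TAMPERED, every_channel_owned)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'}")
```

The last scenario is the one the keyservers argument relies on: the check is only as strong as the independence of the channels, so a digest copied from the same page as the download adds nothing, while one taken from a distribution's signed package metadata or a signed announcement does.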

Not a PuTTY fan. I generally install Fedora or Linux vms on personal Windows systems (where they are mandatory/heavily advantageous and where security policies permit) in large part to have openssh-client, and then use vmhgfs shares to move files between them as necessary. Among other reasons.

If you are really concerned about security, why would you trust a prebuilt binary of an open source project? The source is available, just grab the source and build it yourself. That way you at least know what you have.

You mean you can't tell what the program is doing by just glancing over the binary in a hex editor? /s

You have to be a pretty good programmer to identify obfuscated code in something like Putty I'd imagine - particularly as all the parts needed for snooping are intended to be there: certainly I (a non-programmer) couldn't guarantee to spot a reverse SSH connection being used for key-logging. Configure-make-install I can do but proper security level code review is not something I'd expect most programmers could do (otherwise we wouldn't have things like Heartbleed, surely?).

Web-of-trust in some form seems like the answer; but ultimately you need someone trustworthy to be paid (or equivalent) to do a proper review and oversee the securing/signing of that code as reviewed.

You also cannot assume that the original author of PuTTY isn't secretly working for the NSA, or whoever. The fact is, the ONLY safe way to get PuTTY is to indeed grab the code, go through it line by line, and then build it, and hope that your compiler isn't infected as well. I am just pointing out that it's more difficult to hide things inside the code than it is in the built binary; not impossible, but more difficult.

Web-of-trust, whatever that might mean, isn't helpful because you ultimately have to trust someone. How do you know the person you are trusting isn't an NSA agent?

>How do you know the person you are trusting isn't an NSA agent? //

You don't but the top node in your web has to be trusted by lots of other people, some ideally are able to confirm the code is kosher - you need a massive conspiracy to happen or to have put your trust in people who couldn't care less about putting their name to malicious software.

It's like if dang tells you something is an official HN policy you might trust it, but if that statement by dang is signed by other HN officials then you're going to be pretty certain that's true.

Kinda like a technical "social proof". If I know that Stallman, Torvalds, Wozniak are using a piece of software then I'm going to be pretty confident that it's been checked out as much as any piece of software. Yes they could _all_ be endorsing it because the NSA told them to.

I just checked:

PuTTY's Windows source code is ~190 files, or ~123145 lines.

If you assume you can read a line a second (and you can't), that's more than 34 hours (!).

look at the bright side, it's still a fraction of what you'd get if you were to build your own thing. :)

Why not use Cygwin which includes SSH? (the client maintained by the OpenBSD team, btw, which I'd trust a lot more):


What's so special about putty?

One variant of PuTTY that I use -- PuTTYTray, a portable version of PuTTY with some other features -- is at least delivered over https, although you still have to trust the developer.

Here is the homepage https://puttytray.goeswhere.com/

you can also try to build it from source https://github.com/FauxFaux/PuTTYTray

What about Putty Tray?


They have some neat features and the website is under https.

it's even worse because there are forks of putty (like kitty, with one important mousewheel bug fix at least) that have bigger problems - e.g. see http://www.9bis.net/kitty/?page=Download.

Oh, the irony. Your website is blocked at work.


Installing Cygwin gives you an excellent terminal MinTTY as well as normal CLI ssh. It's my preferred way to do ssh on Windows.

My preferred way to do SSH on windows is to just install any linux distro in a virtual box VM with a minimalist window manager, fullscreen a console and mount all windows disks into it as shared drive if I want to scp things.

Why not fork PuTTY?

There are quite a few forks out there already, mostly with slightly better user interfaces. None of them seem to have much traction though.

There are also some pretty good commercial alternatives although they get drowned out by all the free stuff on Google.

Already been done. Meet KiTTY:


It's not nearly as stable as Putty though. It crashes for me a couple times a week (mainly when connecting to routers)

stay away from PuTTY!!

Antiviruses detected that their .exe was infected, and they solved it by removing the detection on the antiviruses

> 2015-04-19 PuTTY detected as malware

> We've had several reports recently of anti-virus software reporting PuTTY as malware (under a wide variety of names, often generic). This affects the latest release (0.64) and also the development snapshots (particularly puttygen).

> We believe these are false positives. In those cases where we've been able to contact the vendor (McAfee, Symantec, ClamAV), they have removed the detection.


What were they meant to do? The AV vendor only corrects the detection after verifying that it is a false-positive themselves presumably.

We've had false-positive AV detections a few times in the last couple years affect an open-source project I'm involved in, it is a massive support burden.

What would you suggest a developer do other than contact the AV vendor to get it sorted out, since they caused the false detection?

I read that as "the av vendors have removed the false positive". E.g. they fixed their wrong.

What led you to a different interpretation?

Downloading BINARY software safely is impossible indeed. Downloading SOURCE software poses no security risk, as long as only humans read those sources, to check this software's behavior.

WHEN the sources have been audited, and cleared for any security or other bugs, you may consider compiling them.

That's where the real crux of the problem lies: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp... http://c2.com/cgi/wiki?TheKenThompsonHack You cannot trust software more than you trust your compiler or your interpreter or in general, your processor.

Since big commercial OS providers are KNOWN to be collaborating with the NSA to put backdoors in and spy on you in the first place, you cannot have any trust there anyway. Why worry about random binary software on the web, when your base OS is already compromised?

Otherwise, you may choose to use hardware that you trust, preferably hardware that you have built yourself. Alternatively, you may build a computer using triplicate parts from different sources (e.g. put in an Intel, an Elbrus-4C and a Godson, and compare bus traffic; as soon as a difference is detected, raise an exception and abort the process). Similarly, put in three different network controllers, made in three different countries, and compare output packets; as soon as there's a difference, drop the packets and signal the process, etc.

Once you've got a trustable hardware base, you can build a trustable software layer, using only sources and bootstrapping binaries by hand (with people you trust, preferably yourself), and as indicated in Countering Trusting Trust through Diverse Double-Compiling, http://www.acsa-admin.org/2005/abstracts/47.html you may also implement, at the software level, a similar kind of redundancy that allows you to increase the trust you may have in your bootstrapping chain.

But there is no way out, you have to start from the sources, read them and consider only source code when exchanging software.

Notice that Debian is a binary distribution. Gentoo is a source distribution. Gentoo is more trustworthy (but you need to be careful how you bootstrap its installation, which is not easy).

This is why licenses such as the AGPL, and also works to make software higher level and shorter (understandable and therefore trustable by end users) such as Alan Kay's, are important.
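The Thompson attack and Wheeler's Diverse Double-Compiling referenced in the comment above are easy to state but worth seeing in motion. The following is an added example, not code from the PuTTY project, from Wheeler's paper or from the commenter: it models compilers as toy objects whose "binaries" are hashes, builds one honest and one self-propagating trojaned compiler from the same clean source, and shows that the naive self-recompile check cannot tell them apart while DDC does. The marker strings, the "programs" and the hash-based translation are constructed stand-ins for real compiler behaviour.

```python
import hashlib
from dataclasses import dataclass

# Markers a toy trojaned compiler looks for in its input, standing in for
# Thompson's pattern match on the C compiler source and on login.c.
COMPILER_MARKER = "program: compiler"
LOGIN_MARKER = "program: login"


def honest_translation(source: str) -> bytes:
    """Deterministic stand-in for a reproducible build: same source, same image."""
    return hashlib.sha256(b"clean:" + source.encode()).digest()


@dataclass(frozen=True)
class Binary:
    """A toy executable. `image` is all an auditor can observe; `trojaned`
    is the hidden ground truth (does this compiler carry Thompson's trick?)."""
    image: bytes
    trojaned: bool = False

    def compile(self, source: str) -> "Binary":
        if not self.trojaned:
            return Binary(honest_translation(source))
        if COMPILER_MARKER in source:
            # Recompiling the compiler from clean source: re-insert the trojan,
            # so the backdoor survives although the source is honest.
            return Binary(hashlib.sha256(b"trojan:" + source.encode()).digest(), True)
        if LOGIN_MARKER in source:
            # Silently plant a backdoor in the login program it is asked to build.
            return Binary(hashlib.sha256(b"backdoored:" + source.encode()).digest())
        return Binary(honest_translation(source))


def self_recompile_matches(source_a: str, binary_a: Binary) -> bool:
    """The naive check: does compiler A rebuild itself bit-for-bit from its source?
    A self-propagating trojan passes this, which is the whole point of the attack."""
    return binary_a.compile(source_a).image == binary_a.image


def diverse_double_compile(source_a: str, binary_a: Binary, trusted: Binary) -> bool:
    """Wheeler's DDC: build A's source with an independent trusted compiler T,
    then build A's source again with that result. If A's binary is an honest
    translation of its source, the second stage reproduces it exactly."""
    stage1 = trusted.compile(source_a)   # sA translated by T: no trojan to inherit
    stage2 = stage1.compile(source_a)    # sA translated by stage1: what A should be
    return stage2.image == binary_a.image


# --- constructed sample "programs"; nothing here is real compiler source ---
COMPILER_SRC = "program: compiler\nparse; typecheck; emit code\n"
LOGIN_SRC = "program: login\ncompare password hash; grant session\n"
# An independent compiler from a different lineage (different source text,
# hence a different image), assumed clean for the purpose of DDC.
TRUSTED = Binary(honest_translation("program: compiler\nsecond, independent implementation\n"))
CLEAN_A = Binary(honest_translation(COMPILER_SRC))
TROJAN_A = Binary(hashlib.sha256(b"trojan:" + COMPILER_SRC.encode()).digest(), True)


def results() -> dict:
    """Outcome of both checks against the clean and the trojaned compiler."""
    return {
        "trojan survives self-recompile": self_recompile_matches(COMPILER_SRC, TROJAN_A),
        "clean passes DDC": diverse_double_compile(COMPILER_SRC, CLEAN_A, TRUSTED),
        "trojan fails DDC": diverse_double_compile(COMPILER_SRC, TROJAN_A, TRUSTED),
        "login differs under trojan": TROJAN_A.compile(LOGIN_SRC).image
                                      != CLEAN_A.compile(LOGIN_SRC).image,
    }


if __name__ == "__main__":
    for name, value in results().items():
        print(f"{name}: {value}")
```

Two assumptions that the toy satisfies by construction carry the real technique as well: compilation must be deterministic (otherwise stage2 and A differ for innocent reasons, which is why reproducible builds matter to DDC), and the trusted compiler must be genuinely independent of A's lineage, since a trojan shared by both would propagate into stage1 and reproduce A.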

But nobody could possibly read all the source. There's 15 million lines in the Linux kernel alone and it changes frequently. Even a group of people couldn't manage it. Gentoo isn't "more trustworthy" because nobody has actually read all of its source. Its users simply trust the upstream source repository. That's no better than trusting apt/yum.

If you download source code from an insecure web site, then you might get source code that's different from the source code that other people have read, with malicious modifications. So the situation described in the article wouldn't have been any better if the main download was in the form of source code; you'd have to carefully read the whole thing, rather than trust that other people have read the whole thing, which isn't feasible for more than a few small programs.

Security isn't a binary system. You can be compromised by the NSA and still be effectively safe. In the case of putty, you are trying to prevent yourself from downloading a compromised binary that steals credentials and sends them on to black hats, script kiddies, bot-net farmers, people that do other illegal stuff and want to cover their traces.

You read all of Gentoo before compiling it?
