Is there a secure way to download PuTTY? They are hosting it on an HTTP page. Though they provide RSA and DSA signatures, how would I verify the signatures themselves? I'm kind of new to walking through trust paths. I don't even have any entry point either, since nobody I know uses public key encryption (I trust the Debian keys already though, since I use their distro; maybe I can use that as a starting point?).
My best bet would be to download the signatures and keys from different mirrors and sources to limit the possibility of a successful targeted MITM attack.
> Though they provide RSA and DSA signatures, how would I verify the signatures themselves?
Ideally, it goes something like this --
1. Start with the master keys. Download them from their website & import them into your keyring.
2. Fetch signatures for those keys from some key servers. (E.g. gpg --recv-keys 6A93B34E).
3. Examine the signatures (E.g. gpg --list-sigs 6A93B34E). Do you trust anybody in that list to have verified the ownership of the keys?
If "yes", then import the release keys and verify that _they_ have been signed by the master keys. You can use the release keys to verify the downloaded binary.
If "no", then you might recurse down those keys to see if you know anyone who signed any of _them_. At this point, you'll need to consider very carefully what your trust policy is going to be.
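The hard part of the procedure above is step 3 and the "no" branch: deciding whose certifications count, how many you need, and how far down the chain you are willing to go. The following is an added Python example, not code from the thread, from PuTTY or from GnuPG; it models GnuPG's classic trust model (a key is valid if it is certified by one fully trusted or three marginally trusted keys that are themselves already valid, at most five steps deep) over a constructed certification graph. The key labels such as `me`, `debian-keyring`, `dd-alice` and `putty-master` are hypothetical, not real key IDs, and the Debian chain stands in for the "start from the Debian keys I already trust" idea. It shows why keyserver signatures from strangers add nothing, and why the PuTTY master key needs an explicit ownertrust decision before the release keys it signs become usable for `gpg --verify`.

```python
"""
Web-of-trust validity check modelled on GnuPG's classic trust model.

Added example, not code from the thread, PuTTY or GnuPG.  The key labels
and the certification graph below are constructed for illustration; they
are not real key IDs or real signatures.
"""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(certs, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that is valid under the policy.

    certs:      {signer: set of keys that signer has certified}, i.e. the
                key signatures `gpg --list-sigs` would show, from anyone.
    ownertrust: {key: level} how far YOU trust each key's owner to certify
                other people's keys.  Keys without an entry are UNKNOWN.

    A key is valid if it is ultimately trusted, or if it is certified by at
    least `completes_needed` fully trusted keys or `marginals_needed`
    marginally trusted keys that are themselves already valid, reached in
    at most `max_cert_depth` certification steps (GnuPG's defaults: 1/3/5).
    """
    certified_by = {}
    for signer, signed in certs.items():
        for key in signed:
            if key != signer:                      # ignore self-signatures
                certified_by.setdefault(key, set()).add(signer)

    validity = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for key, signers in certified_by.items():
            if key in validity:
                continue
            # Only signers that are already valid can vouch; a signature
            # from a key nobody vouches for (a keyserver upload) is noise.
            vouching = [s for s in signers if s in validity]
            full = sum(ownertrust.get(s) in (FULL, ULTIMATE) for s in vouching)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in vouching)
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid[key] = depth
        if not newly_valid:
            break
        validity.update(newly_valid)
    return validity


def vouchers(key, certs, ownertrust, validity):
    """Signers whose certification counted towards `key` being valid."""
    return sorted(
        (s, ownertrust[s]) for s, signed in certs.items()
        if key in signed and s != key and s in validity
        and key in validity and validity[s] < validity[key]
        and ownertrust.get(s, UNKNOWN) != UNKNOWN
    )


# Constructed graph with hypothetical labels.  "me" is the reader's own key;
# the chain through a Debian key mirrors the "I already trust the Debian
# keys, maybe that is my starting point" idea from the thread.
CERTS = {
    "me":               {"debian-keyring"},
    "debian-keyring":   {"dd-alice", "dd-bob", "dd-carol"},
    "dd-alice":         {"putty-master"},
    "dd-bob":           {"putty-master"},
    "dd-carol":         {"putty-master"},
    "putty-master":     {"putty-release"},
    # certifications anyone could have uploaded to a keyserver
    "stranger-1":       {"lookalike-master"},
    "stranger-2":       {"lookalike-master"},
    "lookalike-master": {"lookalike-release"},
}
OWNERTRUST = {
    "me": ULTIMATE,
    "debian-keyring": FULL,
    "dd-alice": MARGINAL, "dd-bob": MARGINAL, "dd-carol": MARGINAL,
    # the trust-policy decision the thread talks about: after checking who
    # certified the PuTTY master key, let it certify the release keys
    "putty-master": FULL,
}


def check_release_key(key="putty-release", certs=CERTS, ownertrust=OWNERTRUST,
                      **policy):
    """True if `key` is valid under the policy, so `gpg --verify` with it means something."""
    return key in compute_validity(certs, ownertrust, **policy)


if __name__ == "__main__":
    validity = compute_validity(CERTS, OWNERTRUST)
    for key in ["putty-master", "putty-release", "lookalike-master", "lookalike-release"]:
        status = f"valid at depth {validity[key]}" if key in validity else "NOT valid"
        print(f"{key:18} {status}; vouched for by {vouchers(key, CERTS, OWNERTRUST, validity)}")
```

Two things to try with the constructed graph: drop `dd-carol`'s certification and `putty-master` stops being valid under the default three-marginals rule, which is exactly the "do you trust anybody in that list" question; and delete the `putty-master: FULL` ownertrust entry and the master key stays valid but `putty-release` does not, because a key being genuine is a separate decision from letting it certify others.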
How does that make it more secure? HTTPS doesn't do anything to stop an attacker accessing the host and changing the contents. If you are concerned about a MITMA, then download from multiple nations and compare, or download the source and build it yourself.
I used to be a huge PuTTY (or derivative) user, but recently I've switched to just using the normal OpenSSH command-line client within Cygwin and ConEmu.
While PuTTY is nice, it lacks some features, like proxycommands and stuff which are standard in ~/.ssh/config. Things which can be taken along in a simple & portable fashion.
No disrespect to PuTTY, but I just found myself not really needing it anymore.
You can also get many unix commands, including ssh, from the git packages. They work remarkably well, with the limit being you get to run them in `cmd` or `powershell` windows.
Another security hole of PuTTY is downloads being served over non-SSL.
I should know better and check the sigs using PGP and checksums, but on Windows this is such a drag that I just end up whispering hallelujah praise the Lord, and hoping for the best.
Get the keybase.io client, it sets up your GPG pretty nicely. I was able to confirm the downloads on Windows using the standard ``gpg --verify putty.DSA.asc`` and it just worked(tm) in a cmd.exe window. Using the keybase client does not, however, as the signing key for the putty binaries is not on keybase.
Not saying anything about how much sense it makes to verify the downloads, just saying that it does work well on Windows, without any cygwin, mingw or whatever.
leni536|11 years ago
286c8cb04bda|11 years ago
easytiger|11 years ago
akavel|11 years ago
josteink|11 years ago
fbristow|11 years ago
[1]: http://mobaxterm.mobatek.net/
falcolas|11 years ago
luxpir|11 years ago
PuTTY allowed for more secure remote working when on untrusted networks, but not having to constantly enter credentials is much preferable.
icc97|11 years ago
I found it very useful for connecting to vagrant boxes.
gruturo|11 years ago
el_duderino|11 years ago
http://www.netsarang.com/products/xsh_overview.html
nothrabannosir|11 years ago
I know it's my fault, but I'd still like SSL :(
xrstf|11 years ago
shawabawa3|11 years ago
Kind of pointless. If the download has been compromised, so have the checksums.
nodata|11 years ago
tapirl|11 years ago
falcolas|11 years ago
pbowyer|11 years ago
iso8859-1|11 years ago