Let's say you have a brand-new Windows laptop and you're just oh, so
happy. You're pretty sure the NSA did not interdict
it during shipment, and thus that it comes only with the flaky goatware
Microsoft, Lenovo, and any number of Lenovo's business partners intended for
it to have. Now all you need is an SSH client so that you can connect to
your Linux machines, and all will be peachy. Here is how to get an SSH
client.

Follow the first hit to http://www.putty.org/. Now, since you want
to get the good and true PuTTY that Simon Tatham wrote, and not some
unauthenticated malware, you check for the lock icon and the “https://” URL
scheme. It's not there—worrying, considering that Tatham is supposedly an
encryption software developer.

No need to worry, though; putty.org is not even owned by
Tatham. It's currently owned by someone named “denis bider”, who
presumably just likes to domain-squat on other people's product names and
provide links. OK. Let's follow the link to...

Look for, and fail to find, the lock icon and the “https://” URL scheme.
Again, shouldn't cryptography and security software—like all software—be
delivered always and only via an authenticated service?

Manually add the “https://”. Note that the site does not respond to
HTTPS. Begin to doubt that this is the right site. PuTTY is not available via
HTTPS.

Not to worry! Scroll down and note that Tatham offers links to RSA and
DSA cryptographic signatures of the binaries, e.g. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA.
Note that earth.li is
currently owned by Jonathan McDowell. When you click the link to the
signature, you do indeed get an RSA signature of something, but there is no
way to know for sure who the signer was or what they signed—any attacker
who could have compromised the site to poison the executable PuTTY programs
(or performed a man-in-the-middle attack on your connection to the site)
could also just as easily have compromised the signatures.

Briefly wonder if Tatham's PGP keys are noted in a central registry,
such as MIT's PGP key server. Nope.

Briefly wonder if it matters that MIT's PGP key server is
unauthenticated. The MIT key server is unauthenticated.

Recall that even if you could get Tatham's PGP key from an authenticated
key server, you'd still need to download a PGP program. Rather than repeat
the steps in this tutorial for GnuPG, give up and decide to download an
unauthenticated copy of PuTTY.

Note that Tatham refers you to http://www.pc-tools.net/win32/freeware/md5sums/
for an MD5 calculator for Windows, and briefly consider at least checking
the anonymous (hence useless) MD5 digest for PuTTY. Noting that
www.pc-tools.net also does not respond to HTTPS, forgo that waste of
time.

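The point made above about the signatures and again about the MD5 digest, played through in code: a signature or digest that arrives over the same unauthenticated channel as the binary proves nothing, because whoever can replace the binary can regenerate everything published beside it; only a key you obtained some other way can reject the substitution. This is an added example, not code from the original post, from PuTTY or from any of the sites named; the mirror, the "putty.exe" bytes and the attacker's key are constructed stand-ins, and PKCS#1 v1.5 over SHA-256 is an assumed signature scheme chosen for the demonstration, not the format of the real .RSA files.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirror models an HTTP-only download site: the binary, its detached RSA
// signature, its MD5 digest and the public key you are told to verify
// against all arrive over the same unauthenticated channel.
type Mirror struct {
	Binary    []byte
	Signature []byte
	MD5Hex    string
	SiteKey   *rsa.PublicKey
}

// Publish builds the mirror contents for a binary with the given signing key.
// An attacker who controls the site (or the path to it) runs exactly the same
// code with their own key and their own binary.
func Publish(signer *rsa.PrivateKey, binary []byte) (*Mirror, error) {
	digest := sha256.Sum256(binary)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	sum := md5.Sum(binary)
	return &Mirror{
		Binary:    binary,
		Signature: sig,
		MD5Hex:    hex.EncodeToString(sum[:]),
		SiteKey:   &signer.PublicKey,
	}, nil
}

// VerifyWith checks the mirror's signature against whichever public key the
// caller chooses: the one the site hands out, or one pinned out of band.
func VerifyWith(m *Mirror, key *rsa.PublicKey) bool {
	digest := sha256.Sum256(m.Binary)
	return rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], m.Signature) == nil
}

// DigestMatches recomputes the MD5 digest and compares it with the one the
// site published next to the binary.
func DigestMatches(m *Mirror) bool {
	sum := md5.Sum(m.Binary)
	return hex.EncodeToString(sum[:]) == m.MD5Hex
}

// Outcome records what each check says about an honest and a poisoned download.
type Outcome struct {
	HonestSiteKey, HonestPinned, HonestDigest       bool
	PoisonedSiteKey, PoisonedPinned, PoisonedDigest bool
}

// RunScenario plays through the download twice: once against the developer's
// real mirror, once against a mirror an attacker has replaced wholesale.
func RunScenario() (Outcome, error) {
	developer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample data standing in for putty.exe and a trojaned copy.
	genuine := []byte("MZ...genuine putty.exe (constructed sample)")
	trojan := []byte("MZ...trojaned putty.exe (constructed sample)")

	// The pinned key is the one thing the attacker cannot replace: you obtained
	// it through some channel other than the download site.
	pinned := &developer.PublicKey

	honest, err := Publish(developer, genuine)
	if err != nil {
		return Outcome{}, err
	}
	poisoned, err := Publish(attacker, trojan)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		HonestSiteKey:   VerifyWith(honest, honest.SiteKey),
		HonestPinned:    VerifyWith(honest, pinned),
		HonestDigest:    DigestMatches(honest),
		PoisonedSiteKey: VerifyWith(poisoned, poisoned.SiteKey),
		PoisonedPinned:  VerifyWith(poisoned, pinned),
		PoisonedDigest:  DigestMatches(poisoned),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest download:   site key %v, pinned key %v, md5 %v\n", o.HonestSiteKey, o.HonestPinned, o.HonestDigest)
	fmt.Printf("poisoned download: site key %v, pinned key %v, md5 %v\n", o.PoisonedSiteKey, o.PoisonedPinned, o.PoisonedDigest)
}
```

The poisoned download passes the site-key signature check and the MD5 check just as cleanly as the honest one; only the check against the pinned key fails. That is the whole value of a signature: it binds the file to a key, and the binding is only as trustworthy as the channel the key came through.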
Having downloaded putty.exe, think long and hard before clicking on it.
Note that when you execute it, it will run with the full privilege of your
user account on this Windows machine. It will have the ability to read,
delete, and modify all your documents and emails, and will be able to post
your porn collection to Wikipedia.

Hope that it does not.

Click on putty.exe anyway. Connect to your account on your Linux server,
which is now also under the control of an unauthenticated program
from the internet. Consider that, if the download was not poisoned, this
thing calling itself “PuTTY” was written by a developer who might know how
to implement RSA in C, but who does not know how or why to use RSA. (Are you
even connected to your real Linux server, at this point? Hard to know.)