Downloading Software Safely Is Nearly Impossible

Let’s say you have a brand-new Windows laptop and you’re just oh, so happy. You’re pretty sure the NSA did not interdict it during shipment, and thus that it comes only with the flaky goatware Microsoft, Lenovo, and any number of Lenovo’s business partners intended for it to have. Now all you need is an SSH client so that you can connect to your Linux machines, and all will be peachy. Here is how to get an SSH client.

  1. Do a web search for [ windows ssh client ].
  2. Follow the first hit to http://www.putty.org/. Now, since you want to get the good and true PuTTY that Simon Tatham wrote, and not some unauthenticated malware, you check for the lock icon and the “https://” URL scheme. It’s not there — worrying, considering that Tatham is supposedly an encryption software developer.
  3. No need to worry, though; putty.org is not even owned by Tatham. It’s currently owned by someone named “denis bider”, who presumably just likes to domain-squat on other people’s product names and provide links. OK. Let’s follow the link to...
  4. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Ahh, this has Tatham’s name right in the path part of the URL, so... wait, is that good? Actually, no; only the hostname can indicate site ownership. Richard Kettlewell currently owns greenend.org.uk.
  5. Look for, and fail to find, the lock icon and the “https://” URL scheme. Again, shouldn’t cryptography and security software — like all software — be delivered always and only via an authenticated service?
  6. Manually add the “https://”. Note that the site does not respond to HTTPS. Begin to doubt that this is the right site.
    PuTTY is not available via HTTPS.
    PuTTY is not available via HTTPS.
  7. Not to worry! Scroll down and note that Tatham offers links to RSA and DSA cryptographic signatures of the binaries, e.g. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA. Note that earth.li is currently owned by Jonathan McDowell. When you click the link to the signature, you do indeed get an RSA signature of something, but there is no way to know for sure who the signer was or what they signed — any attacker who could have compromised the site to poison the executable PuTTY programs (or performed a man-in-the-middle attack on your connection to the site) could also just as easily have compromised the signatures.
  8. Attempt to download the signature via HTTPS instead, https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA, and note that the server responds with a 404. Become increasingly suspicious.
    Is this a bad sign? It feels bad.
    Is this a bad sign? It feels bad.
  9. Take a breather to read Tatham’s explanation of how overly-complex his signing infrastructure is, but not why the delivery channel is anonymous.
  10. Briefly wonder if Tatham’s PGP keys are noted in a central registry, such as MIT’s PGP key server. Nope.
  11. Briefly wonder if it matters that MIT’s PGP key server is unauthenticated.
    The MIT key server is unauthenticated.
    The MIT key server is unauthenticated.
  12. Recall that even if you could get Tatham’s PGP key from an authenticated key server, you’d still need to download a PGP program. Rather than repeat the steps in this tutorial for GnuPG, give up and decide to download an unauthenticated copy of PuTTY.
  13. Note that Tatham refers you to http://www.pc-tools.net/win32/freeware/md5sums/ for an MD5 calculator for Windows, and briefly consider at least checking the anonymous (hence useless) MD5 digest for PuTTY. Noting that www.pc-tools.net also does not respond to HTTPS, forego that waste of time.
  14. Having downloaded putty.exe, think long and hard before clicking on it. Note that when you execute it, it will run with the full privilege of your user account on this Windows machine. It will have the ability to read, delete, and modify all your documents and emails, and will be able to post your porn collection to Wikipedia.
  15. Hope that it does not.
  16. Click on putty.exe anyway. Connect to your account on your Linux server, which is now also under the control of an unauthenticated program from the internet. Consider that, if the download was not poisoned, this thing calling itself “PuTTY” was written by a developer who might know how to implement RSA in C, but who does not know how or why to use RSA. (Are you even connected to your real Linux server, at this point? Hard to know.)
  17. Note that, suddenly, Web Crypto is starting to look damn good despite the objections of the native code chauvinists. At least JavaScript runs under the same origin policy and is sandboxed by Chrome’s multi-process model, so it wouldn’t have the full run of your Windows user account.
  18. Despair.