Downloading Software Safely Is Nearly Impossible
03 March 2014 01:05 UTC
NOTE: I have written a follow-up post to
respond to some questions this post may raise.
Let’s say you have a brand-new Windows laptop and you’re just oh, so
happy. You’re pretty sure the NSA did not interdict
it during shipment, and thus that it comes only with the flaky goatware
Microsoft, Lenovo, and any number of Lenovo’s business partners intended for
it to have. Now all you need is an SSH client so that you can connect to
your Linux machines, and all will be peachy. Here is how to get an SSH
- Do a web search for [windows ssh client].
- Follow the first hit to http://www.putty.org/. Now, since you want
to get the good and true PuTTY that Simon Tatham wrote, and not some
unauthenticated malware, you check for the lock icon and the “https://” URL
scheme. It’s not there — worrying, considering that Tatham is supposedly an
encryption software developer.
- No need to worry, though; putty.org is not even owned by
Tatham. It’s currently owned by someone named “denis bider”, who
presumably just likes to domain-squat on other people’s product names and
provide links. OK. Let’s follow the link to...
Ahh, this has Tatham’s name right in the path part of the URL, so... wait,
is that good? Actually, no; only the hostname can indicate site
Kettlewell currently owns greenend.org.uk.
- Look for, and fail to find, the lock icon and the “https://” URL scheme.
Again, shouldn’t cryptography and security software — like all software — be
delivered always and only via an authenticated service?
- Manually add the “https://”. Note that the site does not respond to
HTTPS. Begin to doubt that this is the right site.
PuTTY is not available via HTTPS.
- Not to worry! Scroll down and note that Tatham offers links to RSA and
DSA cryptographic signatures of the binaries, e.g. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA.
Note that earth.li is
currently owned by Jonathan McDowell. When you click the link to the
signature, you do indeed get an RSA signature of something, but there is no
way to know for sure who the signer was or what they signed — any attacker
who could have compromised the site to poison the executable PuTTY programs
(or performed a man-in-the-middle attack on your connection to the site)
could also just as easily have compromised the signatures.
- Attempt to download the signature via HTTPS instead, https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA,
and note that the server responds with a 404. Become increasingly
Is this a bad sign? It feels bad.
- Take a breather to read Tatham’s
explanation of how overly-complex his signing infrastructure is, but not
why the delivery channel is anonymous.
- Briefly wonder if Tatham’s PGP keys are noted in a central registry,
such as MIT’s PGP key server. Nope.
- Briefly wonder if it matters that MIT’s PGP key server is
The MIT key server is
- Recall that even if you could get Tatham’s PGP key from an authenticated
key server, you’d still need to download a PGP program. Rather than repeat
the steps in this tutorial for GnuPG, give up and decide to download an
unauthenticated copy of PuTTY.
- Note that Tatham refers you to http://www.pc-tools.net/win32/freeware/md5sums/
for an MD5 calculator for Windows, and briefly consider at least checking
the anonymous (hence useless) MD5 digest for PuTTY. Noting that
www.pc-tools.net also does not respond to HTTPS, forgo that waste of
- Having downloaded putty.exe, think long and hard before clicking on it.
Note that when you execute it, it will run with the full privilege of your
user account on this Windows machine. It will have the ability to read,
delete, and modify all your documents and emails, and will be able to post
your porn collection to Wikipedia.
- Hope that it does not.
- Click on putty.exe anyway. Connect to your account on your Linux server,
which is now also under the control of an unauthenticated program
from the internet. Consider that, if the download was not poisoned, this
thing calling itself “PuTTY” was written by a developer who might know how
to implement RSA in C, but who does not know how or why to use RSA. (Are you
even connected to your real Linux server, at this point? Hard to know.)
- Note that, suddenly, Web
Crypto is starting to look damn good despite the
under the same
origin policy and is sandboxed by Chrome’s
multi-process model, so it wouldn’t have the full run of your Windows
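
The signature and MD5 steps above come down to one point: a digest or signature fetched over the same unauthenticated channel as the binary authenticates nothing. The Python sketch below is an added example, not code from the original post or from PuTTY. It uses SHA-256 rather than MD5, and the `Mirror` class, the `putty.exe.sha256` file name and the byte strings are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample bytes; neither is a real PuTTY build.
GENUINE = b"MZ...constructed stand-in for the genuine putty.exe"
REPLACED = b"MZ...constructed stand-in for a substituted putty.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Mirror:
    """Hypothetical plain-HTTP site: serves a binary and a digest of it."""

    def __init__(self, binary: bytes):
        self.files = {
            "putty.exe": binary,
            "putty.exe.sha256": sha256_hex(binary).encode("ascii"),
        }

    def get(self, name: str) -> bytes:
        return self.files[name]


def rewritten(payload: bytes) -> Mirror:
    """What the client sees if the site or the connection is not the real one:
    whoever controls the channel supplies the binary AND a matching digest."""
    return Mirror(payload)


def verify_same_channel(site: Mirror) -> bool:
    """Check the binary against the digest served next to it."""
    published = site.get("putty.exe.sha256").decode("ascii")
    return hmac.compare_digest(sha256_hex(site.get("putty.exe")), published)


def verify_pinned(site: Mirror, pinned_hex: str) -> bool:
    """Check the binary against a digest obtained over an authenticated channel."""
    return hmac.compare_digest(sha256_hex(site.get("putty.exe")), pinned_hex)


if __name__ == "__main__":
    pinned = sha256_hex(GENUINE)  # assumption: learned out of band, e.g. over HTTPS
    for label, site in (("genuine", Mirror(GENUINE)), ("replaced", rewritten(REPLACED))):
        print(label, "same-channel:", verify_same_channel(site),
              "pinned:", verify_pinned(site, pinned))
```

The same-channel check passes for both sites, so it cannot tell them apart; only the comparison against the independently obtained digest rejects the replaced binary.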