Let’s say you have a brand-new Windows laptop and you’re just oh, so
happy. You’re pretty sure the NSA did not interdict
it during shipment, and thus that it comes only with the flaky goatware
Microsoft, Lenovo, and any number of Lenovo’s business partners intended for
it to have. Now all you need is an SSH client so that you can connect to
your Linux machines, and all will be peachy. Here is how to get an SSH
client.
Follow the first hit to http://www.putty.org/. Now, since you want
to get the good and true PuTTY that Simon Tatham wrote, and not some
unauthenticated malware, you check for the lock icon and the “https://” URL
scheme. It’s not there — worrying, considering that Tatham is supposedly an
encryption software developer.
No need to worry, though; putty.org is not even owned by
Tatham. It’s currently owned by someone named “denis bider”, who
presumably just likes to domain-squat on other people’s product names and
provide links. OK. Let’s follow the link to...
Look for, and fail to find, the lock icon and the “https://” URL scheme.
Again, shouldn’t cryptography and security software — like all software — be
delivered always and only via an authenticated service?
Manually add the “https://”. Note that the site does not respond to
HTTPS. Begin to doubt that this is the right site. PuTTY is not available via
HTTPS.
Not to worry! Scroll down and note that Tatham offers links to RSA and
DSA cryptographic signatures of the binaries, e.g. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe.RSA.
Note that earth.li is
currently owned by Jonathan McDowell. When you click the link to the
signature, you do indeed get an RSA signature of something, but there is no
way to know for sure who the signer was or what they signed — any attacker
who could have compromised the site to poison the executable PuTTY programs
(or performed a man-in-the-middle attack on your connection to the site)
could also just as easily have compromised the signatures.
Briefly wonder if Tatham’s PGP keys are noted in a central registry,
such as MIT’s PGP key server. Nope.
Briefly wonder if it matters that MIT’s PGP key server is
unauthenticated.The MIT key server is
unauthenticated.
Recall that even if you could get Tatham’s PGP key from an authenticated
key server, you’d still need to download a PGP program. Rather than repeat
the steps in this tutorial for GnuPG, give up and decide to download an
unauthenticated copy of PuTTY.
Note that Tatham refers you to http://www.pc-tools.net/win32/freeware/md5sums/
for an MD5 calculator for Windows, and briefly consider at least checking
the anonymous (hence useless) MD5 digest for PuTTY. Noting that
www.pc-tools.net also does not respond to HTTPS, forego that waste of
time.
Having downloaded putty.exe, think long and hard before clicking on it.
Note that when you execute it, it will run with the full privilege of your
user account on this Windows machine. It will have the ability to read,
delete, and modify all your documents and emails, and will be able to post
your porn collection to Wikipedia.
Hope that it does not.
Click on putty.exe anyway. Connect to your account on your Linux server,
which is now also under the control of an unauthenticated program
from the internet. Consider that, if the download was not poisoned, this
thing calling itself “PuTTY” was written by a developer who might know how
to implement RSA in C, but who does not know how or why to use RSA. (Are you
even connected to your real Linux server, at this point? Hard to know.)
