Downloading Software Safely Is Nearly Impossible

The problem is much worse than this contrived &#x27;I cant download PuTTY securely&#x27;. Lets choose an example, of which I have had my hands in with my tech support job.<p><i></i>* Goal: &quot;Download Firefox&quot;<p>First, the user was using IE. And the user is not a tech savvy user (as in, cannot read words on the screen). Turns out, the user&#x27;s computer was infested with spyware and garbageware. Mainly Conduit and others.<p>Evidently, user &quot;searched&quot; for firefox rather than follow my directions to type in the address bar <a href="https://www.mozilla.org" rel="nofollow">https:&#x2F;&#x2F;www.mozilla.org</a> . This behavior lead him here: <a href="http://firefox.en.softonic.com/" rel="nofollow">http:&#x2F;&#x2F;firefox.en.softonic.com&#x2F;</a><p>Normally, I would use a remote support tool and just do the cleaning for the user. However, this client comes from another area in which we are not allowed to use the remote support tool.<p>In the end, I tried to have user uninstall the bad-firefox, and attempt to install the good, but the softonic installer installs a ton of crap everywhere. User got very frustrated and hung up when having him read the uninstall programs installed list. <i></i>*<p>That is the danger to most users, running Windows.<p>EDIT: For the user whom penalized my comment score, why?

If you think you&#x27;re safe: it&#x27;s the same thing with Linux. Yes, good distros sign their blobs and you can probably verify that with builtin tools.<p>However, consider how distros generate their signed binaries:<p>1) A packager downloads a random tarball off the internet, often over HTTP and&#x2F;or unsigned and unverified.<p>2) The packager uploads the same tarball to the distro build system (you trust them, right?)<p>3) The packager&#x27;s script for building the program or library is executed by the build server (you trust all of the packagers, right? they have implicit root access to your machine during pkg install.)<p>4) The packager&#x27;s script likely invokes `.&#x2F;configure` or similar. Now even if you trust the packager, the downloaded source has arbitrary code execution. You verified it, right???<p>(Not trying to advocate for webcrypto. And I&#x27;m a Linux user. But I&#x27;m also a packager, and I have some awareness as to how one would go about pwning all users of my distro.)

It looks like Windows 8.1 is whitelisting PuTTY by hash or signature: nothing to see here.<p>Repro steps (Windows 8.1, desktop IE 11 or Chrome 33):<p>1. Download putty.exe from any shady source<p>2. PuTTY runs without prompting<p>3. go to mega.co.nz (an <i>extremely</i> shady source), upload your copy of putty.exe<p>4. download it again<p>5. this version of putty.exe also runs without prompting<p>6. open your hex editor of choice, change a byte in a text string<p>7. upload this tampered version of putty.exe to mega.co.nz<p>8. download and run it<p>9. observe full-screen modal red banner: &quot;Windows Protected Your Computer&quot; requesting an Administrator password to run suspicious binaries.

Before reading the article, I wanted to write a rant on why the TFA is wrong, based solely on the title :-) ALAS, I was wrong, especially because I downloaded Putty myself from putty.org, whenever I happened to play with Windows machines, without thinking once that putty.org is not the official source. And I&#x27;m a very security conscious user and if I can&#x27;t protect myself, then normal users don&#x27;t stand a chance.<p>Just a note - PGP signing renders HTTPS useless for downloading the binaries themselves and works by establishing a chain of trust, the problem is with distributing the public key. It&#x27;s the public key that must be distributed either over HTTPS and&#x2F;or through a public key server, letting other users digitally sign your certificate and thus endorse the association of this public key - a system that works great for popular repositories of software (e.g. Debian), in which the participating developers&#x2F;maintainers know each other. Once the authenticity of the public key is correctly established, there&#x27;s no way for an attacker to create&#x2F;forge the signed binary, unless said attacker gets ahold of the private key, which is way more difficult than hacking a web server, as normally private keys don&#x27;t end up on those servers (so it is more secure than HTTPS). For example, in Ubuntu if you&#x27;re willing to install packages from PPAs of third-parties, you first need to indicate that you trust the public key with which those packages were signed, otherwise apt-get will refuse to install said packages.<p>A reasonable alternative to PGP signing is S&#x2F;MIME signing, which is more user-friendly, as it doesn&#x27;t involve the users vetting scheme, but rather certificates are issued by a certificate authority, just like with HTTPS&#x2F;SSL. S&#x2F;MIME is weaker against the NSA, but it does work well for signing stuff and it&#x27;s more user friendly, because to establish trust, you only have to trust the certificate authority (and of course the developer).<p>Binaries on OS X are also distributed as signed with the developer&#x27;s key and OS X refuses to install unsigned binaries or binaries signed by unknown developers, unless you force it to. And while I have mixed feelings about the App Store direction in which Apple is taking OS X, I&#x27;ve began to like this restriction, in spite of the money you have to pay yearly to register as a developer (as long as you can download signed binaries straight from the Internet and thus not completely locked into Apple&#x27;s walled garden, it&#x27;s all good). Signing binaries and having a user-friendly way to establish trust in the used signing key should be the norm in all operating systems.

<i>The moral is obvious. You can&#x27;t trust code that you did not totally create yourself.</i> -- Ken Thompson[^1]<p>[^1]: Reflections on Trusting Trust. ACM Turing Award Lecture, 1984, <a href="https://dl.acm.org/citation.cfm?id=358210" rel="nofollow">https:&#x2F;&#x2F;dl.acm.org&#x2F;citation.cfm?id=358210</a>

I hate the &quot;feudalization&quot; direction that OSes are moving in -- requiring certificates, app stores, etc. At the same time, I get why it&#x27;s happening.<p>It really mirrors the historical reasons for feudalism in the real world. When the Roman empire collapsed, people needed protection from marauding hordes. So they cozied up to the nearest powerful group, forming kingdoms. People tolerated the abuses of kings and nobility in exchange for protection from anarchistic threats.<p>That&#x27;s exactly what&#x27;s happening to OSes: people are accepting feudalization in exchange for protection from malware.<p>Unless we find ways to really empower the user here, it&#x27;s only going to get worse. We will end up with a fully feudal Internet.

I think the general message here that a lot of commenters are missing is that the Right Thing is way to flipping hard to get right. The fact that PuTTy itself is not distributed securely seems to underscore the fact that even highly interested hobbiest have trouble getting it right. How can you expect everyone to be secure when you expect them to be security experts to get everything right?<p>Or in other words, despite clearly thinking they&#x27;re the smartest people in the room, security programmers are dumber than shit when it comes to actually making it possible to use their software.

Downloading software safely is nearly impossible <i>on windows</i>. Probably because there&#x27;s no demand for it - people who care about security don&#x27;t use windows. PuTTY is one guy&#x27;s hobbyist project.<p>(If you insist on using windows, what about downloading SUA from microsoft themselves? That way you get a working SSH client without trusting anyone you weren&#x27;t already trusting)

People complain that OS X requires apps to be signed by Apple (by default). But in reality, it&#x27;s the sanest solution to this problem.<p>When the OS enforces signature checking, you don&#x27;t have to worry about whether it was downloaded over HTTP or who owned the domain name.

One solution I advocate for is more widespread adoption of Chocolatey (<a href="http://chocolatey.org" rel="nofollow">http:&#x2F;&#x2F;chocolatey.org</a>).<p>I can<p>cinst putty<p>and get what I need automatically.<p>Sure, I have to trust the maintainer, but you know, if more people used Chocolatey to install packages, more people might be able to ensure it&#x27;s safe.<p>It&#x27;s not bulletproof but it sure is better than searching the web for the right download.

Correction for step#10: the Putty keys are on the MIT keyservers, just not under Tatham&#x27;s name, although they&#x27;re only 1024-bit keys: <a href="http://pgp.mit.edu/pks/lookup?op=vindex&amp;search=0xEF39CCC0B41CAE29" rel="nofollow">http:&#x2F;&#x2F;pgp.mit.edu&#x2F;pks&#x2F;lookup?op=vindex&amp;search=0xEF39CCC0B41...</a>

I challenge anyone to try and find a Minecraft mod without adware or spyware. Conduit and AdFly are everywhere.

I hope that sometime in the near future, when everything has been locked-down so much in the name of security that the situation becomes the exact opposite, someone will write an article titled &quot;Downloading Software Freely Is Nearly Impossible&quot;. Don&#x27;t get me wrong, I think security is a good thing, but I also think there has to be a balance between that and freedom. One of the most secure places to live in is a prison.<p>As the saying goes, &quot;Those who sacrifice freedom for security deserve neither.&quot;

Ah! A trick question game. The correct answer is to wipe off Windows and install Linux off your flash drive, right?

I&#x27;ve become acutely aware of this over the past couple days. I&#x27;m setting up a new a laptop, using VMs for all work. Getting VMware is easy - it&#x27;s signed. But from there? Things start sucking. I need to fix my &quot;ThinkPad&quot; fan and trackpad (new ThinkPads don&#x27;t actually have a middle button despite the dots appearing like they are one) - gotta download unsigned blobs.<p>Since I want as little software installed on the host as possible, I&#x27;m going to have to start a VM on something like Azure (easiest) with Visual Studio, and build my own copies of these tools if possible. The culture of building stuff on Windows is fairly weak, so I imagine I&#x27;ll run into all sorts of issues.<p>It&#x27;s pretty embarrassing that Windows doesn&#x27;t ship with a lightweight way of creating &quot;VMs&quot; to increase security. Something like Sandboxie would be a welcome piece of OS functionality.<p>The JS crypto comment is off-base. The discussion about JS crypto is that it&#x27;s pointless because it&#x27;s only as strong as TLS - it doesn&#x27;t provide anything else, and it&#x27;s very easy to get it wrong and get more damaged (due to ease of XSS and whatnot). Sandboxed execution is a fantastic thing, and even MS tried that with .NET and it&#x27;s million code-access-security policies. And now everyone does that with Android&#x2F;Windows Store style permissions (although not as fine grained).

As much I understand, even HTTPS and its infrastructure has plenty of holes.<p>How was this, that some people broke into a signature authority and stole master-keys -- so a huge number of keys where compromised. I don&#x27;t know, if that thing was repaired yet. Also there exist many authorities that give keys to people without the simplest identity check. Such keys are a security risk of its own.<p>I also don&#x27;t know, how good (or bad) the key withdrawal mechanism is working currently. I remember darkly (I am not current in these things) that there existed some problems with existing browsers, infrastructure and so on ...<p>And even, when those things would work fine ... as much I know, there exist holes in the implementation, depending which algo combination is used.<p>So there are so many attack vectors, that even in the best case (https works fine and you have a domain that belongs to the correct author ... and you have checksums ... and you check, if your browser tells you, that the certificate is perfect (who in the internet age cares, when the browser says that the certificate has some problem??) ...) there seems to be no security in the internet age ....<p>(And I am not even speaking or thinking about governments spying on us all)

So basically he does a web search for &quot;Windows ssh client&quot; (generic seo spammed terms) when he knows he wants putty (specific) and is surprised that the official putty page is not the #1 hit.<p>I&#x27;d hardly call that a bulletproof argument.

&gt;&gt; Note that, suddenly, Web Crypto is starting to look damn good<p>OK so we can also boot Linux in a browser, if you stick with it apparently you can do just about anything in JavaScript if you&#x27;re willing to spend the CPU cycles to do it.<p>Why? ChromeBook as an example, why move everything into the browser so that the OS is minimized or even removed, you&#x27;re still going to face the same software problems.

A challenge: what would the best remedies to this situation be? Should we be pressuring OSes to come with PGP ware and other basic tools by default, for instance?

The title is missing a word: it should be &quot;Downloading <i>Windows</i> Software Safely Is Nearly Impossible&quot;. Similar remarks would apply to OS X for any software not supplied by Apple. Fortunately, Linux distros have package managers.

I prefer to search on Wikipedia, it has a link to the official website in a predictable way.<p>e.g. <a href="http://en.wikipedia.org/wiki/PuTTY" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;PuTTY</a> points to Putty&#x27;s official website: <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty" rel="nofollow">http:&#x2F;&#x2F;www.chiark.greenend.org.uk&#x2F;~sgtatham&#x2F;putty</a><p>Putty is open source (MIT), one could build it from source and even audit the code. Nevertheless, thanks for pointing it out.

&quot;It’s currently owned by someone named “denis bider”, who presumably just likes to domain-squat on other people’s product names and provide links. &quot;<p>Another slam against squatters as usual. I really really wish people would stop with that already.<p>Whoever Denis Bider is he has no obligation to even put up links to putty. He could sell the domain name maybe even to these people who don&#x27;t appear to be &quot;using&quot; (by the HN and generally acceptable definition of &quot;using&quot;). In other words <a href="http://putty.com/" rel="nofollow">http:&#x2F;&#x2F;putty.com&#x2F;</a><p>For the last time. There is no requirement to use a domain name and there never has been a requirement to use a domain name. And there are many people and companies who just sit on names and don&#x27;t want to sell (because they don&#x27;t need the money).<p>Talk to google about duck.com and see if you can buy it. You won&#x27;t be able to.<p>Anyway he could put up a webpage as his personal blog or any number of things.<p>Just because you happen to have a product using a particular name does&#x27;t mean you own that name in every tld (.com .net .org .info .us .biz and so on).<p>.org isn&#x27;t even .com nor as desirable except perhaps for non profits.

I&#x27;m feeling this severely with our build tools at the moment. I use Maven to build all of my java projects. Maven will pull down library dependencies from the Maven central repository or other independent repos that you may have configured. I noticed recently that none of my Maven clients were validating checksums on the libraries that we pull down.<p>This came about when the domain for codehaus.com expired and it transferred over to a parked site that responded to all requests with advertising. I ended up with a bunch of HTML files where I was expecting library jars. In this case it was merely annoying and caused some tests and builds to fail. If they had instead been providing malicious code that almost looked like legit libraries it could have gone un-noticed for a long time.

These concerns are remarkably similar to my recent experience[0] with the Apple software update, which nobody on StackExchange seems interested in answering. I&#x27;m still very much interested in educated opinions on that matter, if anyone cares to take a look. I&#x27;d be particularly grateful if someone with knowledge of TCP could explain to me whether or not all those duplicate ACKs are of concern. (Note that I understand the question&#x27;s assertions on code signing may not be correct)<p><pre><code> [0]: http:&#x2F;&#x2F;security.stackexchange.com&#x2F;questions&#x2F;52357&#x2F;what-is-going-on-with-my-download-of-the-recent-apple-security-update</code></pre>

There is absolutely nothing wrong with HTTP. You are supposed to verify signing keys <i>after</i> you download them anyway, regardless of your source and tranfer method.<p>Yes, that may often be hard, or nearly impossible. WOT sadly often only works for people you can personally verify anyway.<p>(With HTTPS, you better wish the author chose a reputable and more expensive certificate authority which can be trusted not to give certificates without proper proof of address ownership. Otherwise, verifying the website certificate may be as hard has verifying personal keys.)

Anyone else think it&#x27;s kind of silly that he&#x27;s a mac guy (all of his screenshots are of old OS X) and his example is downloading PuTTY? Recent OS X versions all come with ssh client.

I&#x27;ve looked around, and the only free SSH tool for Windows that has a single HTTPS mirror is &#x27;kitty&#x27;: <a href="https://www.wuala.com/9bis.com/public/build/" rel="nofollow">https:&#x2F;&#x2F;www.wuala.com&#x2F;9bis.com&#x2F;public&#x2F;build&#x2F;</a><p>There&#x27;s binary OpenSSH releases for Windows, but they&#x27;re all hosted on sites that don&#x27;t do HTTPS. It seems like all Windows free software has a general lack of following security best practices when releasing or mirroring software.

<p><pre><code> Downloading *Putty* Safely Is Nearly Impossible.</code></pre>

It has always seemed strange to me that putty which is still probably the most used ssh client for windows is available through such strange distribution methods. I wholeheartedly appreciate the time the author took to rant-ishly dissect this to a most myopic level. Even though it may reveal a most tortured and disturbed psyche.<p>Step 18 is probably the inevitable step that follows thinking about something too much.

You could download the installer and notice that it is signed by Simon and then feel secure. But writing a long rant works too.

Is the author seriously advertising google chrome as a safe way to download software ? The very browser known to exist to increase the reach of google surveillance of what people do on the web doesn&#x27;t seem to possibly be part of a solution here.<p>Those who give up privacy expecting to gain download safety will lose both.

I noticed this the other day as well. I was trying to download GnuPG. GnuPG.org, including the download page and checksums, is served entirely over http.<p>Even if it is open source, am I expected to pore over thousands of lines of code to verify that it hasn&#x27;t been compromised?

Now let&#x27;s talk about how we are supposed to sign webApps in a way similaire to debian package distribution as to be able to actually trust one you d&#x2F;l online and be able to trace the update you might receive by revisiting the page?

I wrote a blog article covering many of these issues. I am no Bruce Shneier, but I think there are good solutions:<p><a href="https://news.ycombinator.com/item?id=7337976" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=7337976</a>

This reminds me &quot;The Ken Thompson Hack&quot; <a href="http://c2.com/cgi/wiki?TheKenThompsonHack" rel="nofollow">http:&#x2F;&#x2F;c2.com&#x2F;cgi&#x2F;wiki?TheKenThompsonHack</a>

Flash Player updates are offered for download over insecure HTTP. Meanwhile you can&#x27;t run Flash until you install the update (I assume it was a security fix).

<a href="http://www.oldversion.com/windows/putty/" rel="nofollow">http:&#x2F;&#x2F;www.oldversion.com&#x2F;windows&#x2F;putty&#x2F;</a>

This is (partly) why I install from the official Debian repos even if newer versions of a piece of software are available on the web.

I went through this exercise a year ago but was only about one-third as vigilant as Chris. I still did step 18, though.

Is there actually a legitimate reason that the MIT PGP server <i>doesn&#x27;t</i> have HTTPS?

Isn&#x27;t the problem just that the developer has not signed the Putty binary?

Yet despite it being nearly impossible it happens everyday for 99.99% of users.

Or you know you could just use linux.

Get putty from your old laptop

Use a package manager.

After reading his article, it looks like if you cared about security, you made a mistake even before attempting to download putty.exe. Your first mistake was to be installing Microsoft Windows as your OS. Once you did that, you threw security out the window. You are already owned by the NSA. Not sure if you know that or not. Good luck with whatever you do from that point on, it doesn&#x27;t really matter that you used https versus http. You were already compromised.