23

I recently did a Bing search for Putty and can only guess at which distribution is "trusted" and contains no malware or sleuthing code.

If you needed to download Putty for a high security Windows installation, where would you get the Binaries from? Would you compile from source?

makerofthings7
  • What's wrong with putty.org? – Nov 15 '12 at 17:25
  • @Rell3oT: It's just a linking page for several projects; you cannot download anything from there. – Manuel Faux Nov 15 '12 at 17:42
  • Well, yes, but it is the official site (after you click on the putty link), which goes to the link posted by you. I'm just curious why using the official site isn't obvious to do... – Nov 15 '12 at 17:47
  • 5
    @Rell3oT: putty.org doesn't look like an official site at all - it is run by Bitvise, who sell a rival SSH client. Seems like domain squatting to me... – bobince Nov 16 '12 at 10:48
  • 1
    @bobince - You are 100% right that is exactly what is happening. Of course it also links to the official site. – Ramhound Nov 16 '12 at 14:00
  • 2
    @Rell3oT hmm... my putty-link in "Putty - About" links to http://www.chiark.greenend.org.uk/~sgtatham/putty/ – Bonsi Scott Nov 16 '12 at 22:36
  • 1
    http://www.chiark.greenend.org.uk/~sgtatham/putty/ is the official page of the creator of putty, last updated in September. He provides checksums and source code for you to compile against, as well as a link to git if you'd rather pull and compile over a secure connection. – Robert Mennell Oct 22 '15 at 03:01

6 Answers

22

The official site is www.chiark.greenend.org.uk/~sgtatham/putty; you can find the download in the download section. If you want to play it safe, you can verify the signature of the download.

In my opinion compiling it from source is as safe as downloading the binary and checking the signature (make sure to also verify the key itself with at least one trusted signer). Unless you review the source code (including all needed libraries) there is no point in spending the added effort of compiling it yourself since both parts, the source code and the binaries, are signed with the same key.

The only advantage you gain by compiling it yourself is the opportunity to review the code, so as to mitigate the risk that the authors of PuTTY could have added some backdoors or malware to it. But again, you would have to thoroughly review the code and all needed libraries to actually gain that benefit.

Iszi
Manuel Faux
  • 9
    Relevant: http://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security Note that file hashing in these cases is not generally intended to provide any security benefit - it's to ensure the integrity of the transmission. Unless the site displaying the hash is transferred over an authenticated connection, it's possible for a hacker to compromise the site and replace both file & hash with their own malicious copy. At that point, hash validation is useless for security. – Iszi Nov 15 '12 at 20:55
  • 2
    Yeah, it's a shame Tatham doesn't have an HTTPS server... man-in-the-middling chiark would seem to be a likely-fruitful attack. – bobince Nov 16 '12 at 10:51
  • You could also run a vm and use that as a terminal. – munchkin May 20 '15 at 17:59
  • It seems that first you have to prove (or at least make some sort of argument) that "`The official site is www.chiark.greenend.org.uk/~sgtatham/putty`". – H2ONaCl Dec 26 '17 at 04:51
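The check this answer recommends (download over TLS, verify the detached signature, and trust only a key you have already vetted) as a PowerShell script, since the question is about a Windows installation. This is an added example, not code from the original answer or from the PuTTY project. Assumptions not stated on the page: gpg.exe is on PATH with the release key already imported into the local keyring, each file's detached signature is published next to it with a ".gpg" suffix, the file is named putty.exe under the directory quoted in a later comment (https://the.earth.li/~sgtatham/putty/0.65/x86/), and the fingerprint you pass in was confirmed out of band (from a trusted signer, as the answer says), not copied from the same download page.

```powershell
<#
  Added example, not from the original page or the PuTTY project.
  Assumptions (not on the page): gpg.exe on PATH, release key already in the
  keyring, signature at "<file>.gpg" beside the binary, and an expected
  fingerprint that was verified out of band before this script is run.
#>
param(
    [Parameter(Mandatory = $true)] [string]$ExpectedFingerprint,          # 40 hex digits, verified out of band
    [string]$BaseUrl = "https://the.earth.li/~sgtatham/putty/0.65/x86",   # directory quoted in the comments
    [string]$File    = "putty.exe",                                       # assumed file name
    [string]$OutDir  = (Join-Path $env:TEMP "putty-verify")
)

$ExpectedFingerprint = ($ExpectedFingerprint -replace '\s', '').ToUpperInvariant()
if ($ExpectedFingerprint -notmatch '^[0-9A-F]{40}$') { throw "Fingerprint must be 40 hex digits" }

New-Item -ItemType Directory -Force -Path $OutDir -ErrorAction Stop | Out-Null
$binPath = Join-Path $OutDir $File
$sigPath = "$binPath.gpg"

# 1. Fetch binary and detached signature over TLS only. Invoke-WebRequest validates the
#    certificate chain by default; refuse plain http:// so a MITM cannot swap both files.
foreach ($url in @("$BaseUrl/$File", "$BaseUrl/$File.gpg")) {
    if ($url -notmatch '^https://') { throw "Refusing non-TLS URL: $url" }
}
Invoke-WebRequest -Uri "$BaseUrl/$File"     -OutFile $binPath -UseBasicParsing -ErrorAction Stop
Invoke-WebRequest -Uri "$BaseUrl/$File.gpg" -OutFile $sigPath -UseBasicParsing -ErrorAction Stop

# 2. Verify the detached signature and pin the signer. gpg exits 0 for a valid
#    signature by *any* key in the keyring, so also parse the VALIDSIG status line
#    (--status-fd 1 sends it to stdout): field 3 is the fingerprint of the (sub)key
#    that signed, the last field the primary key's fingerprint.
$status = & gpg --batch --status-fd 1 --verify $sigPath $binPath 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "gpg --verify failed:`n$status" }

$validSig = ($status -split "`r?`n") |
    Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } |
    Select-Object -First 1
if (-not $validSig) { throw "No VALIDSIG status line; signature not valid" }

$fields     = $validSig -split '\s+'
$signerFprs = @($fields[2], $fields[-1]) | ForEach-Object { $_.ToUpperInvariant() }
if ($signerFprs -notcontains $ExpectedFingerprint) {
    throw "Signature is valid but was made by key $($fields[2]), not the pinned key $ExpectedFingerprint"
}

# 3. Record the SHA-256 for your change log. A hash alone does not prove authenticity
#    (see the comment above about hashes and integrity); the pinned signature does.
$sha256 = (Get-FileHash -Algorithm SHA256 -Path $binPath).Hash
[pscustomobject]@{ File = $binPath; Signer = $fields[2]; SHA256 = $sha256; Verified = $true }
```

Run it as `.\Verify-Putty.ps1 -ExpectedFingerprint '<fingerprint you verified out of band>'`. The fingerprint pin is the important part: gpg's "not certified with a trusted signature" warning does not change its exit code, so without the VALIDSIG check any key that happened to be in the keyring would pass. Importing the key is the one step this script cannot do for you; that is where the answer's advice to verify the key with a trusted signer applies.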
5

As of May 2017 (!), the official PuTTY website is available over HTTPS.

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Combined with the HTTPS download links added a little while earlier, this finally provides the first practical way to download a verified copy of PuTTY.

Welcome to the future.

Anders Kaseorg
3

It's nearly impossible to verify that you get a clean copy of putty, as described in this neat article (not written by me):

https://noncombatant.org/2014/03/03/downloading-software-safely-is-nearly-impossible/

TL;DR of the article: Putty binaries, signatures and download sites cannot be trusted because they do not even use SSL/HTTPS. It would be very easy for a man-in-the-middle attacker to modify the signatures and the binaries, and give you an evil version of putty.exe with a signature/checksum that corresponds to the intercepted executable.

Robert Mennell
user158443
  • 1
    Except: https://the.earth.li/~sgtatham/putty/0.65/x86/ which is the official download source .... It uses TLS and the files that the author couldn't download, downloaded fine for me. – schroeder Oct 22 '15 at 03:06
  • 2
    While this download URL does use TLS, it's not totally obvious to a new user of putty that this URL is the official download location. The identity of that server is not clearly connected to the putty software, so without knowing it has been that way for years, it is hard to trust it. – Mnebuerquo Aug 22 '16 at 13:30
  • @schroeder if you bothered to read the article I linked to, it states why that URL is not a good idea. – user158443 Feb 23 '17 at 08:53
  • I'm responding to your comment that it does not use TLS: it does. You may have other reasons for not wanting to use it, but that part of your answer is incorrect. (I got the link from the article you cite...) – schroeder Feb 28 '17 at 07:39
1

Another good option is the official WinSCP website; the connection is secured with TLS.

Yassin
1

Download the same version from the top-10 results for "putty homepage" returned by your favorite search engine, and compare them. If they are not all completely the same, abort the installation. Otherwise, install it (from any of the downloaded bitwise-identical copies, of course).

If you need more security, interpolate results from different search engines and increase the number of downloads.

Simple, effective, and usually works quite well for such low amount of effort.

To be more sure, download the source, have several top-notch security experts, cryptographers and programmers audit it all (including all libraries as well as compilers), and pay the cost -- and probably still be hit by the next Heartbleed bug.

Matija Nalis
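The N-way comparison this answer describes, as an added PowerShell example that is not part of the original answer. It assumes you have already collected the candidate download URLs by hand from the search results; the function decides nothing about which of them is "official", it only enforces the answer's rule that every copy must be bitwise identical (a failed download counts as a disagreement rather than being silently dropped).

```powershell
# Added example, not from the original page. $Urls are the download links you
# collected from the search results yourself (assumption: all point at the same
# version, as the answer requires).
function Compare-Downloads {
    param(
        [Parameter(Mandatory = $true)] [string[]]$Urls,
        [string]$OutDir = (Join-Path $env:TEMP "putty-compare")
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    # Download every copy and hash it; record failures instead of skipping them.
    $results = @(foreach ($i in 0..($Urls.Count - 1)) {
        $path = Join-Path $OutDir ("copy{0}.bin" -f $i)
        try {
            Invoke-WebRequest -Uri $Urls[$i] -OutFile $path -UseBasicParsing -ErrorAction Stop
            [pscustomobject]@{ Url = $Urls[$i]; SHA256 = (Get-FileHash -Algorithm SHA256 -Path $path).Hash }
        } catch {
            [pscustomobject]@{ Url = $Urls[$i]; SHA256 = "DOWNLOAD-FAILED: $($_.Exception.Message)" }
        }
    })

    # Group by hash so a disagreement shows exactly which sources differ.
    $groups = @($results | Group-Object -Property SHA256)
    foreach ($g in $groups) {
        Write-Host ("{0,3} copies  {1}" -f $g.Count, $g.Name)
        foreach ($u in $g.Group.Url) { Write-Host "      $u" }
    }

    # The answer's rule: install only if all copies are bitwise identical.
    $allSame   = ($groups.Count -eq 1)
    $anyFailed = ($results | Where-Object { $_.SHA256 -like 'DOWNLOAD-FAILED*' }).Count -gt 0
    return ($allSame -and -not $anyFailed)
}

# Usage: abort unless every copy matches.
# if (-not (Compare-Downloads -Urls @('https://example.invalid/a/putty.exe', 'https://example.invalid/b/putty.exe'))) {
#     throw "Copies differ; aborting installation"
# }
```

The usage URLs in the comment are placeholders; substitute the links from your own search results. Hashing with SHA-256 rather than comparing bytes directly is only a convenience for reporting; two files with equal SHA-256 are treated as the same copy, which is the comparison the answer relies on.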
-9

If you are ever in doubt about any download and are not set up to verify the download and test the install, a reasonably safe alternative is to get the program from CNET. The site says it has been scanned to ensure it is virus and spyware free. Putty is available at http://download.cnet.com/PuTTY/3000-7240_4-10808581.html.

rman
  • 14
    CNET got a lot of bad press (http://www.theregister.co.uk/2011/12/06/cnet_nmap_toolbar_wrapping_row/) a while back for bundling toolbars, spyware and other junk with legitimate programs like nmap. – Polynomial Nov 15 '12 at 20:49
  • 2
    CNET is one of our biggest offenders for drive-by downloads that our AV has to clean up. -1 – oBreak May 20 '15 at 17:55