posted by on Wednesday February 22 2017, @05:33PM
from the no-so-silly-PuTTY dept.

PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. A new release of PuTTY was recently announced; it can be downloaded from the PuTTY latest release page.

From the changelog page:

These features are new in 0.68 (released 2017-02-21):

  • Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
  • Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were). See vuln-indirect-dll-hijack.
  • Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
  • The Windows PuTTY tools now come in a 64-bit version.
  • The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
  • Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
  • Support for importing and exporting OpenSSH's new private key format.
  • Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
  • Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.
  • The Unix GUI PuTTY tools can now be built against GTK 3.
  • There is now a Unix version of Pageant.

When I first started on as staff on SoylentNews, I was running Windows XP and discovered I needed a secure client to gain terminal access to our SoylentNews servers. One of the sysops here suggested PuTTY and guided me in its installation and setup. The UI for this program is, to be kind, different from any other program I have used, yet it seems to be self-consistent in its idiosyncrasies.

Since then, I've moved on to running Windows 7 Pro x64 and have carried over my PuTTY install. I'll likely install the upgrade in a few days (letting others catch any as-yet unfound bugs) but I am curious what else is out there.

What programs do my fellow Soylentils use for secure terminal access to remote servers from Windows?

[Ed Note - Link from 0.68 fixed. Thanks wonkey_monkey. - Fnord666]



 
  • (Score: 4, Interesting) by bryan on Wednesday February 22 2017, @06:36PM

    by bryan (29) <bryan@pipedot.org> on Wednesday February 22 2017, @06:36PM (#470331)

    but nobody who downloads a binary has any assurance that they received the binary blob that the developer intended. At least the signature files are finally provided via HTTPS

    First part of that quote doesn't seem to agree with the second. Sending signatures over an insecure medium (like email) was one of the original uses of the PGP system, was it not?

    The official page may not use HTTPS, but all the download links and GPG signatures do. If you really prefer HTTPS for everything, you could also try one of the unofficial mirrors [greenend.org.uk], I'm sure some of them have HTTPS set up correctly (although you would then have to trust them as well.)

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday February 22 2017, @06:58PM

    by Anonymous Coward on Wednesday February 22 2017, @06:58PM (#470349)

    The official page may not use HTTPS, but all the download links and GPG signatures do.

    Well, it's kind of pointless to have HTTPS downloads if the site serving the links is on insecure HTTP, because the man-in-the-middle attacker can simply attack that site and replace all the links with different ones.

    That being said, HTTPS download mirrors provide very little assurance that you are getting an uncompromised file. It will help against man-in-the-middle attackers, and may improve privacy somewhat. But it does not help against compromised web servers, which happens all the time. Developers pretty much never check their old package tarballs for tampering, even if they might notice tampering on the development repository.

    So that's why you always need GPG signatures for release archives. Fortunately, PuTTY supplies those, so it is possible to securely verify your downloads.
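
The signature check discussed in the comments above only helps if the signer's fingerprint was obtained independently of the download page. As an added example (not part of the original thread and not PuTTY's own tooling), this Python code reads GnuPG's machine-readable `--status-fd` output and accepts a download only when a valid signature comes from a pinned fingerprint; the fingerprints, function names and sample status lines are constructed placeholders.

```python
import subprocess

# GnuPG status keywords (doc/DETAILS) that mean the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed placeholders, NOT PuTTY's real release key fingerprint.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"


def sample_status(fpr):
    """Constructed --status-fd output for a valid signature made by key fpr."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} Example Release Key\n"
            f"[GNUPG:] VALIDSIG {fpr} 2017-02-21 1487635200 0 4 0 1 8 00 {fpr}\n")


BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {PINNED[-16:]} Example Release Key\n"


def normalize(fpr):
    """Fingerprints are often printed in spaced groups; compare them bare."""
    return fpr.replace(" ", "").upper()


def signer_is_pinned(status_text, pinned_fpr):
    """True only if the status output shows a valid signature made by the
    pinned key, or by a subkey whose primary key is the pinned key."""
    valid = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return False          # any failed signature rejects the file
        if keyword == "VALIDSIG" and args:
            valid.add(normalize(args[0]))       # signing (sub)key
            if len(args) >= 10:
                valid.add(normalize(args[9]))   # primary key fingerprint
    return normalize(pinned_fpr) in valid


def verify_download(sig_path, file_path, pinned_fpr, gpg="gpg"):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signer_is_pinned(proc.stdout, pinned_fpr)
```

A "good signature" from a key that is merely present in the keyring is rejected here, which covers the case where both the download link and the advertised key were swapped on an unauthenticated page.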

    • (Score: 2, Informative) by Anonymous Coward on Wednesday February 22 2017, @08:38PM

      by Anonymous Coward on Wednesday February 22 2017, @08:38PM (#470410)

      If you automatically trust every link on a site just because that site is served over HTTPS then you deserve whatever happens to you. Otherwise, you always look where a file is coming from before you download it. That's the only thing that matters here.