Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Is this version of PuTTY legit? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Is this version of PuTTY legit?

Write in from Andy (thanks Andy!) asking today if http://putty.very.rulez.org/ is a legit site to download putty (the popular tool to connect from a Windows box to Unix boxes via Telnet/SSH, etc.).

How did Andy find this site you ask?  Well, if you go to Google and type in "Putty" you'll notice that the above URL is SEO'ed ABOVE the actual putty.org website.

So far, when I downloaded both versions (from the above site, and from putty.org) the md5's match up, so right now, they are legit copies.  I'm not accusing rulez.org of doing anything inappropriate, don't get that impression.  I'm just using an abundance of caution, heck, they may be a legit mirror.  But as far as I can tell, they aren't on the authorized mirrors list, found here.

So, we prefer that you get your PuTTY downloads from the correct site.  Putty.org.  Which, if you click on the download link, it will redirect you to here.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Which is the actual download link.  

Thanks Andy for writing in and staying vigilant about watching those URL's!

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Joel

454 Posts
ISC Handler
The correct site has the following posting:

2010-05-17 Google listing confusion

Several users have pointed out to us recently that the top Google hit for "putty" is now not the official PuTTY site but a mirror that used to be listed on our Mirrors page.

The official PuTTY web page is still where it has always been:

http://www.chiark.greenend.org.uk/~sgtatham/putty/
Anonymous
Just to keep in mind, the matching of the MD5 of those files doesn't mean that they are the same tool...
vmforno

8 Posts
@vmforno - are MD5s that easily duplicated?
michael

1 Posts
It depends on the file type. The first MD5 collision was created by adding "junk bits" to a PDF file in places where the Reader didn't crash on them. If you could similarly pad a binary file and still have it do something, yes it could be that simple. The only real solution I know of is to compute two hashes for each file, like MD5 and SHA-1. So far it's impossible to pad a file so that collisions occur in both hash algorithms. Tripwire has had the option to check each file for both MD5 and SHA-1 for quite awhile to combat this.
Anonymous
So has anyone decided to report this to google yet? I just did. SEO's and google bombing are tools of the devil, as proven today.
Anonymous
So has anyone decided to report this to google yet? I just did. SEO's and google bombing are tools of the devil, as proven today.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!