by vog 3580 days ago
Indeed. I would really love to recommend Keepass, but their website is really ugly and makes the impression of a non-polished software - even though Keepass is absolutely mature and fine.

On the other hand, the PuTTY website is also everything but polished, but people have always been using it. Also, I suspect that most people will get it through the third-party site "www.putty.org" instead of the real PuTTY website, whose URL is as complicated as: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...

3 comments

> their website is really ugly

I don't think it's ugly -- just dated. Isn't it weird that mentally we trust software less if they have a dated website? Shouldn't it be the opposite? (As in: a dated website means this software is mature and tested?)

The problem with dated websites is that they have the appearance of being thrown on the web in 10 minutes and forgotten about rather than being mature and tested.

If the software is well supported and maintained then the website should be too.

It could also mean the software is abandoned and hasn't received security updates in a long time.

Isn't the mentality more to do with insecure sites having dated websites with misleading links etc.? Unless it's a known company, a dated/poor website often flags warnings for me about security, support for the product and more.

You know what always gets me: PuTTY's website isn't served over HTTPS. That software everyone downloads to type all their firewall and router credentials into... is from a website not served over HTTPS. I see the download and signature links are, but if I could have this non-HTTPS website offer up different links to your web browser...

The downloads are all GPG-signed, so that shouldn't be an issue. You have the issue of the initial trust, but that applies to HTTPS too to a lesser extent.

How many people do you think download the application, then check the signature? Additionally, if you can spoof the download link on this HTTP page, you can also spoof the signature link, and provide a fake signature matching your malicious package.

Frankly, about the same number of people as the number checking the HTTPS certificates are as expected. GPG does have the advantage though that once the public key is known and trusted, the package can't be tampered with on the server. (Authenticode might also work, but then you're back to trusting all the CAs that Windows does.)

Heh, it doesn't even look half bad if you drop the bettermotherfuckingwebsite css on it.
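The last few comments argue about whether a GPG signature helps when both the download link and the signature link come from an unauthenticated page. The point they converge on is that the signature only helps if the verifier checks *which key* signed, not merely that *some* key did. The script below is an added example, not code from the thread or from the PuTTY project: it verifies a detached signature and then compares the signing key's full fingerprint against one pinned out of band, so a package plus a matching signature from an attacker's key is rejected just like a tampered package. The fingerprint value, file names and keyring location are placeholders; gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: verify a download against a detached GPG signature AND a
# pinned key fingerprint. A swapped signature made with a different key
# still produces a GOODSIG line, so checking only the exit status of
# "gpg --verify" is not enough; the VALIDSIG status line carries the full
# fingerprint of the key that actually signed, and that is what we pin.
set -eu

# verify_pinned FILE SIG EXPECTED_FPR [GNUPGHOME]
# Returns 0 only if SIG is a good signature over FILE and the signing key's
# full fingerprint equals EXPECTED_FPR (40 hex chars, no spaces).
verify_pinned() {
    file=$1; sig=$2; want=$3; home=${4:-${GNUPGHOME:-$HOME/.gnupg}}
    # --status-fd 1 gives machine-readable "[GNUPG:] ..." lines on stdout.
    # gpg exits non-zero for a bad signature or an unknown key.
    status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 \
             --verify "$sig" "$file" 2>/dev/null) || return 1
    # Must be a good signature (not BADSIG / ERRSIG / NO_PUBKEY).
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG <fingerprint> <date> <timestamp> ... : field 3 is the fpr.
    got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ "$got" = "$want" ]
}

# Example invocation (placeholders): the fingerprint must come from a
# source other than the download page itself, e.g. a key you already hold.
# PUTTY_FPR='0000000000000000000000000000000000000000'  # placeholder
# verify_pinned putty-installer.msi putty-installer.msi.gpg "$PUTTY_FPR" \
#     && echo "signature OK and key matches pin" \
#     || echo "REJECT: bad signature or unexpected signing key"
```

The pinned fingerprint has to be obtained somewhere the attacker does not control (a key you imported earlier, a fingerprint printed in documentation you already trust), which is the "initial trust" problem the thread mentions; the script only removes the need to re-establish it on every download.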