by dublinben 4388 days ago
>we're all harping on javascript when you can't download PuTTY over an SSL connection

This shouldn't matter, and would just provide a false sense of security. You ought to be verifying the signature of any program you're installing before you use it. Since you're running Windows the point is probably moot, but it is possible to install software reasonably securely.


But those sigs are also coming over a non-SSL connection :-p

Honestly, whenever you download anything, even over SSL, you're essentially trusting that the remote computer is not only who you think the computer is, but that the person you expect to be controlling it is the only person controlling it.

Out-of-band communication built out of in-person trust is really the only way around that (i.e. trusting someone who trusts the PuTTY devs and gets you the hash/sig).

You only need to trust their signature to really be sure. That's why the Web of Trust aspect of PGP/GPG is so important. It's probably more valuable than the ability to encrypt a few emails.
It doesn't seem that PuTTY has made very effective use of this or managed to explain the problem to most of their users.

http://noncombatant.org/2014/03/03/downloading-software-safe... http://noncombatant.org/2014/03/05/followup-to-downloading-s...
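As an added illustration of the thread's point (example code, not from any of the commenters or from the PuTTY project): a gpg check that accepts a downloaded file only if the signature verifies and the signing key's fingerprint equals one pinned out of band, so a key and signature served from the same unauthenticated channel as the file buy nothing on their own. The pinned fingerprint and file names are placeholders.

```shell
#!/bin/sh
# Added example: verify a release file against a detached gpg signature,
# but only trust it if the signing key matches a fingerprint obtained
# out of band. PLACEHOLDER fingerprint, not a real PuTTY key.
PINNED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Normalize a fingerprint for comparison: drop whitespace, uppercase hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Pull the signing key's fingerprint out of gpg --status-fd output.
# gpg reports a good signature as: [GNUPG:] VALIDSIG <fingerprint> ...
fpr_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Succeed only if both fingerprints are non-empty and equal after normalizing.
fpr_matches() {
  [ -n "$1" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Verify FILE against SIG. A "good signature" alone is not enough: if the
# public key arrived over the same channel as the file, an attacker who
# controls that channel can sign a replaced file with their own key. The
# signature is accepted only when the reported key is the pinned one.
verify_release() {
  file="$1"; sig="$2"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
    echo "BAD: signature does not verify"; return 1; }
  fpr=$(printf '%s\n' "$status" | fpr_from_status)
  if fpr_matches "$fpr" "$PINNED_FPR"; then
    echo "OK: good signature from pinned key $fpr"
  else
    echo "BAD: signature verifies, but key $fpr is not the pinned one"
    return 1
  fi
}

# Usage: verify_release putty.exe putty.exe.gpg
```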