Is this version of PuTTY legit?

Published: 2010-05-20
Last Updated: 2010-05-20 18:07:56 UTC
by Joel Esler (Version: 2)
6 comment(s)

Write in from Andy (thanks Andy!) asking today if http://putty.very.rulez.org/ is a legit site to download putty (the popular tool to connect from a Windows box to Unix boxes via Telnet/SSH, etc.).

How did Andy find this site you ask?  Well, if you go to Google and type in "Putty" you'll notice that the above URL is SEO'ed ABOVE the actual putty.org website.

So far, when I downloaded both versions (from the above site, and from putty.org) the md5's match up, so right now, they are legit copies.  I'm not accusing rulez.org of doing anything inappropriate, don't get that impression.  I'm just using an abundance of caution, heck, they may be a legit mirror.  But as far as I can tell, they aren't on the authorized mirrors list, found here.

So, we prefer that you get your PuTTY downloads from the correct site.  Putty.org.  Which, if you click on the download link, it will redirect you to here.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Which is the actual download link.  

Thanks Andy for writing in and staying vigilant about watching those URL's!

UPDATE: A write in reminds us that using gpg to verify the packages is preferred.  I agree.

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Keywords:
6 comment(s)

Comments

The correct site has the following posting:

2010-05-17 Google listing confusion

Several users have pointed out to us recently that the top Google hit for "putty" is now not the official PuTTY site but a mirror that used to be listed on our Mirrors page.

The official PuTTY web page is still where it has always been:

http://www.chiark.greenend.org.uk/~sgtatham/putty/
Just to keep in mind, the matching of the MD5 of those files doesn't mean that they are the same tool...
@vmforno - are MD5s that easily duplicated?
It depends on the file type. The first MD5 collision was created by adding "junk bits" to a PDF file in places where the Reader didn't crash on them. If you could similarly pad a binary file and still have it do something, yes it could be that simple. The only real solution I know of is to compute two hashes for each file, like MD5 and SHA-1. So far it's impossible to pad a file so that collisions occur in both hash algorithms. Tripwire has had the option to check each file for both MD5 and SHA-1 for quite awhile to combat this.
So has anyone decided to report this to google yet? I just did. SEO's and google bombing are tools of the devil, as proven today.
So has anyone decided to report this to google yet? I just did. SEO's and google bombing are tools of the devil, as proven today.

Diary Archives