mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
211 lines
9.3 KiB
Plaintext
211 lines
9.3 KiB
Plaintext
|
\A{privacy} PuTTY privacy considerations
|
||
|
|
||
|
This appendix lists the implications of using PuTTY for your privacy
|
||
|
and personal data.
|
||
|
|
||
|
The short summary: PuTTY never \q{phones home} to us, the developers.
|
||
|
It does store data on your own computer, and it does transmit data
|
||
|
over the network, but in both cases, only as necessary to do its job.
|
||
|
In particular, data is only transmitted over the network to the server
|
||
|
you told PuTTY to connect to.
|
||
|
|
||
|
But if you're concerned about exactly \e{what} information is stored
|
||
|
or transmitted, then here's a more detailed description.
|
||
|
|
||
|
\H{privacy-local}Information that PuTTY stores locally
|
||
|
|
||
|
When you use PuTTY, it stores a small amount of information on your
|
||
|
computer, necessary for doing its own job. This information is stored
|
||
|
in the user account of the user who runs PuTTY, so it is under your
|
||
|
control: you can view it, change it, or delete it.
|
||
|
|
||
|
If you need to delete all of this data, you can use the \c{-cleanup}
|
||
|
command-line option, as described in \k{using-cleanup}.
|
||
|
|
||
|
PuTTY does not transmit your saved session data to any other site.
|
||
|
However, you may need to be aware of the fact that it is stored on
|
||
|
\e{your} computer. (For example, somebody else accessing your computer
|
||
|
might be able to find a list of sites you have connected to, if you
|
||
|
have saved details of them.)
|
||
|
|
||
|
\H{privacy-hostkeys} Host key cache
|
||
|
|
||
|
If you use the SSH protocol, then PuTTY stores a list of the SSH
|
||
|
servers you have connected to, together with their host keys.
|
||
|
|
||
|
This is known as the \q{host key cache}. It is used to detect network
|
||
|
attacks, by notifying you if a server you've connected to before
|
||
|
doesn't look like the same one you thought it was. (See \k{gs-hostkey}
|
||
|
for a basic introduction to host keys.)
|
||
|
|
||
|
The host key cache is optional. An entry is only saved in the host key
|
||
|
cache if you select the \q{Accept} action at one of the PuTTY suite's
|
||
|
host key verification prompts. So if you want to make an SSH
|
||
|
connection without PuTTY saving any trace of where you connected to,
|
||
|
you can press \q{Connect Once} instead of \q{Accept}, which does not
|
||
|
store the host key in the cache. However, if you do this, PuTTY can't
|
||
|
automatically detect the host key changing in the future, so you
|
||
|
should check the key fingerprint yourself every time you connect.
|
||
|
|
||
|
The host key cache is only used by SSH. No other protocol supported
|
||
|
by PuTTY has any analogue of it.
|
||
|
|
||
|
\H{privacy-savedsessions} Saved sessions
|
||
|
|
||
|
After you set up PuTTY's configuration for a particular network
|
||
|
connection, you can choose to save it as a \q{saved session}, so that
|
||
|
you can make the same connection again later without having to
|
||
|
re-enter all the details.
|
||
|
|
||
|
PuTTY will not do this unless you use the \q{Save} button in its
|
||
|
configuration box. It never saves session configuration automatically.
|
||
|
|
||
|
So if you want to make an SSH connection without leaving any trace of
|
||
|
where you connected to, you should not make a saved session for that
|
||
|
connection. Instead, re-enter the details by hand every time you do
|
||
|
it.
|
||
|
|
||
|
\H{privacy-logfiles} Log files
|
||
|
|
||
|
PuTTY can be configured to save a log file of your entire session to
|
||
|
the computer you run it on. By default it does not do so: the content
|
||
|
of your session is not saved.
|
||
|
|
||
|
See \k{config-logging} for details of the logging features. Some
|
||
|
logging modes store only output sent by the server and printed in
|
||
|
PuTTY's terminal window. Other more thorough modes also store your
|
||
|
input that PuTTY sends \e{to} the server.
|
||
|
|
||
|
If the logging feature is enabled, then by default, PuTTY will avoid
|
||
|
saving data in the log file that it knows to be sensitive, such as
|
||
|
passwords. However, it cannot reliably identify \e{all} passwords. If
|
||
|
you use a password for your initial login to an SSH server, PuTTY
|
||
|
knows that is a password, and will omit it from the log file. But if
|
||
|
after login you type a password into an application on the server,
|
||
|
then PuTTY will not know that \e{that} is a password, so it will
|
||
|
appear in the log file, if PuTTY is writing a type that includes
|
||
|
keyboard input.
|
||
|
|
||
|
PuTTY can also be configured to include all passwords in its log
|
||
|
files, even the ones it would normally leave out. This is intended for
|
||
|
debugging purposes, for example if a server is refusing your password
|
||
|
and you need to check whether the password is being sent correctly. We
|
||
|
do not recommend enabling this option routinely.
|
||
|
|
||
|
\H{privacy-randomseed} Random seed file
|
||
|
|
||
|
PuTTY stores a small file of random bytes under the name
|
||
|
\cq{putty.rnd}, which is reloaded the next time it is run and used to
|
||
|
seed its random number generator. These bytes are meaningless and
|
||
|
random, and do not contain an encrypted version of anything.
|
||
|
|
||
|
\H{privacy-network} Sending information over the network
|
||
|
|
||
|
PuTTY is a communications tool. Its \e{purpose} is to connect to
|
||
|
another computer, over a network or a serial port, and send
|
||
|
information. However it only makes the network connections that its
|
||
|
configuration instructs it to.
|
||
|
|
||
|
\H{privacy-nophonehome} PuTTY only connects to the specified destination host
|
||
|
|
||
|
No PuTTY tool will \q{phone home} to any site under the control of us
|
||
|
(the development team), or to any other site apart from the
|
||
|
destination host or proxy host in its configuration.
|
||
|
|
||
|
No information about your network sessions, and no information from
|
||
|
the computer you run PuTTY on, is collected or recorded by the PuTTY
|
||
|
developers.
|
||
|
|
||
|
Information you provide to PuTTY (via keyboard input, the command
|
||
|
line, or files loaded by the file transfer tools) is sent to the
|
||
|
server that PuTTY's configuration tells it to connect to. It is not
|
||
|
sent anywhere else.
|
||
|
|
||
|
\H{privacy-whatdata} What data is sent to the destination host
|
||
|
|
||
|
When you log in to a server, PuTTY will send your username. If you use
|
||
|
a password to authenticate to the server, PuTTY will send it that
|
||
|
password as well.
|
||
|
|
||
|
(Therefore, the server is told what your password is during login.
|
||
|
This means that if you use the same password on two servers, the
|
||
|
administrator of one could find out your password and log in to your
|
||
|
account on the other.)
|
||
|
|
||
|
If you use an SSH private key to authenticate, PuTTY will send the
|
||
|
\e{public} key, but not the private key. If you typed a passphrase to
|
||
|
decrypt the private key, PuTTY will not send the passphrase either.
|
||
|
|
||
|
(Therefore, it is safer to use the same \e{public key} to authenticate
|
||
|
to two SSH servers. Neither server gains the ability to impersonate
|
||
|
you to the other server. However, if the server maintainers talked to
|
||
|
each other, they would at least be able to find out that your accounts
|
||
|
on the two machines were owned by the same person, if they didn't
|
||
|
already know.)
|
||
|
|
||
|
When PuTTY prompts for a private key passphrase, a small copy of the
|
||
|
PuTTY icon appears to the left of the prompt, to indicate that the
|
||
|
prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.)
|
||
|
That icon never appears next to text sent from the server. So if a
|
||
|
server tries to mimic that prompt to trick you into telling it your
|
||
|
private key passphrase, it won't be able to fake that trust sigil, and
|
||
|
you can tell the difference.
|
||
|
|
||
|
If you're running Pageant, and you haven't configured a specific
|
||
|
public key to authenticate to this server, then PuTTY will try all the
|
||
|
keys in Pageant one after the other, sending each public key to the
|
||
|
server to see if it's acceptable. This can lead to the server finding
|
||
|
out about other public keys you own. However, if you configure PuTTY
|
||
|
to use a specific public key, then it will ignore all the other keys
|
||
|
in Pageant.
|
||
|
|
||
|
Once you have logged in, keystrokes you type in the PuTTY terminal
|
||
|
window, and data you paste in with the mouse, are sent to the
|
||
|
destination host. That is PuTTY's primary job.
|
||
|
|
||
|
The server can request PuTTY to send details of mouse movements in the
|
||
|
terminal window, in order to implement mouse-controlled user
|
||
|
interfaces on the server. If you consider this to be a privacy
|
||
|
intrusion, you can turn off that terminal feature in the Features
|
||
|
configuration panel (\q{Disable xterm-style mouse reporting}, as
|
||
|
described in \k{config-features-mouse}).
|
||
|
|
||
|
\H{privacy-config} Configuration
|
||
|
|
||
|
The operation of a PuTTY network tool is controlled by its
|
||
|
configuration. This configuration is obtained from:
|
||
|
|
||
|
\b the command line used to run the tool
|
||
|
|
||
|
\b settings configured in the GUI before opening a network session
|
||
|
|
||
|
\b optionally, the contents of a saved session, if the command line
|
||
|
or a GUI action instructed PuTTY to load one
|
||
|
|
||
|
\b the special saved session called \q{Default Settings}, which
|
||
|
applies if no other saved session is loaded
|
||
|
|
||
|
\b defaults built in to PuTTY itself.
|
||
|
|
||
|
The defaults built in to PuTTY do not tell it to save log files, or
|
||
|
specify the name of any network site to connect to.
|
||
|
|
||
|
However, if PuTTY has been installed for you by somebody else, such as
|
||
|
an organisation, then that organisation may have provided their own
|
||
|
default configuration. In that situation you may wish to check that
|
||
|
the defaults they have set are compatible with your privacy needs. For
|
||
|
example, an organisation providing your PuTTY configuration might
|
||
|
configure PuTTY to save log files of your sessions, even though
|
||
|
PuTTY's own default is not to do so.
|
||
|
|
||
|
\H{privacy-modified} Modified versions of PuTTY
|
||
|
|
||
|
PuTTY is free software. Its source code is available, so anyone can
|
||
|
make a modified version of it. The modified version can behave
|
||
|
differently from the original in any way it likes.
|
||
|
|
||
|
This list of privacy considerations only applies to the original
|
||
|
version of PuTTY, as distributed by its development team. We cannot
|
||
|
make any promises about the behaviour of modified versions distributed
|
||
|
by other people.
|