diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 293cd6f1..ef77eb12 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -82,6 +82,7 @@ if(HALIBUT AND PERL_EXECUTABLE) ${CMAKE_CURRENT_SOURCE_DIR}/pgpkeys.but ${CMAKE_CURRENT_SOURCE_DIR}/sshnames.but ${CMAKE_CURRENT_SOURCE_DIR}/authplugin.but + ${CMAKE_CURRENT_SOURCE_DIR}/privacy.but ${CMAKE_CURRENT_SOURCE_DIR}/index.but ${VERSION_BUT}) diff --git a/doc/privacy.but b/doc/privacy.but new file mode 100644 index 00000000..7f8f4f17 --- /dev/null +++ b/doc/privacy.but 
@@ -0,0 +1,210 @@ +\A{privacy} PuTTY privacy considerations + +This appendix lists the implications of using PuTTY for your privacy +and personal data. + +The short summary: PuTTY never \q{phones home} to us, the developers. +It does store data on your own computer, and it does transmit data +over the network, but in both cases, only as necessary to do its job. +In particular, data is only transmitted over the network to the server +you told PuTTY to connect to. + +But if you're concerned about exactly \e{what} information is stored +or transmitted, then here's a more detailed description. + +\H{privacy-local}Information that PuTTY stores locally + +When you use PuTTY, it stores a small amount of information on your +computer, necessary for doing its own job. This information is stored +in the user account of the user who runs PuTTY, so it is under your +control: you can view it, change it, or delete it. + +If you need to delete all of this data, you can use the \c{-cleanup} +command-line option, as described in \k{using-cleanup}. + +PuTTY does not transmit your saved session data to any other site. +However, you may need to be aware of the fact that it is stored on +\e{your} computer. (For example, somebody else accessing your computer +might be able to find a list of sites you have connected to, if you +have saved details of them.) + +\H{privacy-hostkeys} Host key cache + +If you use the SSH protocol, then PuTTY stores a list of the SSH +servers you have connected to, together with their host keys. + +This is known as the \q{host key cache}. It is used to detect network +attacks, by notifying you if a server you've connected to before +doesn't look like the same one you thought it was. (See \k{gs-hostkey} +for a basic introduction to host keys.) + +The host key cache is optional. An entry is only saved in the host key +cache if you select the \q{Accept} action at one of the PuTTY suite's +host key verification prompts. 
So if you want to make an SSH +connection without PuTTY saving any trace of where you connected to, +you can press \q{Connect Once} instead of \q{Accept}, which does not +store the host key in the cache. However, if you do this, PuTTY can't +automatically detect the host key changing in the future, so you +should check the key fingerprint yourself every time you connect. + +The host key cache is only used by SSH. No other protocol supported +by PuTTY has any analogue of it. + +\H{privacy-savedsessions} Saved sessions + +After you set up PuTTY's configuration for a particular network +connection, you can choose to save it as a \q{saved session}, so that +you can make the same connection again later without having to +re-enter all the details. + +PuTTY will not do this unless you use the \q{Save} button in its +configuration box. It never saves session configuration automatically. + +So if you want to make an SSH connection without leaving any trace of +where you connected to, you should not make a saved session for that +connection. Instead, re-enter the details by hand every time you do +it. + +\H{privacy-logfiles} Log files + +PuTTY can be configured to save a log file of your entire session to +the computer you run it on. By default it does not do so: the content +of your session is not saved. + +See \k{config-logging} for details of the logging features. Some +logging modes store only output sent by the server and printed in +PuTTY's terminal window. Other more thorough modes also store your +input that PuTTY sends \e{to} the server. + +If the logging feature is enabled, then by default, PuTTY will avoid +saving data in the log file that it knows to be sensitive, such as +passwords. However, it cannot reliably identify \e{all} passwords. If +you use a password for your initial login to an SSH server, PuTTY +knows that is a password, and will omit it from the log file. 
But if +after login you type a password into an application on the server, +then PuTTY will not know that \e{that} is a password, so it will +appear in the log file, if PuTTY is writing a type that includes +keyboard input. + +PuTTY can also be configured to include all passwords in its log +files, even the ones it would normally leave out. This is intended for +debugging purposes, for example if a server is refusing your password +and you need to check whether the password is being sent correctly. We +do not recommend enabling this option routinely. + +\H{privacy-randomseed} Random seed file + +PuTTY stores a small file of random bytes under the name +\cq{putty.rnd}, which is reloaded the next time it is run and used to +seed its random number generator. These bytes are meaningless and +random, and do not contain an encrypted version of anything. + +\H{privacy-network} Sending information over the network + +PuTTY is a communications tool. Its \e{purpose} is to connect to +another computer, over a network or a serial port, and send +information. However it only makes the network connections that its +configuration instructs it to. + +\H{privacy-nophonehome} PuTTY only connects to the specified destination host + +No PuTTY tool will \q{phone home} to any site under the control of us +(the development team), or to any other site apart from the +destination host or proxy host in its configuration. + +No information about your network sessions, and no information from +the computer you run PuTTY on, is collected or recorded by the PuTTY +developers. + +Information you provide to PuTTY (via keyboard input, the command +line, or files loaded by the file transfer tools) is sent to the +server that PuTTY's configuration tells it to connect to. It is not +sent anywhere else. + +\H{privacy-whatdata} What data is sent to the destination host + +When you log in to a server, PuTTY will send your username. 
If you use +a password to authenticate to the server, PuTTY will send it that +password as well. + +(Therefore, the server is told what your password is during login. +This means that if you use the same password on two servers, the +administrator of one could find out your password and log in to your +account on the other.) + +If you use an SSH private key to authenticate, PuTTY will send the +\e{public} key, but not the private key. If you typed a passphrase to +decrypt the private key, PuTTY will not send the passphrase either. + +(Therefore, it is safer to use the same \e{public key} to authenticate +to two SSH servers. Neither server gains the ability to impersonate +you to the other server. However, if the server maintainers talked to +each other, they would at least be able to find out that your accounts +on the two machines were owned by the same person, if they didn't +already know.) + +When PuTTY prompts for a private key passphrase, a small copy of the +PuTTY icon appears to the left of the prompt, to indicate that the +prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.) +That icon never appears next to text sent from the server. So if a +server tries to mimic that prompt to trick you into telling it your +private key passphrase, it won't be able to fake that trust sigil, and +you can tell the difference. + +If you're running Pageant, and you haven't configured a specific +public key to authenticate to this server, then PuTTY will try all the +keys in Pageant one after the other, sending each public key to the +server to see if it's acceptable. This can lead to the server finding +out about other public keys you own. However, if you configure PuTTY +to use a specific public key, then it will ignore all the other keys +in Pageant. + +Once you have logged in, keystrokes you type in the PuTTY terminal +window, and data you paste in with the mouse, are sent to the +destination host. That is PuTTY's primary job. 
+ +The server can request PuTTY to send details of mouse movements in the +terminal window, in order to implement mouse-controlled user +interfaces on the server. If you consider this to be a privacy +intrusion, you can turn off that terminal feature in the Features +configuration panel (\q{Disable xterm-style mouse reporting}, as +described in \k{config-features-mouse}). + +\H{privacy-config} Configuration + +The operation of a PuTTY network tool is controlled by its +configuration. This configuration is obtained from: + +\b the command line used to run the tool + +\b settings configured in the GUI before opening a network session + +\b optionally, the contents of a saved session, if the command line +or a GUI action instructed PuTTY to load one + +\b the special saved session called \q{Default Settings}, which +applies if no other saved session is loaded + +\b defaults built in to PuTTY itself. + +The defaults built in to PuTTY do not tell it to save log files, or +specify the name of any network site to connect to. + +However, if PuTTY has been installed for you by somebody else, such as +an organisation, then that organisation may have provided their own +default configuration. In that situation you may wish to check that +the defaults they have set are compatible with your privacy needs. For +example, an organisation providing your PuTTY configuration might +configure PuTTY to save log files of your sessions, even though +PuTTY's own default is not to do so. + +\H{privacy-modified} Modified versions of PuTTY + +PuTTY is free software. Its source code is available, so anyone can +make a modified version of it. The modified version can behave +differently from the original in any way it likes. + +This list of privacy considerations only applies to the original +version of PuTTY, as distributed by its development team. We cannot +make any promises about the behaviour of modified versions distributed +by other people.
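Review bot: the \H{privacy-nophonehome} statement that no PuTTY tool connects "to any other site apart from the destination host or proxy host in its configuration" needs a caveat for name resolution. When the configured host is a name rather than an address, PuTTY hands it to the operating system's resolver, so the host name is sent to whatever DNS server the system is configured to use; only if the Proxy panel's "do DNS name lookup at proxy end" option is selected does the name go to the proxy instead. Suggest a sentence under \H{privacy-network} saying this, with a \k cross-reference to that proxy option. Smaller points in the same hunk: (1) the \H{privacy-local} inventory of locally stored data omits the Windows jump list of recently used saved sessions, which records session names and is also cleared by \c{-cleanup}; (2) \H{privacy-randomseed} gives \cq{putty.rnd} as the file name, but that is the Windows name, and the Unix port keeps the seed as \cq{randomseed} in the \cq{~/.putty} directory, so either name both or say "for example"; (3) in \H{privacy-logfiles}, "PuTTY knows that is a password, and will omit it from the log file" holds only for the SSH packet log types and only while the \q{Omit known password fields} option in the logging panel is left at its default, so cross-reference that option specifically rather than \k{config-logging} alone; (4) in \H{privacy-whatdata}, the trust sigil paragraph says the icon appears when PuTTY prompts for a private key passphrase, but it is shown beside every prompt PuTTY itself issues in the terminal window (username, password and passphrase prompts alike), so broaden the sentence; (5) in the same section, public-key authentication sends not just the public key but also a signature made with the private key over data specific to that session, which is worth stating because it is the reason the server cannot replay the exchange to impersonate you elsewhere, the claim the following parenthetical relies on.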