From b7da41a1a3b5e3595b7d3be0f7116c2f74e80d98 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 27 Sep 2024 10:14:41 +0100
Subject: [PATCH] Add a docs appendix about privacy considerations.

During the 0.81 release process, I found out that the Windows Store now requires applications to provide a privacy policy, so I had to write one in order to get 0.81 into the Store.

This initially seemed like makework (especially having to do it in a hurry as a prerequisite to get a really important security fix distributed!). But after I started writing it, I found there was actually quite a lot to say. It's easy to think "PuTTY doesn't phone home to the developers, that's all, we're done". But of course it _does_ store information on your machine (host key cache, saved sessions, etc). And it does send information to servers on the network (only the ones you ask it to, but even so). And it's not 100% obvious in every case what is and isn't stored, and what a privacy-conscious individual might be revealing about themself by doing this or that thing.

So I think the web page I hastily put up at the time of the 0.81 release deserves to be promoted into part of the documentation. Here's a (very lightly) copy-edited version in the form of a docs appendix.

(Once this is committed and built, I expect I'll turn the privacy web page into a mirror of this docs appendix, in the same way as the website FAQ and feedback pages.)
---
 doc/CMakeLists.txt |   1 +
 doc/privacy.but    | 210 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
 create mode 100644 doc/privacy.but

diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 293cd6f1..ef77eb12 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -82,6 +82,7 @@ if(HALIBUT AND PERL_EXECUTABLE) ${CMAKE_CURRENT_SOURCE_DIR}/pgpkeys.but ${CMAKE_CURRENT_SOURCE_DIR}/sshnames.but ${CMAKE_CURRENT_SOURCE_DIR}/authplugin.but + ${CMAKE_CURRENT_SOURCE_DIR}/privacy.but ${CMAKE_CURRENT_SOURCE_DIR}/index.but ${VERSION_BUT}) diff --git a/doc/privacy.but b/doc/privacy.but new file mode 100644 index 00000000..7f8f4f17 --- /dev/null +++ b/doc/privacy.but 
@@ -0,0 +1,210 @@ +\A{privacy} PuTTY privacy considerations + +This appendix lists the implications of using PuTTY for your privacy +and personal data. + +The short summary: PuTTY never \q{phones home} to us, the developers. +It does store data on your own computer, and it does transmit data +over the network, but in both cases, only as necessary to do its job. +In particular, data is only transmitted over the network to the server +you told PuTTY to connect to. + +But if you're concerned about exactly \e{what} information is stored +or transmitted, then here's a more detailed description. + +\H{privacy-local}Information that PuTTY stores locally + +When you use PuTTY, it stores a small amount of information on your +computer, necessary for doing its own job. This information is stored +in the user account of the user who runs PuTTY, so it is under your +control: you can view it, change it, or delete it. + +If you need to delete all of this data, you can use the \c{-cleanup} +command-line option, as described in \k{using-cleanup}. + +PuTTY does not transmit your saved session data to any other site. +However, you may need to be aware of the fact that it is stored on +\e{your} computer. (For example, somebody else accessing your computer +might be able to find a list of sites you have connected to, if you +have saved details of them.) + +\H{privacy-hostkeys} Host key cache + +If you use the SSH protocol, then PuTTY stores a list of the SSH +servers you have connected to, together with their host keys. + +This is known as the \q{host key cache}. It is used to detect network +attacks, by notifying you if a server you've connected to before +doesn't look like the same one you thought it was. (See \k{gs-hostkey} +for a basic introduction to host keys.) + +The host key cache is optional. An entry is only saved in the host key +cache if you select the \q{Accept} action at one of the PuTTY suite's +host key verification prompts. 
So if you want to make an SSH +connection without PuTTY saving any trace of where you connected to, +you can press \q{Connect Once} instead of \q{Accept}, which does not +store the host key in the cache. However, if you do this, PuTTY can't +automatically detect the host key changing in the future, so you +should check the key fingerprint yourself every time you connect. + +The host key cache is only used by SSH. No other protocol supported +by PuTTY has any analogue of it. + +\H{privacy-savedsessions} Saved sessions + +After you set up PuTTY's configuration for a particular network +connection, you can choose to save it as a \q{saved session}, so that +you can make the same connection again later without having to +re-enter all the details. + +PuTTY will not do this unless you use the \q{Save} button in its +configuration box. It never saves session configuration automatically. + +So if you want to make an SSH connection without leaving any trace of +where you connected to, you should not make a saved session for that +connection. Instead, re-enter the details by hand every time you do +it. + +\H{privacy-logfiles} Log files + +PuTTY can be configured to save a log file of your entire session to +the computer you run it on. By default it does not do so: the content +of your session is not saved. + +See \k{config-logging} for details of the logging features. Some +logging modes store only output sent by the server and printed in +PuTTY's terminal window. Other more thorough modes also store your +input that PuTTY sends \e{to} the server. + +If the logging feature is enabled, then by default, PuTTY will avoid +saving data in the log file that it knows to be sensitive, such as +passwords. However, it cannot reliably identify \e{all} passwords. If +you use a password for your initial login to an SSH server, PuTTY +knows that is a password, and will omit it from the log file. 
But if +after login you type a password into an application on the server, +then PuTTY will not know that \e{that} is a password, so it will +appear in the log file, if PuTTY is writing a type that includes +keyboard input. + +PuTTY can also be configured to include all passwords in its log +files, even the ones it would normally leave out. This is intended for +debugging purposes, for example if a server is refusing your password +and you need to check whether the password is being sent correctly. We +do not recommend enabling this option routinely. + +\H{privacy-randomseed} Random seed file + +PuTTY stores a small file of random bytes under the name +\cq{putty.rnd}, which is reloaded the next time it is run and used to +seed its random number generator. These bytes are meaningless and +random, and do not contain an encrypted version of anything. + +\H{privacy-network} Sending information over the network + +PuTTY is a communications tool. Its \e{purpose} is to connect to +another computer, over a network or a serial port, and send +information. However it only makes the network connections that its +configuration instructs it to. + +\H{privacy-nophonehome} PuTTY only connects to the specified destination host + +No PuTTY tool will \q{phone home} to any site under the control of us +(the development team), or to any other site apart from the +destination host or proxy host in its configuration. + +No information about your network sessions, and no information from +the computer you run PuTTY on, is collected or recorded by the PuTTY +developers. + +Information you provide to PuTTY (via keyboard input, the command +line, or files loaded by the file transfer tools) is sent to the +server that PuTTY's configuration tells it to connect to. It is not +sent anywhere else. + +\H{privacy-whatdata} What data is sent to the destination host + +When you log in to a server, PuTTY will send your username. 
If you use +a password to authenticate to the server, PuTTY will send it that +password as well. + +(Therefore, the server is told what your password is during login. +This means that if you use the same password on two servers, the +administrator of one could find out your password and log in to your +account on the other.) + +If you use an SSH private key to authenticate, PuTTY will send the +\e{public} key, but not the private key. If you typed a passphrase to +decrypt the private key, PuTTY will not send the passphrase either. + +(Therefore, it is safer to use the same \e{public key} to authenticate +to two SSH servers. Neither server gains the ability to impersonate +you to the other server. However, if the server maintainers talked to +each other, they would at least be able to find out that your accounts +on the two machines were owned by the same person, if they didn't +already know.) + +When PuTTY prompts for a private key passphrase, a small copy of the +PuTTY icon appears to the left of the prompt, to indicate that the +prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.) +That icon never appears next to text sent from the server. So if a +server tries to mimic that prompt to trick you into telling it your +private key passphrase, it won't be able to fake that trust sigil, and +you can tell the difference. + +If you're running Pageant, and you haven't configured a specific +public key to authenticate to this server, then PuTTY will try all the +keys in Pageant one after the other, sending each public key to the +server to see if it's acceptable. This can lead to the server finding +out about other public keys you own. However, if you configure PuTTY +to use a specific public key, then it will ignore all the other keys +in Pageant. + +Once you have logged in, keystrokes you type in the PuTTY terminal +window, and data you paste in with the mouse, are sent to the +destination host. That is PuTTY's primary job. 
+ +The server can request PuTTY to send details of mouse movements in the +terminal window, in order to implement mouse-controlled user +interfaces on the server. If you consider this to be a privacy +intrusion, you can turn off that terminal feature in the Features +configuration panel (\q{Disable xterm-style mouse reporting}, as +described in \k{config-features-mouse}). + +\H{privacy-config} Configuration + +The operation of a PuTTY network tool is controlled by its +configuration. This configuration is obtained from: + +\b the command line used to run the tool + +\b settings configured in the GUI before opening a network session + +\b optionally, the contents of a saved session, if the command line +or a GUI action instructed PuTTY to load one + +\b the special saved session called \q{Default Settings}, which +applies if no other saved session is loaded + +\b defaults built in to PuTTY itself. + +The defaults built in to PuTTY do not tell it to save log files, or +specify the name of any network site to connect to. + +However, if PuTTY has been installed for you by somebody else, such as +an organisation, then that organisation may have provided their own +default configuration. In that situation you may wish to check that +the defaults they have set are compatible with your privacy needs. For +example, an organisation providing your PuTTY configuration might +configure PuTTY to save log files of your sessions, even though +PuTTY's own default is not to do so. + +\H{privacy-modified} Modified versions of PuTTY + +PuTTY is free software. Its source code is available, so anyone can +make a modified version of it. The modified version can behave +differently from the original in any way it likes. + +This list of privacy considerations only applies to the original +version of PuTTY, as distributed by its development team. We cannot +make any promises about the behaviour of modified versions distributed +by other people.
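Review bot: in the new doc/privacy.but, the sub-topics of "Information that PuTTY stores locally" (\H{privacy-hostkeys}, \H{privacy-savedsessions}, \H{privacy-logfiles}, \H{privacy-randomseed}) and of "Sending information over the network" (\H{privacy-nophonehome}, \H{privacy-whatdata}, and arguably \H{privacy-config}) are written as \H headings at the same level as their parent sections, so the two-part structure the introduction sets up is flattened into nine sibling headings; consider demoting the sub-topics to Halibut's lower-level \S heading (e.g. `\S{privacy-hostkeys} Host key cache`) so the table of contents shows the grouping. Two smaller points in the same hunk: `\H{privacy-local}Information that PuTTY stores locally` is missing the space after the closing brace that every other heading has, and in the log-files section "if PuTTY is writing a type that includes keyboard input" reads as though a word has dropped out (suggest "if the selected logging mode includes keyboard input"). Finally, the cross-references \k{using-cleanup}, \k{gs-hostkey}, \k{config-logging} and \k{config-features-mouse} should be checked against the existing chapters to confirm each keyword resolves, since this file is the only one touched besides the CMake list.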