mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00

Add a docs appendix about privacy considerations.

During the 0.81 release process, I found out that the Windows Store
now requires applications to provide a privacy policy, so I had to
write one in order to get 0.81 into the Store.

This initially seemed like makework (especially having to do it in a
hurry as a prerequisite to get a really important security fix
distributed!). But after I started writing it, I found there was
actually quite a lot to say. It's easy to think "PuTTY doesn't phone
home to the developers, that's all, we're done". But of course it
_does_ store information on your machine (host key cache, saved
sessions, etc). And it does send information to servers on the
network (only the ones you ask it to, but even so). And it's not 100%
obvious in every case what is and isn't stored, and what a privacy-
conscious individual might be revealing about themself by doing this
or that thing.

So I think the web page I hastily put up at the time of the 0.81
release deserves to be promoted into part of the documentation. Here's
a (very lightly) copy-edited version in the form of a docs appendix.

(Once this is committed and built, I expect I'll turn the privacy web
page into a mirror of this docs appendix, in the same way as the
website FAQ and feedback pages.)
Simon Tatham 2024-09-27 10:14:41 +01:00
parent f80955488a
commit b7da41a1a3
2 changed files with 211 additions and 0 deletions


@ -82,6 +82,7 @@ if(HALIBUT AND PERL_EXECUTABLE)
${CMAKE_CURRENT_SOURCE_DIR}/pgpkeys.but ${CMAKE_CURRENT_SOURCE_DIR}/pgpkeys.but
${CMAKE_CURRENT_SOURCE_DIR}/sshnames.but ${CMAKE_CURRENT_SOURCE_DIR}/sshnames.but
${CMAKE_CURRENT_SOURCE_DIR}/authplugin.but ${CMAKE_CURRENT_SOURCE_DIR}/authplugin.but
${CMAKE_CURRENT_SOURCE_DIR}/privacy.but
${CMAKE_CURRENT_SOURCE_DIR}/index.but ${CMAKE_CURRENT_SOURCE_DIR}/index.but
${VERSION_BUT}) ${VERSION_BUT})
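Review bot: the new `${CMAKE_CURRENT_SOURCE_DIR}/privacy.but` entry is placed between `authplugin.but` and `index.but`, which is the right spot if the order of Halibut inputs in this list fixes the appendix order and the privacy appendix is meant to be the last one before the index; please confirm that this `if(HALIBUT AND PERL_EXECUTABLE)` block is the only place the `.but` sources are enumerated, since any other source list (for example one feeding a platform-specific help build) that is not updated in the same commit would silently produce a manual without the new appendix.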

doc/privacy.but Normal file

@ -0,0 +1,210 @@
\A{privacy} PuTTY privacy considerations
This appendix lists the implications of using PuTTY for your privacy
and personal data.
The short summary: PuTTY never \q{phones home} to us, the developers.
It does store data on your own computer, and it does transmit data
over the network, but in both cases, only as necessary to do its job.
In particular, data is only transmitted over the network to the server
you told PuTTY to connect to.
But if you're concerned about exactly \e{what} information is stored
or transmitted, then here's a more detailed description.
\H{privacy-local}Information that PuTTY stores locally
When you use PuTTY, it stores a small amount of information on your
computer, necessary for doing its own job. This information is stored
in the user account of the user who runs PuTTY, so it is under your
control: you can view it, change it, or delete it.
If you need to delete all of this data, you can use the \c{-cleanup}
command-line option, as described in \k{using-cleanup}.
PuTTY does not transmit your saved session data to any other site.
However, you may need to be aware of the fact that it is stored on
\e{your} computer. (For example, somebody else accessing your computer
might be able to find a list of sites you have connected to, if you
have saved details of them.)
\H{privacy-hostkeys} Host key cache
If you use the SSH protocol, then PuTTY stores a list of the SSH
servers you have connected to, together with their host keys.
This is known as the \q{host key cache}. It is used to detect network
attacks, by notifying you if a server you've connected to before
doesn't look like the same one you thought it was. (See \k{gs-hostkey}
for a basic introduction to host keys.)
The host key cache is optional. An entry is only saved in the host key
cache if you select the \q{Accept} action at one of the PuTTY suite's
host key verification prompts. So if you want to make an SSH
connection without PuTTY saving any trace of where you connected to,
you can press \q{Connect Once} instead of \q{Accept}, which does not
store the host key in the cache. However, if you do this, PuTTY can't
automatically detect the host key changing in the future, so you
should check the key fingerprint yourself every time you connect.
The host key cache is only used by SSH. No other protocol supported
by PuTTY has any analogue of it.
\H{privacy-savedsessions} Saved sessions
After you set up PuTTY's configuration for a particular network
connection, you can choose to save it as a \q{saved session}, so that
you can make the same connection again later without having to
re-enter all the details.
PuTTY will not do this unless you use the \q{Save} button in its
configuration box. It never saves session configuration automatically.
So if you want to make an SSH connection without leaving any trace of
where you connected to, you should not make a saved session for that
connection. Instead, re-enter the details by hand every time you do
it.
\H{privacy-logfiles} Log files
PuTTY can be configured to save a log file of your entire session to
the computer you run it on. By default it does not do so: the content
of your session is not saved.
See \k{config-logging} for details of the logging features. Some
logging modes store only output sent by the server and printed in
PuTTY's terminal window. Other more thorough modes also store your
input that PuTTY sends \e{to} the server.
If the logging feature is enabled, then by default, PuTTY will avoid
saving data in the log file that it knows to be sensitive, such as
passwords. However, it cannot reliably identify \e{all} passwords. If
you use a password for your initial login to an SSH server, PuTTY
knows that is a password, and will omit it from the log file. But if
after login you type a password into an application on the server,
then PuTTY will not know that \e{that} is a password, so it will
appear in the log file, if PuTTY is writing a type that includes
keyboard input.
PuTTY can also be configured to include all passwords in its log
files, even the ones it would normally leave out. This is intended for
debugging purposes, for example if a server is refusing your password
and you need to check whether the password is being sent correctly. We
do not recommend enabling this option routinely.
\H{privacy-randomseed} Random seed file
PuTTY stores a small file of random bytes under the name
\cq{putty.rnd}, which is reloaded the next time it is run and used to
seed its random number generator. These bytes are meaningless and
random, and do not contain an encrypted version of anything.
\H{privacy-network} Sending information over the network
PuTTY is a communications tool. Its \e{purpose} is to connect to
another computer, over a network or a serial port, and send
information. However it only makes the network connections that its
configuration instructs it to.
\H{privacy-nophonehome} PuTTY only connects to the specified destination host
No PuTTY tool will \q{phone home} to any site under the control of us
(the development team), or to any other site apart from the
destination host or proxy host in its configuration.
No information about your network sessions, and no information from
the computer you run PuTTY on, is collected or recorded by the PuTTY
developers.
Information you provide to PuTTY (via keyboard input, the command
line, or files loaded by the file transfer tools) is sent to the
server that PuTTY's configuration tells it to connect to. It is not
sent anywhere else.
\H{privacy-whatdata} What data is sent to the destination host
When you log in to a server, PuTTY will send your username. If you use
a password to authenticate to the server, PuTTY will send it that
password as well.
(Therefore, the server is told what your password is during login.
This means that if you use the same password on two servers, the
administrator of one could find out your password and log in to your
account on the other.)
If you use an SSH private key to authenticate, PuTTY will send the
\e{public} key, but not the private key. If you typed a passphrase to
decrypt the private key, PuTTY will not send the passphrase either.
(Therefore, it is safer to use the same \e{public key} to authenticate
to two SSH servers. Neither server gains the ability to impersonate
you to the other server. However, if the server maintainers talked to
each other, they would at least be able to find out that your accounts
on the two machines were owned by the same person, if they didn't
already know.)
When PuTTY prompts for a private key passphrase, a small copy of the
PuTTY icon appears to the left of the prompt, to indicate that the
prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.)
That icon never appears next to text sent from the server. So if a
server tries to mimic that prompt to trick you into telling it your
private key passphrase, it won't be able to fake that trust sigil, and
you can tell the difference.
If you're running Pageant, and you haven't configured a specific
public key to authenticate to this server, then PuTTY will try all the
keys in Pageant one after the other, sending each public key to the
server to see if it's acceptable. This can lead to the server finding
out about other public keys you own. However, if you configure PuTTY
to use a specific public key, then it will ignore all the other keys
in Pageant.
Once you have logged in, keystrokes you type in the PuTTY terminal
window, and data you paste in with the mouse, are sent to the
destination host. That is PuTTY's primary job.
The server can request PuTTY to send details of mouse movements in the
terminal window, in order to implement mouse-controlled user
interfaces on the server. If you consider this to be a privacy
intrusion, you can turn off that terminal feature in the Features
configuration panel (\q{Disable xterm-style mouse reporting}, as
described in \k{config-features-mouse}).
\H{privacy-config} Configuration
The operation of a PuTTY network tool is controlled by its
configuration. This configuration is obtained from:
\b the command line used to run the tool
\b settings configured in the GUI before opening a network session
\b optionally, the contents of a saved session, if the command line
or a GUI action instructed PuTTY to load one
\b the special saved session called \q{Default Settings}, which
applies if no other saved session is loaded
\b defaults built in to PuTTY itself.
The defaults built in to PuTTY do not tell it to save log files, or
specify the name of any network site to connect to.
However, if PuTTY has been installed for you by somebody else, such as
an organisation, then that organisation may have provided their own
default configuration. In that situation you may wish to check that
the defaults they have set are compatible with your privacy needs. For
example, an organisation providing your PuTTY configuration might
configure PuTTY to save log files of your sessions, even though
PuTTY's own default is not to do so.
\H{privacy-modified} Modified versions of PuTTY
PuTTY is free software. Its source code is available, so anyone can
make a modified version of it. The modified version can behave
differently from the original in any way it likes.
This list of privacy considerations only applies to the original
version of PuTTY, as distributed by its development team. We cannot
make any promises about the behaviour of modified versions distributed
by other people.
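Review bot: the claim in `\H{privacy-local}` that `\c{-cleanup}` lets you "delete all of this data" reads too strongly given what the same section goes on to list: session log files are written to a path the user chose in the logging configuration, and `-cleanup` (which removes saved sessions, the host key cache and the random seed file) does not track or delete them, so a reader following that sentence could be left with exactly the most sensitive artefact still on disk. Suggest qualifying it, e.g. "you can use the \c{-cleanup} command-line option to remove saved sessions, host keys and the random seed file, as described in \k{using-cleanup}; any log files you have enabled must be deleted by hand". Minor style point in the same hunk: `\H{privacy-local}Information that PuTTY stores locally` is missing the space after the closing brace that every other `\H{...}` heading in the file has.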