mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
28a5d72a18
Literally speaking, it's not true that PuTTY only connects to the server you told it to. It typically has to connect to a DNS server first to find out where that server _is_. (If you've provided a hostname, and if that hostname isn't in /etc/hosts or equivalent.) Of course, if you're concerned about people _in your organisation's network_ finding out where you've been connecting to, you have bigger problems, because whether you did a DNS lookup or not they can certainly see your IP-layer headers. But that really is outside the scope of this document. I only mention DNS out of pedantry, because not doing so made "does not connect to any other site" technically inaccurate. (Perhaps even: only inaccurate if the DNS lookup happens over TCP :-)
247 lines
11 KiB
Plaintext
247 lines
11 KiB
Plaintext
\A{privacy} PuTTY privacy considerations
|
|
|
|
This appendix lists the implications of using PuTTY for your privacy
|
|
and personal data.
|
|
|
|
The short summary: PuTTY never \q{phones home} to us, the developers.
|
|
It does store data on your own computer, and it does transmit data
|
|
over the network, but in both cases, only as necessary to do its job.
|
|
In particular, data is only transmitted over the network to the server
|
|
you told PuTTY to connect to.
|
|
|
|
But if you're concerned about exactly \e{what} information is stored
|
|
or transmitted, then here's a more detailed description.
|
|
|
|
\H{privacy-local}Information that PuTTY stores locally
|
|
|
|
When you use PuTTY, it stores a small amount of information on your
|
|
computer, necessary for doing its own job. This information is stored
|
|
in the user account of the user who runs PuTTY, so it is under your
|
|
control: you can view it, change it, or delete it.
|
|
|
|
If you need to delete all of this data, you can use the \c{-cleanup}
|
|
command-line option, as described in \k{using-cleanup}.
|
|
|
|
PuTTY does not transmit your saved session data to any other site.
|
|
However, you may need to be aware of the fact that it is stored on
|
|
\e{your} computer. (For example, somebody else accessing your computer
|
|
might be able to find a list of sites you have connected to, if you
|
|
have saved details of them.)
|
|
|
|
\S{privacy-hostkeys} Host key cache
|
|
|
|
If you use the SSH protocol, then PuTTY stores a list of the SSH
|
|
servers you have connected to, together with their host keys.
|
|
|
|
This is known as the \q{host key cache}. It is used to detect network
|
|
attacks, by notifying you if a server you've connected to before
|
|
doesn't look like the same one you thought it was. (See \k{gs-hostkey}
|
|
for a basic introduction to host keys.)
|
|
|
|
The host key cache is optional. An entry is only saved in the host key
|
|
cache if you select the \q{Accept} action at one of the PuTTY suite's
|
|
host key verification prompts. So if you want to make an SSH
|
|
connection without PuTTY saving any trace of where you connected to,
|
|
you can press \q{Connect Once} instead of \q{Accept}, which does not
|
|
store the host key in the cache.
|
|
|
|
However, if you do this, PuTTY can't automatically detect the host key
|
|
changing in the future, so you should check the key fingerprint
|
|
yourself every time you connect. \s{This is vitally important.} If you
|
|
don't let PuTTY cache host keys \e{and} don't check them yourself,
|
|
then it becomes easy for an attacker to interpose a listener between
|
|
you and the server you're connecting to. The entire cryptographic
|
|
system of SSH depends on making sure the host key is right.
|
|
|
|
The host key cache is only used by SSH. No other protocol supported
|
|
by PuTTY has any analogue of it.
|
|
|
|
\S{privacy-savedsessions} Saved sessions
|
|
|
|
After you set up PuTTY's configuration for a particular network
|
|
connection, you can choose to save it as a \q{saved session}, so that
|
|
you can make the same connection again later without having to
|
|
re-enter all the details.
|
|
|
|
PuTTY will not do this unless you use the \q{Save} button in its
|
|
configuration box. It never saves session configuration automatically.
|
|
|
|
So if you want to make an SSH connection without leaving any trace of
|
|
where you connected to, you should not make a saved session for that
|
|
connection. Instead, re-enter the details by hand every time you do
|
|
it.
|
|
|
|
\S{privacy-jumplist} Jump list
|
|
|
|
On Windows, the operating system provides a feature called a \q{jump
|
|
list}. This is a menu that pops up from an application's icon in the
|
|
Windows taskbar, and the application can configure entries that appear
|
|
in it. Applications typically include menu items to re-launch recently
|
|
used documents or configurations.
|
|
|
|
PuTTY updates its jump list whenever a saved session is loaded, either
|
|
to launch it immediately or to load it within the configuration dialog
|
|
box. So if you have a collection of saved sessions, the jump list will
|
|
contain a record of which ones you have recently used.
|
|
|
|
An exception is that saved sessions are not included in the jump list
|
|
if they are not \q{launchable}, meaning that they actually specify a
|
|
host name or serial port to connect to. A non-launchable session can
|
|
specify all the other configuration details (such as fonts, window
|
|
size, keyboard setup, SSH features, etc), but leave out the hostname.
|
|
|
|
If you want to avoid leaving any evidence of having made a particular
|
|
connection, then make the connection without creating a launchable
|
|
saved session for it: either make no saved session at all, or create a
|
|
non-launchable one which sets up every detail \e{except} the
|
|
destination host name. Then it won't appear in the jump list.
|
|
|
|
(The saved session itself would also be evidence, of course, as
|
|
discussed in the previous section.)
|
|
|
|
\S{privacy-logfiles} Log files
|
|
|
|
PuTTY can be configured to save a log file of your entire session to
|
|
the computer you run it on. By default it does not do so: the content
|
|
of your session is not saved.
|
|
|
|
See \k{config-logging} for details of the logging features. Some
|
|
logging modes store only output sent by the server and printed in
|
|
PuTTY's terminal window. Other more thorough modes also store your
|
|
input that PuTTY sends \e{to} the server.
|
|
|
|
If the logging feature is enabled, then by default, PuTTY will avoid
|
|
saving data in the log file that it knows to be sensitive, such as
|
|
passwords. However, it cannot reliably identify \e{all} passwords. If
|
|
you use a password for your initial login to an SSH server, PuTTY
|
|
knows that is a password, and will omit it from the log file. But if
|
|
after login you type a password into an application on the server,
|
|
then PuTTY will not know that \e{that} is a password, so it will
|
|
appear in the log file, if PuTTY is writing a type that includes
|
|
keyboard input.
|
|
|
|
PuTTY can also be configured to include all passwords in its log
|
|
files, even the ones it would normally leave out. This is intended for
|
|
debugging purposes, for example if a server is refusing your password
|
|
and you need to check whether the password is being sent correctly. We
|
|
do not recommend enabling this option routinely.
|
|
|
|
\S{privacy-randomseed} Random seed file
|
|
|
|
PuTTY stores a small file of random bytes under the name
|
|
\cq{putty.rnd}, which is reloaded the next time it is run and used to
|
|
seed its random number generator. These bytes are meaningless and
|
|
random, and do not contain an encrypted version of anything.
|
|
|
|
\H{privacy-network} Sending information over the network
|
|
|
|
PuTTY is a communications tool. Its \e{purpose} is to connect to
|
|
another computer, over a network or a serial port, and send
|
|
information. However it only makes the network connections that its
|
|
configuration instructs it to.
|
|
|
|
\S{privacy-nophonehome} PuTTY only connects to the specified destination host
|
|
|
|
No PuTTY tool will \q{phone home} to any site under the control of us
|
|
(the development team), or to any other site apart from the
|
|
destination host or proxy host in its configuration, and any DNS
|
|
server that is needed to look up the IP addresses corresponding to
|
|
those host names.
|
|
|
|
No information about your network sessions, and no information from
|
|
the computer you run PuTTY on, is collected or recorded by the PuTTY
|
|
developers.
|
|
|
|
Information you provide to PuTTY (via keyboard input, the command
|
|
line, or files loaded by the file transfer tools) is sent to the
|
|
server that PuTTY's configuration tells it to connect to. It is not
|
|
sent anywhere else.
|
|
|
|
\S{privacy-whatdata} What data is sent to the destination host
|
|
|
|
When you log in to a server, PuTTY will send your username. If you use
|
|
a password to authenticate to the server, PuTTY will send it that
|
|
password as well.
|
|
|
|
(Therefore, the server is told what your password is during login.
|
|
This means that if you use the same password on two servers, the
|
|
administrator of one could find out your password and log in to your
|
|
account on the other.)
|
|
|
|
If you use an SSH private key to authenticate, PuTTY will send the
|
|
\e{public} key, but not the private key. If you typed a passphrase to
|
|
decrypt the private key, PuTTY will not send the passphrase either.
|
|
|
|
(Therefore, it is safer to use the same \e{public key} to authenticate
|
|
to two SSH servers. Neither server gains the ability to impersonate
|
|
you to the other server. However, if the server maintainers talked to
|
|
each other, they would at least be able to find out that your accounts
|
|
on the two machines were owned by the same person, if they didn't
|
|
already know.)
|
|
|
|
When PuTTY prompts for a private key passphrase, a small copy of the
|
|
PuTTY icon appears to the left of the prompt, to indicate that the
|
|
prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.)
|
|
That icon never appears next to text sent from the server. So if a
|
|
server tries to mimic that prompt to trick you into telling it your
|
|
private key passphrase, it won't be able to fake that trust sigil, and
|
|
you can tell the difference.
|
|
|
|
If you're running Pageant, and you haven't configured a specific
|
|
public key to authenticate to this server, then PuTTY will try all the
|
|
keys in Pageant one after the other, sending each public key to the
|
|
server to see if it's acceptable. This can lead to the server finding
|
|
out about other public keys you own. However, if you configure PuTTY
|
|
to use a specific public key, then it will ignore all the other keys
|
|
in Pageant.
|
|
|
|
Once you have logged in, keystrokes you type in the PuTTY terminal
|
|
window, and data you paste in with the mouse, are sent to the
|
|
destination host. That is PuTTY's primary job.
|
|
|
|
The server can request PuTTY to send details of mouse movements in the
|
|
terminal window, in order to implement mouse-controlled user
|
|
interfaces on the server. If you consider this to be a privacy
|
|
intrusion, you can turn off that terminal feature in the Features
|
|
configuration panel (\q{Disable xterm-style mouse reporting}, as
|
|
described in \k{config-features-mouse}).
|
|
|
|
\H{privacy-config} Configuration
|
|
|
|
The operation of a PuTTY network tool is controlled by its
|
|
configuration. This configuration is obtained from:
|
|
|
|
\b the command line used to run the tool
|
|
|
|
\b settings configured in the GUI before opening a network session
|
|
|
|
\b optionally, the contents of a saved session, if the command line
|
|
or a GUI action instructed PuTTY to load one
|
|
|
|
\b the special saved session called \q{Default Settings}, which
|
|
applies if no other saved session is loaded
|
|
|
|
\b defaults built in to PuTTY itself.
|
|
|
|
The defaults built in to PuTTY do not tell it to save log files, or
|
|
specify the name of any network site to connect to.
|
|
|
|
However, if PuTTY has been installed for you by somebody else, such as
|
|
an organisation, then that organisation may have provided their own
|
|
default configuration. In that situation you may wish to check that
|
|
the defaults they have set are compatible with your privacy needs. For
|
|
example, an organisation providing your PuTTY configuration might
|
|
configure PuTTY to save log files of your sessions, even though
|
|
PuTTY's own default is not to do so.
|
|
|
|
\H{privacy-modified} Modified versions of PuTTY
|
|
|
|
PuTTY is free software. Its source code is available, so anyone can
|
|
make a modified version of it. The modified version can behave
|
|
differently from the original in any way it likes.
|
|
|
|
This list of privacy considerations only applies to the original
|
|
version of PuTTY, as distributed by its development team. We cannot
|
|
make any promises about the behaviour of modified versions distributed
|
|
by other people.
|