putty/doc/privacy.but

\A{privacy} PuTTY privacy considerations

This appendix lists the implications of using PuTTY for your privacy
and personal data.

The short summary: PuTTY never \q{phones home} to us, the developers.
It does store data on your own computer, and it does transmit data
over the network, but in both cases, only as necessary to do its job.
In particular, data is only transmitted over the network to the server
you told PuTTY to connect to.

But if you're concerned about exactly \e{what} information is stored
or transmitted, then here's a more detailed description.

\H{privacy-local}Information that PuTTY stores locally

When you use PuTTY, it stores a small amount of information on your
computer, necessary for doing its own job. This information is stored
in the user account of the user who runs PuTTY, so it is under your
control: you can view it, change it, or delete it.

If you need to delete all of this data, you can use the \c{-cleanup}
command-line option, as described in \k{using-cleanup}.

PuTTY does not transmit your saved session data to any other site.
However, you may need to be aware of the fact that it is stored on
\e{your} computer. (For example, somebody else accessing your computer
might be able to find a list of sites you have connected to, if you
have saved details of them.)

\S{privacy-hostkeys} Host key cache

If you use the SSH protocol, then PuTTY stores a list of the SSH
servers you have connected to, together with their host keys.

This is known as the \q{host key cache}. It is used to detect network
attacks, by notifying you if a server you've connected to before
doesn't look like the same one you thought it was. (See \k{gs-hostkey}
for a basic introduction to host keys.)

The host key cache is optional. An entry is only saved in the host key
cache if you select the \q{Accept} action at one of the PuTTY suite's
host key verification prompts. So if you want to make an SSH
connection without PuTTY saving any trace of where you connected to,
you can press \q{Connect Once} instead of \q{Accept}, which does not
store the host key in the cache.

However, if you do this, PuTTY can't automatically detect the host key
changing in the future, so you should check the key fingerprint
yourself every time you connect. \s{This is vitally important.} If you
don't let PuTTY cache host keys \e{and} don't check them yourself,
then it becomes easy for an attacker to interpose a listener between
you and the server you're connecting to. The entire cryptographic
system of SSH depends on making sure the host key is right.

The host key cache is only used by SSH. No other protocol supported
by PuTTY has any analogue of it.

\S{privacy-savedsessions} Saved sessions

After you set up PuTTY's configuration for a particular network
connection, you can choose to save it as a \q{saved session}, so that
you can make the same connection again later without having to
re-enter all the details.

PuTTY will not do this unless you use the \q{Save} button in its
configuration box. It never saves session configuration automatically.

So if you want to make an SSH connection without leaving any trace of
where you connected to, you should not make a saved session for that
connection. Instead, re-enter the details by hand every time you do
it.

\S{privacy-jumplist} Jump list

On Windows, the operating system provides a feature called a \q{jump
list}. This is a menu that pops up from an application's icon in the
Windows taskbar, and the application can configure entries that appear
in it. Applications typically include menu items to re-launch recently
used documents or configurations.

PuTTY updates its jump list whenever a saved session is loaded, either
to launch it immediately or to load it within the configuration dialog
box. So if you have a collection of saved sessions, the jump list will
contain a record of which ones you have recently used.

An exception is that saved sessions are not included in the jump list
if they are not \q{launchable}, meaning that they actually specify a
host name or serial port to connect to. A non-launchable session can
specify all the other configuration details (such as fonts, window
size, keyboard setup, SSH features, etc), but leave out the hostname.

If you want to avoid leaving any evidence of having made a particular
connection, then make the connection without creating a launchable
saved session for it: either make no saved session at all, or create a
non-launchable one which sets up every detail \e{except} the
destination host name. Then it won't appear in the jump list.

(The saved session itself would also be evidence, of course, as
discussed in the previous section.)

\S{privacy-logfiles} Log files

PuTTY can be configured to save a log file of your entire session to
the computer you run it on. By default it does not do so: the content
of your session is not saved.

See \k{config-logging} for details of the logging features. Some
logging modes store only output sent by the server and printed in
PuTTY's terminal window. Other more thorough modes also store your
input that PuTTY sends \e{to} the server.

If the logging feature is enabled, then by default, PuTTY will avoid
saving data in the log file that it knows to be sensitive, such as
passwords. However, it cannot reliably identify \e{all} passwords. If
you use a password for your initial login to an SSH server, PuTTY
knows that is a password, and will omit it from the log file. But if
after login you type a password into an application on the server,
then PuTTY will not know that \e{that} is a password, so it will
appear in the log file, if PuTTY is writing a type that includes
keyboard input.

PuTTY can also be configured to include all passwords in its log
files, even the ones it would normally leave out. This is intended for
debugging purposes, for example if a server is refusing your password
and you need to check whether the password is being sent correctly. We
do not recommend enabling this option routinely.

\S{privacy-randomseed} Random seed file

PuTTY stores a small file of random bytes under the name
\cq{putty.rnd}, which is reloaded the next time it is run and used to
seed its random number generator. These bytes are meaningless and
random, and do not contain an encrypted version of anything.

\H{privacy-network} Sending information over the network

PuTTY is a communications tool. Its \e{purpose} is to connect to
another computer, over a network or a serial port, and send
information. However it only makes the network connections that its
configuration instructs it to.

\S{privacy-nophonehome} PuTTY only connects to the specified destination host

No PuTTY tool will \q{phone home} to any site under the control of us
(the development team), or to any other site apart from the
destination host or proxy host in its configuration, and any DNS
server that is needed to look up the IP addresses corresponding to
those host names.

No information about your network sessions, and no information from
the computer you run PuTTY on, is collected or recorded by the PuTTY
developers.

Information you provide to PuTTY (via keyboard input, the command
line, or files loaded by the file transfer tools) is sent to the
server that PuTTY's configuration tells it to connect to. It is not
sent anywhere else.

\S{privacy-whatdata} What data is sent to the destination host

When you log in to a server, PuTTY will send your username. If you use
a password to authenticate to the server, PuTTY will send it that
password as well.

(Therefore, the server is told what your password is during login.
This means that if you use the same password on two servers, the
administrator of one could find out your password and log in to your
account on the other.)

If you use an SSH private key to authenticate, PuTTY will send the
\e{public} key, but not the private key. If you typed a passphrase to
decrypt the private key, PuTTY will not send the passphrase either.

(Therefore, it is safer to use the same \e{public key} to authenticate
to two SSH servers. Neither server gains the ability to impersonate
you to the other server. However, if the server maintainers talked to
each other, they would at least be able to find out that your accounts
on the two machines were owned by the same person, if they didn't
already know.)

When PuTTY prompts for a private key passphrase, a small copy of the
PuTTY icon appears to the left of the prompt, to indicate that the
prompt was genuinely from PuTTY. (We call this a \q{trust sigil}.)
That icon never appears next to text sent from the server. So if a
server tries to mimic that prompt to trick you into telling it your
private key passphrase, it won't be able to fake that trust sigil, and
you can tell the difference.

If you're running Pageant, and you haven't configured a specific
public key to authenticate to this server, then PuTTY will try all the
keys in Pageant one after the other, sending each public key to the
server to see if it's acceptable. This can lead to the server finding
out about other public keys you own. However, if you configure PuTTY
to use a specific public key, then it will ignore all the other keys
in Pageant.

Once you have logged in, keystrokes you type in the PuTTY terminal
window, and data you paste in with the mouse, are sent to the
destination host. That is PuTTY's primary job.

The server can request PuTTY to send details of mouse movements in the
terminal window, in order to implement mouse-controlled user
interfaces on the server. If you consider this to be a privacy
intrusion, you can turn off that terminal feature in the Features
configuration panel (\q{Disable xterm-style mouse reporting}, as
described in \k{config-features-mouse}).

\H{privacy-config} Configuration

The operation of a PuTTY network tool is controlled by its
configuration. This configuration is obtained from:

\b the command line used to run the tool

\b settings configured in the GUI before opening a network session

\b optionally, the contents of a saved session, if the command line
or a GUI action instructed PuTTY to load one

\b the special saved session called \q{Default Settings}, which
applies if no other saved session is loaded

\b defaults built in to PuTTY itself.

The defaults built in to PuTTY do not tell it to save log files, or
specify the name of any network site to connect to.

However, if PuTTY has been installed for you by somebody else, such as
an organisation, then that organisation may have provided their own
default configuration. In that situation you may wish to check that
the defaults they have set are compatible with your privacy needs. For
example, an organisation providing your PuTTY configuration might
configure PuTTY to save log files of your sessions, even though
PuTTY's own default is not to do so.

\H{privacy-modified} Modified versions of PuTTY

PuTTY is free software. Its source code is available, so anyone can
make a modified version of it. The modified version can behave
differently from the original in any way it likes.

This list of privacy considerations only applies to the original
version of PuTTY, as distributed by its development team. We cannot
make any promises about the behaviour of modified versions distributed
by other people.