Skip to content(if available)orjump to list(if available)

Hijacking Trust? Bitvise Under Fire for Controlling Domain of FOSS Project PuTTY

Hijacking Trust? Bitvise Under Fire for Controlling Domain of FOSS Project PuTTY

53 comments

·July 16, 2025
Visit

asimops

I don't get it. The putty website has always been https://www.chiark.greenend.org.uk/~sgtatham/putty/

This has never changed.

Just because someone likes to use short circuit routing in their head doesn't make putty.org the official site for putty.

That is the same attitude as telling the Keepass folks that https://keepass.info/ is wrong...

edit:

Maybe also have a look at the putty FAQ, especially 9.3

https://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#...

ColinWright

Point of information.

From that doc:

A.9.3 Would you like me to register you a nicer domain name?

No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned) ...

Searching for "putty ssh" on both DDG and Google now return putty.org as their top result.

whywhywhywhy

It's not even on the screen for me when searching "putty"

1: putty.org

2: "People also ask, What is putty and why is it used?" then 4 other questions about the material putty taking up most of the page

3: Videos "How to use Putty to SSH on Windows"

----- Fold -----

4. Video "How to Use Putty?"

5: Video "How to SSH Without a Password with Putty"

6: https://www.chiark.greenend.org.uk/~sgtatham/putty/ the actual site

asimops

This is definitely something that should be raised to the putty team. But with how the rest of the text is worded, I doubt that will change their mind.

peanut-walrus

Huh weird, usually top 3 results are "sponsored" links serving malware.

asimops

Might be one of those weirdos using an ad blocker ;)

ColinWright

Here's a framing of the problem.

There's software called PuTTY, and non-technical or less technical people, or even technical people who are running on autopilot, might reasonably expect that it's hosted on putty.org.

They just need to be more careful.

Here's an analogy.

Even capable programmers keep screwing up when using C and end up with memory leaks and security vulnerabilities. But that's no reason to stop using it ... people should just be more careful.

No analogy is perfect, every example has problems and loopholes, but this seems a reasonable one. Just as people should use programming languages that make it harder to make mistakes, so companies should not behave in deceptive manners, and when they do, they should be called out on it.

112233

It is good analogy.

Similarly, telcos keep accepting and showing any cooked up caller ID over their SS7, and when someone gets scammed because they trusted the caller ID, the messaging I hear always actually is "people should just be more careful."

Same as banks requiring only card number to give someone money from the account. "you shoul be more careful with your card number."

It is sad to hear the level of victim blaming from the big industry.

asimops

I don't think the issue really stems from putty.org being there. It stems from a "trusted" third-party, the search engine, suggesting you the wrong place.

Therefore I think you are missing the point with your analogy.

richrichardsson

Except Google, DuckDuckGo, Bing all return putty.org as the top result. The "official" PuTTY website appears as either the 2nd or 3rd result.

putty.org has this on their page:

> On July 13, 2025, Bitvise was contacted by a political interrogator posing as a journalist.

They are doing a great job of making themselves look like assholes.

asimops

IMHO neither of the two showed exactly nice behavior. But I don't think that this is particularly relevant.

sdflhasjd

Google (not saying it's a good search engine, but people use it) puts putty.org at the top of search results.

The results shows as:

  Download PuTTY - a free SSH and telnet client for Windows.
  PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source...

TonyTrapp

How does your example relate? keepass.info is the official Keepass website, owned by the Keepass developer.

asimops

As is https://www.chiark.greenend.org.uk/~sgtatham/putty/ to Putty.

Still there were multiple requests to the Keepass project to change that domain to "a proper" domain like keepass.com

stavros

I, too, took your comment to mean that keepass.info is to KeePass as putty.org is to PuTTY.

mnaimd

> “The difference is not one of profit, it is one of philosophy. You believe software can be managed by a committee. I believe software requires an owner, otherwise it is dead.”

This justification is even worse than the domain squatting itself.

Some of the most influential software in history (Linux, Git, GCC, and yes, PuTTY) thrived under community-driven development. The idea that software "dies" without a single corporate owner is not just false, it’s insulting to the open-source ecosystem.

If Bitvise truly believes in their philosophy, they wouldn’t need to borrow PuTTY’s reputation by holding putty.org. Maybe they should spend less time on branding and more time studying how successful open-source projects actually work.

TrevorStepnikkk

I see where you're coming from, but I think your examples actually prove the opposite point.

I've always seen Linux and Git not as projects run by a committee, but as projects guided by a single, trusted leader. Linus Torvalds is the owner of the kernel's vision. He has the final say. That isn't community consensus; it's benevolent dictatorship.

So while the putty.org situation is shady, I believe the core idea is right: great software needs a final arbiter with a clear vision, not just a crowd.

goku12

I seriously doubt that they're talking about leadership when they say ownership. Otherwise it would make little sense because few foss projects are democracies anyway.

bstsb

both sides are at fault here (the "journalist" and Bitvise - the PuTTY maintainers have nothing to do with this).

the Bitvise owner shouldn't have responded so unprofessionally, and their views on open source software are strange - but they're correct that the domain was never "historically associated with PuTTY", it just uses its name.

additionally, the usage of unformatted markdown in each "journalist" email makes me think this story was at least partially assisted by an LLM (https://putty.org/20250713-MiraiF-Emails.txt)

in short this is a nothing story

tojumpship

LLM written, spurring up controversy, holding a private company accountable like they are the government. If they - PuTTY - is bothered enough, they are allowed to sue or request a takedown, and if legal grounds are not viable I don't think Google would mind ranking the correct website up after request. This "issue" has been present for years and this journalist picks up on it, presses on the guy as if he was in the Panama Papers or something and writes the article with newgen LLM no less. Disgraceful.

ptx

> The domain, long associated by users with PuTTY [...] a domain name that clearly and historically signals the PuTTY project

This seems a bit misleading. The domain has never, as far as I know, belonged to the project, so it can only have been "long associated" in the minds of users mistakenly trying to guess the URL and "historically" navigating to the wrong website.

> “The PuTTY project never had this domain”

Right.

> Search engines treat domain names like putty.org as authoritative.

Do they? Domain names "like" putty.org in what sense? Which search engines, by what mechanism?

greatgib

Here they think that what is doing Bitvise is legal but I think that it might not be the case in the law of a number of countries and even possibly in domain names "regulation"?

This is parasitism, or deceptive practice to hold the domain name of a competitor claiming your are to be associated with the other project.

fanf2

[delayed]

lmz

Certainly it's one basis for dispute (but only if it is trademarked): https://www.wipo.int/amc/en/domains/

mieses

extremely subjective. the damage of allowing schoolmarm types to determine laws based on what they think is parasitic or deceptive is more dangerous than the unambiguous and coherent concept of property. PuTTY owns https://www.chiark.greenend.org.uk/~sgtatham/putty/ There are a number of strings in this domain that cause me great distress. Should I be allowed to seize their property?

brabel

What a ridiculous argument. Every project and company that has a trademark should be allowed to protect that, including by claiming domains clearly intended to appear associated with their trademark. Being offended by strings has nothing to do with that and it’s childish to try to derail the conversation like that.

andreareina

Related: https://news.ycombinator.com/item?id=44558328 "putty.org is not run by PuTTY developers"

charcircuit

Under fire from who? That "journalist"?

It's best to just ignore them instead of trying to play their games.

fifteen1506

Look, I understand. Excess of information leads people to start skimming all text. But look:

"Below suggestions are independent of PuTTY. They are not endorsements by the PuTTY project."

Above of this is a direct link to PuTTY's website.

I'm afraid this is a non-issue. Sure, you are free to rant, and I appreciate the good intentions behind it, but count me out on raging.

www.putty.org SHOULD be the correct address. Failing that, LINKING to the correct website is an acceptable measure, specially when such linking is on top.

Want to blame someone? Blame SEO, where a decent 2000 website with no issues whatsoever is pushed down the results.

HourOrTwo

[dead]

msgodel

I don't think Bitvise is even doing anything wrong here? There's nothing wrong with running what is essentially a fan site and promoting your own things on it.

SpaceNugget

It's a company who bought the domain of the exact name of the largest open source project that they directly compete with and then advertise themselves on it? This is at the very least unethical. You can't just use a competitors exact name to run a website that tries to snipe users looking for your competitor and call it a "fan site".

The comments on this submission are pretty strange. What are the chances that a bunch of non-sockpuppet HN type of people are in support of this kind of garbage? Generally with sort of abysmal behaviour like the email communication in the article, there's people going to bat against actually defensible actions purely in the name of civility on HN. These bitvise people seem bad from both angles and yet the of early comments are either ignoring the issue and redirecting (e.g. "who even uses putty") or outright defending their shitty behaviour?

whywhywhywhy

It's definitely unethical but the creator of Putty keeps insisting and repeating that the Putty website is the long old homepage style URL and "always has been" and "if people search they can find it".

I think if they actually have a problem with it and are not just repeating that to cope they need to start acting like they have a problem with it. Trademarks need defending and you come out the door with the mental model that it's yours, you own it, the other group are in the wrong. If you opened your trademark dispute with "Well our trademark has always been X and people know to find us at X" you're gonna lose your dispute.

It's just hard to argue it's actually a real problem if the individual it's affecting keeps sort of pretending and saying that it's not even if deep down it is.

msgodel

You can buy domain names with competitors names in them. People do this all the time. If you don't want people doing that you need to register the names yourself.

ColinWright

So someone who has written something and made it available for the common good, and makes no money from it, should now go and buy every possible domain that people might use in a deceptive manner.

This is a great example of what drives people away from providing anything for free.

Eldt

That's a good way to lose your domain name

fifteen1506

It's a free ad!

udev4096

Who uses putty anyway? Doesn't winblows have a native ssh client?

thyristan

Yes, but an outdated and broken version usually. You'd have to install mingw or cygwin for a proper one, or use a Linux VM like w4lv2.

112233

I use putty on linux. now what?

mrweasel

I hope you do, that would be pretty funny. Like using PowerShell as your shell on Linux.

112233

I'll bite. What is your preferred way to use serial port console on linux? Kermit? I am really no fan of minicom...

Also, I'd take pterm over modern gpu electron nodejs turtle tower terminals. It has sane requirements and perfomance, behaves in a consistent, predictable manner and handles large scrollback very well.

Why bad?

udev4096

No one in their right mind would use powershell core. zsh, fish and plenty of other shells are way mature and doesn't have Microshit behind it

udev4096

Then you shouldn't use linux. Go back to winblows

msgodel

Putty isn't just ssh, it's also the VTE and serial terminal. Also it has its own keys/configs/shortcuts people are almost certainly used to. I don't think there's even an easy way to migrate putty shortcuts (I can't remember what they're called) to OpenSSH.

udev4096

I forgot. Windows users are so inefficient that they require a GUI for doing just about anything. Have fun being inefficient!

msgodel

It's a different paradigm. I think just like they do sometimes we get lost in our own world. They had CUA and portable apps before malware became a big deal and got really used to that.

I think people should respect that try harder to meet users where they are.