|
Title: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 04:38:13 PM Guys,i need hash confirmation of latest Electrum release:-
electrum-3.3.2-portable.exe Hashes i have are:- SHA256 22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be SHA1 312afce51cbd22e8e6a93cc5611e03c14995172f MD5 5e9bf05766292e74ebfb08baf15888a2 Please confirm,if i have the correct file and hashes. :) Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 06:33:32 PM would be great, if somebody answers. i need to do some high value tranx. Thanks. :)
Title: Re: Electrum Hashes Post by: TryNinja on December 27, 2018, 06:48:43 PM It's probably better if you verify the PGP Signatures with ThomasV's pubkey.
1. Import ThomasV's pubkey: Code: gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6 2. Verify if it's imported: Code: gpg --fingerprint 0x2BD5824B7F9470E6 3. Download the signature file on the website (https://electrum.org/#download). 4. Verify with: Code: gpg --verify signatureFile.asc electrum-3.3.2-portable.exe Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 06:53:35 PM Hey TryNinja, thanks for the reply.
i use a windows system & cant do these commands. also- i dont want to install additional softwares like gpg4win etc. what i can do is, use the inbuilt certUtil in Windows cmd to do sha256, sha1, md5 hashes. it would be truly great, if you please do a quick hash of the file and post below. thanks. :) Title: Re: Electrum Hashes Post by: TryNinja on December 27, 2018, 07:00:52 PM Hey TryNinja, thanks for the reply. Well, you shouldn't completely trust me, but I did get the hash of my electrum-3.3.2-portable.exe file downloaded from Electrum.org;i use a windows system & cant do these commands. also- i dont want to install additional softwares like gpg4win etc. what i can do is, use the inbuilt certUtil in Windows cmd to do sha256, sha1, md5 hashes. it would be truly great, if you please do a quick hash of the file and post below. thanks. :) SHA256 Code: 22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be SHA1 Code: 312afce51cbd22e8e6a93cc5611e03c14995172f MD5 Code: 5e9bf05766292e74ebfb08baf15888a2 TLDR: They match. Title: Re: Electrum Hashes Post by: grtthegreat on December 27, 2018, 07:01:06 PM I too used the inbuilt certUtil command and it returns the following hashes which match with your hashes.
Filename: electrum-3.3.2-portable.exe MD5: Code: 5e9bf05766292e74ebfb08baf15888a2 SHA1: Code: 312afce51cbd22e8e6a93cc5611e03c14995172f SHA256: Code: 22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be SHA384: Code: 9fa3af5e26d8dd9d0311bfacd73c8b075bec199fc7cf8785f927603cf6828dac9982584a1e11c1327470f40f7908a147 SHA512: Code: ed972ab31f54092a4e31536d174dd2db7183d3e0a15fdad8ff85e2f9d4cb27da00075dc4a443f4a508f3fa450c43683c0b8b0f69bd23f787a337ef486890e7c8 MD2: Code: 91999e519d48200f4e66b3c8444aee42 MD4: Code: 04c1107f659a6dbfeb713a98015a7410 Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:02:32 PM Cool! So these matches mine hashes. Thanks.
I dont know why, but a hash search on virus total is showing up scary results (trojans, malware!!) here is the link:- https://www.virustotal.com/#/file/22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be/detection Title: Re: Electrum Hashes Post by: TryNinja on December 27, 2018, 07:06:51 PM I dont know why, but a hash search on virus total is showing up scary results (trojans, malware!!) It's just a false positive. here is the link:- https://www.virustotal.com/#/file/22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be/detection The file is even signed by Electrum Technologies GmbH. Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:10:32 PM my thoughts as well. which server is the official server to connect to?
Title: Re: Electrum Hashes Post by: grtthegreat on December 27, 2018, 07:20:40 PM my thoughts as well. which server is the official server to connect to? Just read through this GitHub issue page (https://github.com/spesmilo/electrum/issues/4968). You will find some valuable information. Also, as a rule of thumb, do not click on the popup, in case one appears. The latest version is Electrum 3.3.2, stick to it whatsoever for now. Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:21:43 PM thanks guys. love you all.
Title: Re: Electrum Hashes Post by: HCP on December 27, 2018, 07:25:52 PM my thoughts as well. which server is the official server to connect to? There is no "official" server... there are just "public" servers available, that anyone is free to setup and run... If you are attempting to avoid the Electrum "fake error message" attack, it doesn't matter which server you connect to, they can't hack your wallet unless you download the fake version of Electrum.According to the above posts, your version of Electrum is legit, so just connect to any Electrum server and try to send your transaction. If you get the fake error message: https://ip.bitcointalk.org/?u=https%3A%2F%2Fi.imgur.com%2FBs9j4Iv.png&t=596&c=aG4NACDGWsKWbw IGNORE IT... DO NOT CLICK ON THE LINK! Then go and change the server to something else and try again. Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:28:32 PM how do i know, i am not connected to an attackers server? i have selected Auto connect.
Title: Re: Electrum Hashes Post by: TryNinja on December 27, 2018, 07:38:54 PM how do i know, i am not connected to an attackers server? i have selected Auto connect. From the main issue, those are the malicious servers (there could be others):Code: Attacker servers: [ You can see in which server you are by going to Tools -> Network. Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:40:23 PM so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!!
i thought electrum would be easy. guess i was wrong. Title: Re: Electrum Hashes Post by: TryNinja on December 27, 2018, 07:42:35 PM so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!! You could just select a trusted server instead of using Auto connect.i thought electrum would be easy. guess i was wrong. AFAIK all the server could do is block you from sending transactions (by giving it the error) and show that fake message. Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 07:45:10 PM what if they are brewing an advanced attack!
is there a list of honest servers i can manually connect to? Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 08:08:50 PM how is it not already sorted? i guess, electrum is the one of the oldest wallet out there.
this is scary. does anybody know how to find honest servers? Title: Re: Electrum Hashes Post by: HCP on December 27, 2018, 08:17:25 PM how is it not already sorted? i guess, electrum is the one of the oldest wallet out there. Fixing things "properly" takes time... the worst thing the devs could do is rush a "fix" that hasn't been properly tested that then turns out to make things worse!Quote this is scary. does anybody know how to find honest servers? There is no danger if you do not download and run the malicious software.If you connect to a server and it comes up with the error... connect to a different server. At worst all they can do is log your IP and addresses... but ANY Electrum server can already do this. They can't steal your BTC just by connecting to a "bad" server. electrum.hsmiths.com is one of the "oldest" Electrum servers that I know of... whether or not it is any more trustworthy than any other Electrum server, I have no way of knowing/confirming. Just pick one from the server list that IS NOT in the list posted above... Title: Re: Electrum Hashes Post by: gizmobuddy on December 27, 2018, 08:18:46 PM got it. thanks.
any other server guys? Title: Re: Electrum Hashes Post by: grtthegreat on December 28, 2018, 06:17:46 AM got it. thanks. any other server guys? I believe I've seen these servers for long: Code: VPS.hsmiths.com Title: Re: Electrum Hashes Post by: pooya87 on December 28, 2018, 06:20:57 AM what if they are brewing an advanced attack! is there a list of honest servers i can manually connect to? just FYI, there is no risk in connecting to any of those servers with your "real" Electrum wallet. they are in fact Electrum servers and they can't do anything to harm you. the only thing they do is that when you send a transaction they ask you to "click a link" and "download their malicious software". so don't click that link! other than that, as long as you know this, you don't have to worry about what server you connect to. but if you are so worried about it, you can not blacklist a server but you can force Electrum to always connect to one server. go to your network window and switch to network tab, deselect automatic connection and choose a server to connect to manually. Title: Re: Electrum Hashes Post by: rabbitfairferry on December 28, 2018, 09:00:19 AM what if they are brewing an advanced attack! is there a list of honest servers i can manually connect to? Yes interested in this as well. Title: Re: Electrum Hashes Post by: gizmobuddy on December 28, 2018, 10:28:58 AM what if they are brewing an advanced attack! is there a list of honest servers i can manually connect to? Yes interested in this as well. Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well? Title: Re: Electrum Hashes Post by: grtthegreat on December 28, 2018, 11:12:39 AM what if they are brewing an advanced attack! is there a list of honest servers i can manually connect to? Yes interested in this as well. Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well? Former -> You should be fine by connecting to any of those listed above. Latter -> No, there's nothing as an Official electrum server. Title: Re: Electrum Hashes Post by: gizmobuddy on December 28, 2018, 11:21:27 AM Request for future- Electrum Technologies GmbH and devs
PLEASE do something about this issue & at the very least run a "Official Electrum Server". The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys. Thanks. Title: Re: Electrum Hashes Post by: HCP on December 29, 2018, 12:47:58 AM PLEASE do something about this issue & at the very least run a "Official Electrum Server". I don't see any point in that... you're still having to trust a third party... if you REALLY want to trust the Electrum server you connect to, you should set up your own full node and run your own Electrum server.Quote The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys. Personally, I think the issue is being blown out of proportion a little bit...Electrum is still secure... this was really just social engineering by abusing a feature within Electrum. It still required that the user download, install and run malware. It's not really that different to buying Google advertising and setting up a fake Electrum website and tricking users into downloading your fake Electrum. I only ever download Electrum by going to electrum.org, downloading the executable... and then checking the file signatures are legit. That is probably the most crucial step! Title: Re: Electrum Hashes Post by: adaseb on December 31, 2018, 07:10:42 AM I am actually surprised that the developer doesn't post the hashes for the executables on his website or in the Electrum section of Bitcointalk.
Because I've had issues learning how to verify his signature within Windows. The linux method was easy because you just copy and paste a few commands but getting that windows PGP to verify the signature took a few hours to do correctly. I guess one reason why could be that with every new updates he would need to update the hashes each and every time, but doing it the PubKey PGP method as he does now, he doesn't need to. Title: Re: Electrum Hashes Post by: gizmobuddy on December 31, 2018, 07:50:11 AM ^ This. Exactly.
At the very least, hashes should be posted on the website or the release.txt How hard is it? I dont think it will take more then 5 minutes. Title: Re: Electrum Hashes Post by: Abdussamad on December 31, 2018, 09:40:21 AM Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.
Title: Re: Electrum Hashes Post by: pooya87 on January 01, 2019, 04:22:16 AM Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided. i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify. i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key. Title: Re: Electrum Hashes Post by: gizmobuddy on January 01, 2019, 06:09:56 PM Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided. i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify. i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key. can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes. Title: Re: Electrum Hashes Post by: pooya87 on January 02, 2019, 05:14:59 AM Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided. i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify. i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key. can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes. there is no point in doing that because if you want to be safe you still have to verify the PGP signature of the "hash file" so you still have to have the PGP public key of the developer, know how to verify signatures and have the application for doing that installed. so why bother with hashes in first place? not to mention that this model may lead to some lazy people skip the PGP signature verification step and stick to hash verification which is NOT enough for verifying authenticity of a downloaded file. hashes are only used for verifying "integrity" of a downloaded file and there is a big difference between the two concepts. Title: Re: Electrum Hashes Post by: bob123 on January 02, 2019, 09:01:19 AM this is scary. does anybody know how to find honest servers? If you want a server you can completely trust.. set up an own server. If you don't want to do this, you'll have to trust a server which is controlled by someone you don't know. Generally this isn't a problem since the server is only used to send transactions and to receive the current balance of your wallet. If you never click on any links and never download any software, you are fine. |
