There was no vulnerability above a 3.0/10 based on CVSS.

All a malicious server could do, is to show you a message. That's all. No influence on confidentiality, integrity, availability.
The security is (and was) high. At least as good as a software wallet can be. No influence at all.




Electrum is not an online wallet. It is a software- (or desktop-) wallet.

---

Edit:
If you can't find a server which is not under DoS and not malicious, ask mocacinno to whitelist your IP for his server.
He is voluntarily hosting an electrum server for the bitcointalk.org community.

The 'electrum botnet' (what a stupid name chosen from you) doesn't infect anything with malware.

I might get a lot of hate for this statement, but..
People who can't use their common sense and simply just click on 'download' and 'install' just because there is a known name mentioned somewhere,
should stay far far away from crypto and should never store any sensitive (or for them valuable) information on an electronic device.

Not just that the phishing attempt is very low-skilled, currently there is just a DoS going on.. no infection, no malware, no stealing funds.
If you have your wallet updated to v3.3.3+ (which you should..), you won't even get the cheap phishing message.. just switch to a different server and everything is fine..

There is so much wrong information posted.. i don't even know where to start.. anyways..



No, i am talking about standard home router (which includes a modulator/demodulator; basically a standard device almost everyone has at home).

The password itself depends on how the vendor sets it. But most of them simply use the MAC, pass it into a function and get a 'random'-looking password.
But there are definitely some where the password is the same on all devices shipped.. but it doesn't matter anyway.




A port scan is not the same as an IP scan.

When scanning for open ports (TCP/UDP), a lot of packets on different ports are being sent to one host(IP).
Based on the answer you can determine whether the port is open/closed/filtered (for tcp; udp works slightly different).

Anti DoS is to protect you against a Denial of Service. An attacker, again, needs your IP before starting an DoS.

Both has nothing to do with 'that no one will find your IP".


By the way.. there are just about 4.000.000.000 IP's world wide.
This number is low enough to scan EVERY IP. And given the fact that you can reduce that number by focusing on a smaller geo location (than just the whole world), this just gets even easier..

Your IP is nothing private and does NOT have to stay private.




If they already can access it, they don't need SSH.




If they are logged in as root via SSH, they do no longer need to retrieve the password.
If they are logged in as unprivileged user, they can NOT retrieve the root password (given there are no privilege escalation vulnerabilities).




There is no admin password of the ISP. There is a local administrator. You don't need any passwort from the Internet service provider...




WiMAX is basically 4g. This has nothing to do with a home router.
Also, ISP's are not protected.. the devices itself are (or aren't).




As mentioned.. Anti DoS does NOT protect against access.. It protects against DoS..




No. That's not true.
Just because someone has access to one device inside of your local network, this does NOT mean that they have access to all devices.


Your post consisted of so much wrong information.
Please research everything before posting here and spreading misinformation.

All half-way new router have a 'random' (not really random, more like derived from the MAC address) password.

But this doesn't matter anyway because router are (or better: should, if not misconfigured) not accessible from the internet.

There was a vulnerability (i think about 1-2 years ago) where some router were accessible from the internet due to a bug in a support protocol which should have been only accessible from the ISP network. This made them accessible from the internet.


The weak password can only be abused when in the same (local) network.. By the way.. passwords can be changed..

A lot of people are sitting behind a NAT of their ISP.
Disclosing this ip doesn't harm you security-wise since it is not publicly routeable anyway.

Even if you have a routable IP, it is not that necessary to keep your IP private. Any website (including all advertisments, javascripts they are running, etc..) can access/see your IP.
It is necessary to communicate with you.

Any service / software / etc. which you access via the internet does see your IP address (skype, bitcointalk.org, blockchain.com, DNS-server, electrum server, ledger's server, a VPN service provider, etc.. ).

If you don't have any open ports, you don't need to worry much. Set up a firewall properly, and you are fine.

A technical system can't prevent ALL kind of human mistakes.




Yes.

But since BCHSV uses the same address format as BTC, such an address is valid on the BCHSV and BTC network (and on other shitty forks of BTC as well).

Until exchanges are able to read the mind of their customer, there is no way to determine where the customer wanted to send the coins to.
If you are clicking on withdraw BTC and enter a valid BTC address, the system assumes you want to transfer BTC.. Just because on the other side, a different client is waiting for a different transaction to the same address, nothing is wrong on the sender side.

Nothing.

It has to do with your setup / configuration.
Maybe some permissions aren't correct (see Abdussamad's post), maybe something broke the dependencies, etc...

Hard to tell without investing time and checking your system configuration. And especially not necessary since electrum is running fine on your computer.

Well, this fully depends on the exchange.

I, personally, would say yes. Enough to attempt a recovery.

But in the end, the exchange (and mostly their security policy) decides what is going to happen.
I guess if they wouldn't recover your coins, they probably would have told you this already.
IMO you should get your coins back (minus a fee for recovery).

What do you define as 'trustworthy' ?

Each operator of an electrum server can decide what he wants to do (in terms of logging, relaying tx's, blocking tx's, .. ).

No server can steal any sensitive information from you (private keys, etc.. ).


If your electrum version is 3.3.3+ (which it should be), you don't have to fear the cheap phishing attempt showing a message to download malware.
As long as your transactions 'are working', the server you are using is fine to use.

No.

The process to 'recover' your BTC is to import the BCHSV private key associated with the address into a BTC client.
That's all you need to do to access them again.

However, since you do not own the private key (poloniex does), they are the only one being able to recover them.
It is completely up to them if (and for what fee) they recover your coins.

Exchanges often help their customer if the amount is high enough.
But it also would be completely understandable if they refuse to recover them, since this includes quite some risk on their site combined with additional work.
It all depends on their security model. Only a few people there have access to the private keys. Messing around with the private keys because of people not being able to read / choose the correct address and ignoring all warnings might or might not comply with their policy.


But regarding to their answer, they are trying to help you.
Technically, it is definitely possible.



It is, but noone else except for poloniex can help you regarding this.
The transaction id wouldn't help anyone.

You get the same error installing electrum as when trying to run electrum ? 
Are you sure ?




Yes.. this would have been quite handy to know 


But.. why do you want to install electrum, instead of just running the binary ?

Do you want to be able to start it directly from the console with electrum ?
In this case, you can just replace the current electrum binary which is being started with electrum:
Type: which electrum and replace the working binary with the one in this path (maybe back it up before).

Or do you want to be able to start it via your application menu ?
This can also be done quite easily. The exact procedure depends on your OS and Desktop environment.


These are the only 2 reasons - i can think of - why you might want to install electrum, instead of just running it from the binary.

Or is there another reason i am missing ?

OP mentioned a problem regarding the direct connection:



And in this case, a central server is one of the best solutions IMO.
Especially if the server (obviously with an own publicly routable IPv4 address) is hosted by alice or bob itself.

Without a publicly routable address, no direct connections can be established. You also can't get incoming connections on your bitcoin node without a publicly routable address.


But.. even if customer of major ISP's are sitting behind a NAT (mostly because all of them are short on IPv4 addresses), most of them do assign you a /64 network of IPv6 addresses.
And with IPv6 (given that both, alice and bob, are sitting behind a NAT and have an IPv6 address) a direct connection is possible again.

In this case a middle-man (doesn't matter whether centralized server or just a 3rd person used for routing) is not necessary.

I meant a double spending of an already confirmed transaction, not a double spend attempt on an unconfirmed transaction. I should have made this more clear.

A double spending of an already confirmed transaction won't be included by any miner (or else they would simply lose the block reward because the block won't be accepted as a valid one from the network).
However, a double spending of an unconfirmed transaction can definitely happen (and especially if the RBF-flag is set. A RBF-transaction basically is a double spending transaction with an increased fee).

Exposing a public key is fine.
You shouldn't expose your master public key (xpub) to not compromise your privacy.

The xpub is used to generate all public keys of your wallet (-> all addresses can be generated out of it).

But exposing single public keys is completely fine, privacy- and security-wise.

Yes.

If the transaction is valid -> add to mempool. If the transaction is invalid -> discard it.
If a transaction is recognized as a double spending transaction -> TX is not valid. Therefore it won't get added to the mempool.

For the future:
Please create a new thread if you have a question which is unrelated the OP or when the thread you want to post in is very old (1.5 years definitely is).
Necroposting in such a thread will just attract spammer.

May i ask what the use case would be ?

File sharing is nothing extra ordinary which has to be protected in several ways.

One could simply encrypt the file (e.g. asymmetrically or symmetrically with the decryption key being encrypted asymmetrically) and use any form of communication to transfer the file (email, fileserver, p2p network, centralized file hoster, direct TCP connection, etc.. ).


Am i missing something here ?

One (among multiple) option would be to use btcpy (https://github.com/chainside/btcpy).

It might be kind of an overkill because it handle much more, but it definitely is able to do what you need.

Did i ever mention it is a cryptocurrency exchange ? No.
But 'trading platform' implies that something is being traded.

He never mentioned how to handle deposits. He asked how to securely manage private keys on an online server. You still seem to lack the ability to understand what it is all about.

The main goal of a web service which handles user funds is to secure those funds. All of your so-called 'help' (a.k.a 'use HD wallet OP bro') doesn't help at all and is - in the best case - just spam.




We know that already. You made that more than clear.




A trading platform is not an online shop.
Please don't tell me that you don't even understand the difference between those two..


Since we are drifting off-topic too much and you simply don't understand the importance of security in a crypto-based trading platform, i will stop replying to you from now on.
It is not a help for anyone reading this thread, and neither are you able to learn from it.

Well, you obviously didn't read the OP properly (or you are not able to understand what you read):


Sure, i forgot.. trading platforms don't offer their user to withdraw their funds 




Yes. A trading platform which handles user funds is a 'simple web application'. 
You do realize that a trading platform consists of more than just assigning address to users in a database? 




I feel like this:

Number 3)
He is going to ruin his project, because... he makes sure that all of his funds won't get stolen ? Or because.. he does secure his coins ? 

Number 4) is retarded.
Because no one talked whether he generates the private keys randomly or using a seed (which makes it a HD wallet).
So the "another person" was just coming and posting off-topic shit noone cared about, showing off how slow-minded he is. No one was talking about HOW to create the private keys..

Number 5)
Bob is very sensitive about bullshit being posted by people who don't know what they are talking about (ali).


Also.. why are you so obsessed with these stupid merits 
You get merit for good posts.. why can't you just stop talking about merits? Is it because you are jealous that i am in the list of the most merited user on this forum - and you are not ?

I didn't see any extraordinary security measurements posted here in this thread  


All of these things count towards common sense..

Those should be very obvious..



Are there really people who do NOT encrypt their wallet file yet ?



Self explanatory..



This one is pretty obvious too..




This makes sense too, without any additional work.




Cold wallet as the more-secure option and strong passwords is also nothing new or extra ordinary.
'Binary' authentication seems weird, but thats the only point.




Falls under common sense, pretty much.



So, what do you exactly define as 'that level of security'.
These are very basic measurements to not be (almost) guaranteed to lose your coins.. And everyone should follow them.

Nothing has been mentioned which seems to be an overkill regarding security.
And nothing seems to be hard to accomplish at all.