Bitcoin Forum
November 19, 2024, 03:21:18 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Electrum clients older than 3.3 can no longer connect to public electrum servers  (Read 323 times)
bL4nkcode (OP)
Copper Member
Legendary
*
Offline Offline

Activity: 2142
Merit: 1307


Limited in number. Limitless in potential.


View Profile
March 15, 2019, 09:04:22 AM
Merited by Coding Enthusiast (2), ABCbits (1), hatshepsut93 (1)
 #1

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672
hatshepsut93
Legendary
*
Offline Offline

Activity: 3038
Merit: 2161


View Profile
March 15, 2019, 09:46:51 AM
 #2

I've opened my watch-only wallet today and freaked out a little bit when it failed to connect to multiple servers, but eventually I managed to connect to a server. So, it seems like the DOS is not total. Still, it's good to know that it's a white hat DOS, and even though I don't use Electrum for sending transactions on online machines, I'm still going to upgrade soon. Thanks for sharing!
Lucius
Legendary
*
Offline Offline

Activity: 3430
Merit: 6169


Eternal Thanks and Glory to the City of Heroes


View Profile WWW
March 15, 2019, 11:14:26 AM
 #3

This is finally something that will solve the problem with phishing messages, but unfortunately I think they waited too long to prevent hackers in their dirty game. Is this something what could have been done earlier, how complicated it is from the technical side to prevent old versions of Electrum to connect to public Electrum servers?

hatshepsut93, I use Electrum yesterday and I also notice that it took much longer time to connect to server. I am not sure how you still can connect with old version, probably this blocking is not working 100%.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Abdussamad
Legendary
*
Offline Offline

Activity: 3696
Merit: 1584



View Profile
March 15, 2019, 11:52:48 AM
 #4

It'll take time for good servers to roll out this new code. Once they do the scammers will have only one avenue left - they have to get you to connect to their server first!
G3nijalac
Member
**
Offline Offline

Activity: 120
Merit: 10


View Profile
March 15, 2019, 01:04:26 PM
Last edit: March 15, 2019, 01:28:50 PM by G3nijalac
 #5

so if I am using a version older than 3.3 can I still manualy connect to a server?

edit: "We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages." does this mean if i open my old version electrum it will automaticaly be forced to upgrade to the latest safe version?

Abdussamad
Legendary
*
Offline Offline

Activity: 3696
Merit: 1584



View Profile
March 15, 2019, 01:40:57 PM
Last edit: March 15, 2019, 02:04:26 PM by Abdussamad
 #6

old versions are unsafe so they are deploying this "fix" on good electrum servers. it means if you run an old version and happen to connect to a good server electrum will crash forcing you to seek help. when you do we will tell you to upgrade. so that's what you should do Smiley it's for your own good!

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.
nc50lc
Legendary
*
Offline Offline

Activity: 2604
Merit: 6424


Self-proclaimed Genius


View Profile
March 16, 2019, 02:43:31 AM
 #7

This "fixbandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
pooya87
Legendary
*
Offline Offline

Activity: 3640
Merit: 11041


Crypto Swap Exchange


View Profile
March 16, 2019, 04:01:13 AM
 #8

is it just me or these days it seems like a new rather serious issue (bug) is being found in Electrum every week or so?!

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
this was more of a bug that is being exploited and when they do it "kills" the network instance of your application and as far as i can understand it can no longer do anything else let alone connect to another server.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Abdussamad
Legendary
*
Offline Offline

Activity: 3696
Merit: 1584



View Profile
March 16, 2019, 07:07:39 AM
 #9

This "fixbandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

Yes if the first server they connect to is a bad one or an unpatched good one their clients will not crash. Also if they are using versions 3.3 - 3.3.2 they will still see the phishing messages if they are connected to a bad server and attempt to spend their bitcoins. However, with  version 3.3.2 the message is not rendered in rich text.

Once legit servers deploy this it'll greatly reduce the room attackers have to operate.
DireWolfM14
Copper Member
Legendary
*
Offline Offline

Activity: 2352
Merit: 4628


Join the world-leading crypto sportsbook NOW!


View Profile WWW
March 16, 2019, 01:14:16 PM
 #10

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.

Wouldn't it be more secure to process updates through the software it's self, rather than rely on users going to the right website for download checking signatures?  Is that something the dev team is planning for future releases?

  ▄▄███████▄███████▄▄▄
 █████████████
▀▀▀▀▀▀████▄▄
███████████████
       ▀▀███▄
███████████████
          ▀███
 █████████████
             ███
███████████▀▀               ███
███                         ███
███                         ███
 ███                       ███
  ███▄                   ▄███
   ▀███▄▄             ▄▄███▀
     ▀▀████▄▄▄▄▄▄▄▄▄████▀▀
         ▀▀▀███████▀▀▀
░░░████▄▄▄▄
░▄▄░
▄▄███████▄▀█████▄▄
██▄████▌▐█▌█████▄██
████▀▄▄▄▌███░▄▄▄▀████
██████▄▄▄█▄▄▄██████
█░███████░▐█▌░███████░█
▀▀██▀░██░▐█▌░██░▀██▀▀
▄▄▄░█▀░█░██░▐█▌░██░█░▀█░▄▄▄
██▀░░░░▀██░▐█▌░██▀░░░░▀██
▀██
█████▄███▀▀██▀▀███▄███████▀
▀███████████████████████▀
▀▀▀▀███████████▀▀▀▀
█████████████LEADING CRYPTO SPORTSBOOK & CASINO█████████████
MULTI
CURRENCY
1500+
CASINO GAMES
CRYPTO EXCLUSIVE
CLUBHOUSE
FAST & SECURE
PAYMENTS
.
..PLAY NOW!..
Abdussamad
Legendary
*
Offline Offline

Activity: 3696
Merit: 1584



View Profile
March 16, 2019, 02:24:03 PM
 #11

idk. you can ask them on irc.

i know auto updates were rejected by bitcoin core because in the event of a compromise of their servers every user could become infected with malware.
Artemis3
Legendary
*
Offline Offline

Activity: 2030
Merit: 1573


CLEAN non GPL infringing code made in Rust lang


View Profile WWW
March 17, 2019, 01:20:30 AM
 #12

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

██████
███████
███████
████████
BRAIINS OS+|AUTOTUNING
MINING FIRMWARE
|
Increase hashrate on your Bitcoin ASICs,
improve efficiency as much as 25%, and
get 0% pool fees on Braiins Pool
TryNinja
Legendary
*
Offline Offline

Activity: 3024
Merit: 7444


Top Crypto Casino


View Profile WWW
March 17, 2019, 01:24:35 AM
 #13

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.
Unless people start falling for the scam (which actually happened and resulted in the loss of hundreds - if not thousands - of BTC). Just because you know this is a scam, doesn't mean others will.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?
Yes. If they started doing this from day one, the damages would have been much smaller.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
pooya87
Legendary
*
Offline Offline

Activity: 3640
Merit: 11041


Crypto Swap Exchange


View Profile
March 17, 2019, 03:31:37 AM
 #14

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?
Yes. If they started doing this from day one, the damages would have been much smaller.

as far as i can tell there is no bug in the server side to be used to cause a crash anyways. this DoS attack that is being discussed here is on the client side and it was also found recently so it couldn't be used from early days either.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Abdussamad
Legendary
*
Offline Offline

Activity: 3696
Merit: 1584



View Profile
March 17, 2019, 11:21:51 AM
Merited by pooya87 (1)
 #15

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

Note that it's not just the phishing bug. The DoS bug they are exploiting is also there and there's a wallet file corruption bug that was fixed recently as well.
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4361

<insert witty quote here>


View Profile
March 17, 2019, 10:05:36 PM
 #16

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

I think that the old quote from John Lydgate sums it up quite nicely...
Quote
“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time”.”
― John Lydgate

I can certainly understand why the devs chose this approach (exploiting a DoS vulnerability)... not sure I 100% agree with it, but I honestly can't think of anything else they could realistically have done... they'd already advertised about the previous "error message exploit" here, on twitter, on the official website etc... and still, weeks after the initial incident and patch, there are still users getting caught out. Undecided


█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!