Electrum replacement needed.

[TryNinja]

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

uh Legendary you are smarter than Microsoft and Bill Gates

Look at what I found. Where is your god (Bill Gates) now?

The Microsoft Security Response Center uses this PGP key to sign all security notifications and encourages others to use this key when sending sensitive information to us. You should send all security vulnerability reports to secure@microsoft.com.

https://www.microsoft.com/en-us/msrc/pgp-key-msrc

stupid Legendary. Not just microsoft, most softwares companies signed their softwares. But why they just let users verify their files by hashes?

As soon as you download a malicious software from a fake page, the hashes on the *fake* page will also be fake. How the heck do you use an information from the fake page to verify itself as legit? It’s like asking a scammer if he is a scammer. If he says “no”, you instantly trust him.

By verificating the file signature, which was previously set up from a trusted source, you don’t depend the confirmation bis from a single untrusted source, which is a fake website.

If you still didn’t understand that (somehow), then you are a moron and I will not discuss with you anymore. I’m not that patient with ignorent prople like you. Goodbye.

[bob123]

You can always trust the source code.

DONT

 

A computer does EXACTLY what is written in the code.

If YOU can't read or understand it, it is your fault.

There is a good reason to "not show security alerts". This offers way too much room for exploitation and would create new potential attack vectors.

lol so microsoft and security companies are stupid because they show users security alerts

There is nothing which needs to be fixed currently.

yes because microsoft and security companies are stupid

Actually, the brains behind microsoft are very clever.
They are gathering more information from you than allowed by law and make money out of it.

To be precise, YOU are stupid for using microsoft without turning off all spying settings.

I don't understand the big crying about this "vulnerability". All it allowed was to show a message from the electrum server.
That's nothing security-related at all.

This wouldn't even get a CVSS score of 3 of 10 (i calculated it myself). That's definitely just low severity.

it is 10/10 high risk security. Terrible mistake of a developer

I don't think you know how CVSS works.

Actually.. it doesn't effect:
- Confidentiality
- Integrity
- Availability

The vulnerability doesn't allow the attacker to do anything except just SHOWING A MESSAGE.

That's like sending you an email with the title of "electrum is vulnerable, plz udpate from this very very offcial siite: electrummalware.org/iamstupid/forclickingthis" (mistakes intended)

People like you actually would click on it and install malware 

stupid Legendary
FIRST OF ALL, Legendary, answer these questions:
1. Why Microsoft just let users verify files by hashes?
2. Why Microsoft doesnt recommend users verify files by signature?
3. Microsoft is encouraging poor security behaviour?
4. Microsoft just let users verify files by hashes is "false security"?
5. You and your ThomasV are smarter than Microsoft and Bill Gates?

1. Because it is way easier (especially for non-techy people like you who don't understand anything at all)

2. Because Microsoft has a very very bad security policy

3. Yes

4. Depending on the source of the hashes to verify with, yes

5. I am actually 99.9 % sure that TomasV is smarter than billy gates.

[AltcoinBuilder]

Can anyone recommend a light wallet for btc? Must have a linux version. Multibit was fine but its been abandoned. I have 0 trust in Electrum.

I do have Jaxx and Exodus for scraps but I don't trust these do it all wallets with btc.

most of hardware wallets use electrum for SPV, it is one of the best SPV wallets. just ensure that you download and use original version.

[pooya87]

1. Because it is way easier (especially for non-techy people like you who don't understand anything at all)
2. Because Microsoft has a very very bad security policy

actually Microsoft already has a similar mechanism at work with digital signatures using asymmetric cryptography using RSA keys, where you have to pay and buy a "certificate" if you want to have your applications have that.

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

[HCP]

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

One begins to wonder "why" someone would campaign so hard for Electrum to reduce security by switching to using simple hashes for binary file verification?

Perhaps a "long con" to try and get the Electrum devs to help condition less knowledgeable users to implicitly trust file hashes to prove authenticity... so that they can then setup a fake site, with fake .exe and fake hashes to fool users who now believe that file hash = secure. 

Although, I think I'm probably giving some people too much credit.

[pooya87]

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

One begins to wonder "why" someone would campaign so hard for Electrum to reduce security by switching to using simple hashes for binary file verification?

Perhaps a "long con" to try and get the Electrum devs to help condition less knowledgeable users to implicitly trust file hashes to prove authenticity... so that they can then setup a fake site, with fake .exe and fake hashes to fool users who now believe that file hash = secure. 

Although, I think I'm probably giving some people too much credit.

i think you are giving him too much credit, haha
and as i said above, this will never happen no matter how much he pushes for it. it is too obvious that it is not safe to do that and it has been discussed a very long time ago and Thomas. V. commented on it by the time.

besides if a user is too lazy to check the signature, they are also too lazy to check the hashes so it wouldn't even make any differences! they still have to open their terminal (in Linux) or install an application (in windows) to do the hashes and their verification so the steps are nearly similar!