Warning about portable versions

[ThomasV]

Since we now have a subforum for Electrum, I am rewriting here what I already said in other threads. I hope it's more visible in its own thread.

It is not safe to use a portable version of Electrum on an insecure computer!

Don't get me wrong: I am not saying that a portable build is by itself more dangerous than a non-portable version.
However, a portable version does not bring anything more in terms of security. It does not protect you from the computer you are using.
In addition, portable builds encourage dangerous behaviour, because they make it very easy to use your wallet on third party computers, that might be infected with viruses and keyloggers.

I was never enthusiastic about distributing portable versions of Electrum.
I did it because the demand for portable versions was so high that portable builds distributed by third parties were getting popular.
That's the only reason why I accepted to distribute portable builds: I do this in order to avoid an even worse situation.

[coqui33]

Is there a portable 1.7? If so, could you please provide a link?

[ThomasV]

Is there a portable 1.7? If so, could you please provide a link?

not yet, but there should be one soon.

[SebastianJu]

Nice... ill wait for it. Regarding portability... one should be extra cautious when handling values with software. In the end i use portable only on my own pcs, but i prefer software that isnt clawed into one pc and cant be moved to another easily. I mean getting a new pc is a problem then when having some unportable programs. If you have them portable, you simple move the harddisc and you can run your software. Thats why i like portable software and use them if possible somehow.

[SebastianJu]

I now tested the new portable version of electrum 1.7.2 and it works fine. It can run from one directory only. I had to create a shortcut with the -w-tag to specify the electrum.dat that lies in the same directory. The link looks like:

Code:

L:\dirs\Electrum\Electrum-1.7.2-portable.exe -w ".\electrum.dat"

It seems without the -w-tag it will create a new electrum.dat. The -P-Tag doesnt search for electrum.dat in the same dir too. But i didnt test where it would create the electrum.dat. Maybe it only searchs for another filename.
Anyway... i deleted all electrum-files on drive c: and all files in the directory of electrum, except the exe, the link and the electrum.dat. And it works fine when starting with the link. There isnt something created on drive c: anymore.
I only wonder why the oldest transactions are cut and replaced with Pruned transaction outputs. There isnt a setting to change this.

[btcven]

I only wonder why the oldest transactions are cut and replaced with Pruned transaction outputs. There isnt a setting to change this.

When restoring from your seed you need to select a F (full) server to get your entire transaction history.

Also "ThomasV: * Due to an internal format change, your history may be pruned when
  you open your wallet for the first time after upgrading to 1.7.2. If
  this is the case, please visit a full server to restore your full
  history. You will only need to do that once."

https://bitcointalk.org/index.php?topic=50936.msg1667606#msg1667606

[ThomasV]

I only wonder why the oldest transactions are cut and replaced with Pruned transaction outputs. There isnt a setting to change this.

When restoring from your seed you need to select a F (full) server to get your entire transaction history.

please read the release notes for 1.7.2. it is explained there.

[SebastianJu]

Thanks!

[nonsh]

I only use portable versions on own computers. They're easier to backup.

[dabest1]

What is the difference between portable and standalone versions?

[SebastianJu]

What is the difference between portable and standalone versions?

The standalone can be put into a directory and started but the files are stored under c... users... and so on. So its not portably when you take the .exe with you because the wallet lies on the other pc.

[virtualmaster]

Since we now have a subforum for Electrum, I am rewriting here what I already said in other threads. I hope it's more visible in its own thread.

It is not safe to use a portable version of Electrum on an insecure computer!

Don't get me wrong: I am not saying that a portable build is by itself more dangerous than a non-portable version.
However, a portable version does not bring anything more in terms of security. It does not protect you from the computer you are using.
In addition, portable builds encourage dangerous behaviour, because they make it very easy to use your wallet on third party computers, that might be infected with viruses and keyloggers.

I was never enthusiastic about distributing portable versions of Electrum.
I did it because the demand for portable versions was so high that portable builds distributed by third parties were getting popular.
That's the only reason why I accepted to distribute portable builds: I do this in order to avoid an even worse situation.

I like very much Electrum but generally  I  disagree with you.
Surely everything could be used wrong and can create false security feelings.
But generally I consider a portable version more secure and more flexible than an installed one. (if works)
Let us see some concrete examples:
- Skype released a couple of years ago a version which had a reduced functionality than the old one. Once installed the new one it was impossible to put again the old version. It couldn't be found anywhere on the internet. With portable versions you start the new version and if you don't like it then you use again the old one and you can switch as you wish.
- I use Electrum 7.1 portable and it works. Now I downloaded Electrum 8.0 and by starting is giving to me some messages that my wallet doesn't work. Should make a new wallet or repair the old ? I didn't liked any of this options and I started 7.1 again. Otherwise if not backup-ed and installed over who knows what happened with the content of the old wallet.
- I could use Electrum on a computer shared with others. To install it would require administrator priviledges. To ask from the administrator would attract attention on it and could put on risk the coins.
- Electrum is installed on a shared computer. Even in this case I would use my own portable version because on the installed one could be a spyware. Of course a key-logger would be anyway there if installed but that mostly can be fooled with onscreen-keyboard.
- I can have a laptop which is not full-encrypted. A Trucrypt container can be put in the dropbox order(backup is also solved instantly) and there could be not only the wallet but the portable application also. If I have the application outside of the container somebody could boot the laptop from a CD(or access it  from a hacked dropbox account) and install a spyware on the application. So I have more security if the application is also inside of the container.

[novusordo]

It'll be nice when portable hardware wallets like the Trezor become more widespread, then this won't be as much of a concern.

[btcven]

You mean 1.7 and 1.8

.
.
.
- I use Electrum 7.1 portable and it works. Now I downloaded Electrum 8.0 and by starting is giving to me some messages that my wallet doesn't work. Should make a new wallet or repair the old ? I didn't liked any of this options and I started 7.1 again. Otherwise if not backup-ed and installed over who knows what happened with the content of the old wallet.
.
.
.

Running a portable version from an encrypted drive on a infected laptop is dumb. All that security to finally run from a unknown computer that likely has a key logger and a lot of viruses / trojans / spywares... Good luck

[GODLIKE]

Could you add an image based password?
That would make it perfect, probably.

[dabura667]

Could you add an image based password?

What is that?

[SebastianJu]

Could you add an image based password?

What is that?

Using an image file. But i think its risky. The system would know files you often use. If you have a hybrid disc its even easier.

[btcven]

Could you add an image based password?
That would make it perfect, probably.

Be careful with that. The system writes metadata into images (last date opened, last day modified) you will probably lose access to your wallet in a few weeks of use.

[jackjjohnson]

I've been using 1.9.8 (not a portable version) on a Tails USB key. You can funnel it through Tor nodes, but it requires for some kind souls to keep an Electrum server up on a Tor node. Unfortunately the .onion/Electrum servers seem to be infrequent.

If you use the -1 switch, it keeps it from trying other servers.

I consider this to be very secure. You could be on the most infected computer in the world, and it can't touch this. A hardware keylogger would be the only possible way to lose your passwords, and Tails has several virtual keyboards or Keepass that will defeat that.

[SebastianJu]

I've been using 1.9.8 (not a portable version) on a Tails USB key. You can funnel it through Tor nodes, but it requires for some kind souls to keep an Electrum server up on a Tor node. Unfortunately the .onion/Electrum servers seem to be infrequent.

If you use the -1 switch, it keeps it from trying other servers.

I consider this to be very secure. You could be on the most infected computer in the world, and it can't touch this. A hardware keylogger would be the only possible way to lose your passwords, and Tails has several virtual keyboards or Keepass that will defeat that.

Malware could replace the electrum.exe with one that reveals everything. I suggest not to be uncautious.

Why do you need to use onion servers? By using tor you still can use all normal servers. Or do you want to have a server whose location is unknown to authorities?