Bitcoin Forum
Topic: Client feature request, no private keys in server logs.
Slumberwatcher (OP)
November 20, 2017, 11:40:52 AM
 #1

Sorry for the cryptic subject.

I was curious and wanted to try to run an electrumx-server.

Got things up and running and everything seems to work ok, but I noticed some strange error messages:

Nov 19 02:38:27 tv electrumx_server.py[23874]: INFO:ElectrumX:[2269] too many errors, last: 5HpH(removed)h9bY is not a valid address

(The (removed) is put there by me since it is a complete private key.)

Most of the errors are empty or contain some kind of base64-encoded string. But what is scary is that some (8 so far) have been valid private keys from random users. I don't know if these are keys that are in use or if it is just random data that happens to look like keys.

So, this is my feature request for the Electrum client (not the server): would it be possible to check and refuse/give a warning if you try to send something that looks like a private key to the server?
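
Added example (not part of the original post, and not Electrum or ElectrumX code): one way to recognise a string that "looks like a private key" is to Base58Check-decode it and test for the mainnet WIF layout, which a client could run before sending an address query and a server operator could run before writing an error to the log. The function names, the `[REDACTED-WIF]` marker and the sample key and log line are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet WIF tokens: 51 chars starting with 5, or 52 chars starting with K/L.
CANDIDATE = re.compile(r"\b[5KL][%s]{50,51}\b" % B58)

def checksum4(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + body

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out

def is_wif_private_key(text: str) -> bool:
    try:
        raw = b58decode(text.strip())
    except ValueError:
        return False
    payload, check = raw[:-4], raw[-4:]
    # 0x80 version byte + 32-byte key, optionally + 0x01 (compressed pubkey flag)
    shape_ok = len(payload) == 33 or (len(payload) == 34 and payload[-1] == 1)
    return shape_ok and payload[0] == 0x80 and check == checksum4(payload)

def redact_wif(line: str) -> str:
    # Replace only tokens whose checksum verifies; other text is left alone.
    return CANDIDATE.sub(
        lambda m: "[REDACTED-WIF]" if is_wif_private_key(m.group()) else m.group(),
        line)

# Constructed sample: a throwaway key (bytes 1..32) and a log line in the
# format quoted in the post above.
SAMPLE_KEY = bytes(range(1, 33))
SAMPLE_WIF = b58encode(b"\x80" + SAMPLE_KEY + checksum4(b"\x80" + SAMPLE_KEY))
SAMPLE_LOG = ("INFO:ElectrumX:[2269] too many errors, last: "
              + SAMPLE_WIF + " is not a valid address")

if __name__ == "__main__":
    print(redact_wif(SAMPLE_LOG))
```

Because the checksum must verify, random Base58-looking data is almost never flagged, which also answers whether a logged string is a well-formed key or just noise.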
Abdussamad
November 20, 2017, 12:47:16 PM
 #2

Are you saying users are querying your server manually using the Electrum console? If that is the case then they are advanced users and should be left to their own devices. Otherwise Electrum doesn't send private keys to servers during normal operation. It wouldn't be a secure client if it did that.

One other thing. Private keys starting with 5 are for uncompressed addresses. Electrum stopped creating those with version 2.0. Make of that what you will.
Slumberwatcher (OP)
November 20, 2017, 01:11:42 PM
 #3

I assumed (naively) that they were using the GUI client and maybe had managed to cut 'n' paste a private key into the wrong field.

Just got a bit spooked when I saw these things in my server log since I know the client never ever should send those.

But as you say, if people send private keys it is their problem. It still bothers me that they are testing my morals. :)