shamzblueworld (OP)
January 08, 2018, 01:07:58 PM
So as you can see from the notice above ( https://bitcointalk.org/index.php?topic=2702103.0 ), Electrum is vulnerable, and has been for quite a while. It's just that they have discovered it now, and also that their first fix wasn't a fix either, and they have upgraded it again. I for one am not feeling much better after this upgrade either, because tomorrow there may be another one like this. So is it time to move from Electrum to another option? What do you guys think?

Lucius
January 08, 2018, 01:46:29 PM
> So as you can see from the notice above ( https://bitcointalk.org/index.php?topic=2702103.0 ), Electrum is vulnerable, and has been for quite a while. It's just that they have discovered it now, and also that their first fix wasn't a fix either, and they have upgraded it again. I for one am not feeling much better after this upgrade either, because tomorrow there may be another one like this. So is it time to move from Electrum to another option? What do you guys think?

You should always consider another option; there are many other wallets out there and they are free to use. But if you have some significant amount of BTC or any other altcoins, every desktop wallet can represent a potential threat at any moment. Electrum fixed their vulnerability in version 3.0.5 and it should be safe to use it now, but as you say they can discover some other vulnerability the next day or in a few months/year. Although this vulnerability could have been fully exploited only if the user did not set a decent password on the wallet, and I think that most users of Electrum set a password when they install the wallet, so except for the reputation of Electrum there is no major damage to users. The only thing which I can suggest is to seriously consider some hardware wallet. I use my Ledger Nano S in combination with Electrum BTC. It has a nice & functional interface and your private keys are always safe inside the device.

bob123
January 08, 2018, 03:14:26 PM
> .. It's just that they have discovered it now .. So is it time to move from Electrum to another option?

Just because a vulnerability hasn't been found in a wallet with a lower userbase, it doesn't mean those are safer than Electrum. You can move to another wallet. But the question is what you expect from this wallet. A desktop wallet shouldn't be used to store larger amounts of money anyway. It may be easier to exploit this vulnerability, but generally it's easy enough to get malware spread around. So you should never consider your desktop wallet as a safe place to store cryptos. Electrum has a ton of features. Besides Core, I would not know which has such a variety of functions. It's up to you which wallet you prefer. Electrum in combination with the Nano S is an extremely safe way (not vulnerable in this situation) of storing BTC and having a ton of features.

theymos
Administrator
January 08, 2018, 05:33:07 PM
Electrum is still one of my favorite wallets, but you have to understand its limitations:
- Its privacy (and security, to some degree) is inherently bad due to its verification model.
- It's written in an interpreted language, which makes me instantly suspicious of its security.
- It has a very small team.
I'm OK with using Electrum for smallish amounts, with the assumption that all transactions/BTC in a single Electrum wallet can be trivially linked to each other.
IMO Electrum is still in the top two or three wallets. But although ThomasV is one of the best devs in Bitcoin, and some other wallet devs are also very good, this probably says more about how poor the wallet ecosystem is in general than how great Electrum is. Every wallet is seriously flawed in many ways.

RGBKey
January 08, 2018, 05:57:25 PM
> Electrum is still one of my favorite wallets, but you have to understand its limitations:
> - Its privacy (and security, to some degree) is inherently bad due to its verification model.
> - It's written in an interpreted language, which makes me instantly suspicious of its security.
> - It has a very small team.
>
> I'm OK with using Electrum for smallish amounts, with the assumption that all transactions/BTC in a single Electrum wallet can be trivially linked to each other.
>
> IMO Electrum is still in the top two or three wallets. But although ThomasV is one of the best devs in Bitcoin, and some other wallet devs are also very good, this probably says more about how poor the wallet ecosystem is in general than how great Electrum is. Every wallet is seriously flawed in many ways.

Agreed. Just look at Meltdown, it has been a vulnerability in Intel chips for years, and was only now discovered. The two aren't completely analogous, but a mistake/vulnerability free environment isn't likely when you still have humans writing the code.

HCP
January 09, 2018, 12:03:30 AM
> ...because tomorrow there may be another one like this.

and who is to say that [insert any bitcoin wallet name here] wallet won't also discover a security vulnerability tomorrow?

> ... and also that their first fix wasn't a fix either, and they have upgraded it again.

Actually their "first fix" WAS a fix... it was just very blunt and simply disabled the insecure functionality completely, until the devs had time to implement a "proper" fix. Hence why there were "two" upgrades. What is really important to me in situations like this is the response of the devs... which, in my opinion, has been fantastic. Once the issue was identified as being serious, they IMMEDIATELY released a "fix" which helped to secure the wallet, which then gave them time to implement a "clean" fix that enabled them to keep the original JSON-RPC functionality, but secure it properly. They also didn't try to hide anything... it would appear they tried their best to make it known that there was an issue and that people needed to upgrade. Full credit to ThomasV and the Electrum devs.

> ...this probably says more about how poor the wallet ecosystem is in general than how great Electrum is. Every wallet is seriously flawed in many ways.

#QFT

pooya87
January 09, 2018, 05:36:32 AM
> another option?

ingredients:
- pen/pencil for writing: 1
- paper to write on: as much as required
- 16-sided hexadecimal dice: 1
- an even ground to roll the dice 64 times: as big as possible!

congratulations you now own a private key. now to get your bitcoin address you need:
- some tool to convert the hexadecimal result to a bitcoin address.
- a DVD with live linux to run that tool

now you are only trusting ECDSA and hashes to be safe.

hugeblack
January 09, 2018, 11:10:59 AM Last edit: May 13, 2019, 02:37:37 AM by hugeblack
Why all take Electrum vulnerability seriously (Real Hacking)
I quote this from Reddit @etmetm.

> The common vector is javascript code on a malicious website scanning and connecting to the RPC interface for electrum running on localhost. More modern browsers do not allow https (website) to http (RPC) access to localhost, so the attacking website commonly has to be http only as well.
>
> It can only steal funds if your wallet is passwordless, which is not usually the case. It's serious in that RPC can also be used to change settings in the electrum config.
>
> Edit: CORS access https -> http should not work. POST requests from https to http seem to be possible indeed but they should be a lot slower. Brute forcing password will take time (especially on post requests) but good point for really short passwords. You'd need to keep open the attacker webpage for quite a while though.

Source: https://www.reddit.com/r/Bitcoin/comments/7ooack/critical_electrum_vulnerability/
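
The server-side checks that the "secure it properly" fix and the Reddit description above point to, as an added example that is not part of any post and is not Electrum's own code: a localhost JSON-RPC endpoint that demands per-install credentials and refuses requests carrying a browser `Origin` header. The function names, the header-dict shape and the credential names are assumptions made for the illustration.

```python
import base64
import hmac
import secrets

# Hypothetical per-install credentials (names are assumptions, not Electrum's
# own settings), generated once and stored in the wallet's config file.
RPC_USER = "user"
RPC_PASSWORD = secrets.token_urlsafe(16)  # ~128 bits of randomness


def basic_auth(user, password):
    """Authorization header value a legitimate local client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_rpc_request(headers, user=RPC_USER, password=RPC_PASSWORD):
    """Status a localhost JSON-RPC server should answer with: 200 dispatch,
    401 missing/bad credentials, 403 web origin. headers: lower-cased dict."""
    # Browser scripts making cross-origin requests carry an Origin header;
    # a local command-line client does not, so its presence is refused.
    if "origin" in headers:
        return 403
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401
    got_user, sep, got_password = decoded.partition(":")
    # Constant-time comparison so response timing does not leak the secret.
    user_ok = hmac.compare_digest(got_user.encode(), user.encode())
    pass_ok = hmac.compare_digest(got_password.encode(), password.encode())
    return 200 if (sep and user_ok and pass_ok) else 401


# Constructed sample requests (header dicts only, no network involved).
SAMPLES = {
    "local client with credentials": {"authorization": basic_auth(RPC_USER, RPC_PASSWORD)},
    "request without credentials": {},
    "web page with a guessed password": {
        "origin": "http://attacker.example",
        "authorization": basic_auth(RPC_USER, "guess")},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {check_rpc_request(hdrs)}")
```

The random RPC credential is separate from the wallet password mentioned in the quoted text: it gates every RPC call, including the ones that only change configuration.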

jossiel
January 10, 2018, 06:06:44 AM
I've noticed that news either that was discovered by theymos. If you are studying IT or you have been into an IT course, most of your professors or instructors will say that there's no perfect system. But what happened to electrum is that you just need to upgrade the client as suggested to 3.0.5 even if you recently upgraded to the last 3.0.4 (which is written above).

> So is it time to move from Electrum to another option?

It's your choice if you want to move. I still trust electrum, it's one of the best wallets that I've used.

mpufatzis
January 10, 2018, 10:13:34 AM
Electrum was vulnerable but not if you used an offline computer as cold wallet and another online (watch only) for the transactions. I think you can still use it this way, it is the safest option. If you have many coins, buy a hardware wallet or for more safety use paper wallets. They are still usable.

veleten
January 12, 2018, 05:45:46 PM
there is an update available, should be safe from any vulnerability
there are not many lightweight, easy to use, user friendly wallets to migrate to
electrum can be used to store some funds for day to day transactions
I highly doubt hackers would be able to breach your system and even if they do, there will be not much for the taking anyways

bitbunnny
January 12, 2018, 07:54:28 PM
I believe that every wallet has some kind of vulnerability. Those that are popular among many users, like Electrum, are more exposed and hackers are always trying to find a way to break the protection. But that doesn't mean that Electrum is a bad wallet. Because of potential vulnerabilities it is clever to use multiple wallets of multiple types. You can never be safe enough.

Jepli
January 13, 2018, 03:50:06 PM
Everyone is entitled to an option to use any wallet. But Electrum is still safe and useful; we don't need to worry about anything because even if you use other wallets, there is still risk to it if hackers would really want to hack such.

faatipoke
January 20, 2018, 05:03:58 PM
Why are people still using Electrum for Bitcoin storage and transactions? I was using Electrum before because the Bitcoin price was not as high as now, so buying a hardware wallet was not worth it. I had some bitcoin but the price of a hardware wallet was almost the same as my bitcoin holding value. But now things have changed and the bitcoin price increased hugely, Bitcoin owners made 20 times in one year, so I expect every Bitcoin owner has money to buy a hardware wallet and it is really worth it. I can understand only if you are new to Bitcoin and do not have enough Bitcoin to store in a hardware wallet.

HCP
January 20, 2018, 09:17:01 PM
You realise that you can use Electrum WITH hardware wallets (Trezor and Ledger) right?
I prefer to use it this way, because I like the Electrum interface better than the "Ledger Wallet Bitcoin" and I feel that it gives me more flexibility with coin control and customised fees and "preview" which are not really available in the Ledger chrome app.

cryptorampage
January 20, 2018, 09:20:15 PM
Yes, correct. The vulnerability issue has been on the ticker in the last few weeks. I have not flocked in any problem still. But I think time to move on. For BTC I would rather choose blockchain. What will be the ultimate solution? I still believe in electrum wallet.

cipher-x_09
January 21, 2018, 02:19:31 PM
Which is why I prefer to store less money in my online wallet, because attack vectors are all over the internet world; whether you have a strong or weak password, hackers with a special type of abilities can gain easy access to your online wallet. Which is why for me the safer tactics are: first, keep a lesser amount of money stored in your wallet; second, download another wallet so that your bitcoin will be divided into parts, and make sure the password you use for both is something you can easily remember, and try writing the password on paper.

cynical
January 24, 2018, 11:19:48 PM
Interesting read. I take from this thread that electrum is one of the better and widely used desktop type wallets. It, like all wallets of its type, has flaws, and is fine for smaller bitcoin amounts. The only 3 viable absolute secure options are: paper, cold storage and hardware?

Spendulus
January 25, 2018, 03:35:03 AM
> > another option?
>
> ingredients:
> - pen/pencil for writing: 1
> - paper to write on: as much as required
> - 16-sided hexadecimal dice: 1
> - an even ground to roll the dice 64 times: as big as possible!
>
> congratulations you now own a private key. now to get your bitcoin address you need:
> - some tool to convert the hexadecimal result to a bitcoin address.
> - a DVD with live linux to run that tool
>
> now you are only trusting ECDSA and hashes to be safe.

Or just sit in an outdoor cafe, and write down license plate numbers of passing cars.

swogerino
January 25, 2018, 09:03:01 AM
The person behind Electrum is ThomasV, who is doing great work to keep Electrum as safe and secure as possible. As you can read on their website, Electrum is run only on donations, so you should respect ThomasV's work. Electrum is as safe as a hardware wallet when used properly, which means installed on a newly formatted computer. Bugs happen to any software and as ThomasV is only human without supernatural powers he can make errors too. He fixed it in just 2 days and that is a record time.
Of course everyone is free to move from Electrum but so far there is not any other wallet which is free and more secure than Electrum. Since you are worried, a hardware wallet may be a good option for you if you have made your decision to move away from Electrum.