Electrum Hashes

[grtthegreat]

got it. thanks.

any other server guys?

I believe I've seen these servers for long:

Code:

VPS.hsmiths.com
electrum.anduck.net
electrum.be
electrumx.ml
139.162.14.142
185.64.116.15

[pooya87]

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

just FYI, there is no risk in connecting to any of those servers with your "real" Electrum wallet. they are in fact Electrum servers and they can't do anything to harm you. the only thing they do is that when you send a transaction they ask you to "click a link" and "download their malicious software". so don't click that link!

other than that, as long as you know this, you don't have to worry about what server you connect to.

but if you are so worried about it, you can not blacklist a server but you can force Electrum to always connect to one server. go to your network window and switch to network tab, deselect automatic connection and choose a server to connect to manually.

[rabbitfairferry]

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

[gizmobuddy]

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?

[grtthegreat]

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?

Former -> You should be fine by connecting to any of those listed above.
Latter -> No, there's nothing as an Official electrum server.

[gizmobuddy]

Request for future- Electrum Technologies GmbH and devs

PLEASE do something about this issue & at the very least run a "Official Electrum Server".
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.

Thanks.

[HCP]

PLEASE do something about this issue & at the very least run a "Official Electrum Server".

I don't see any point in that... you're still having to trust a third party... if you REALLY want to trust the Electrum server you connect to, you should set up your own full node and run your own Electrum server.

The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.

Personally, I think the issue is being blown out of proportion a little bit...

Electrum is still secure... this was really just social engineering by abusing a feature within Electrum. It still required that the user download, install and run malware.  It's not really that different to buying Google advertising and setting up a fake Electrum website and tricking users into downloading your fake Electrum.

I only ever download Electrum by going to electrum.org, downloading the executable... and then checking the file signatures are legit. That is probably the most crucial step!

[adaseb]

I am actually surprised that the developer doesn't post the hashes for the executables on his website or in the Electrum section of Bitcointalk.

Because I've had issues learning how to verify his signature within Windows. The linux method was easy because you just copy and paste a few commands but getting that windows PGP to verify the signature took a few hours to do correctly.

I guess one reason why could be that with every new updates he would need to update the hashes each and every time, but doing it the PubKey PGP method as he does now, he doesn't need to.

[gizmobuddy]

^ This. Exactly.

At the very least, hashes should be posted on the website or the release.txt
How hard is it? I dont think it will take more then 5 minutes.

[Abdussamad]

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

[pooya87]

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.

[gizmobuddy]

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes.

[pooya87]

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes.

there is no point in doing that because if you want to be safe you still have to verify the PGP signature of the "hash file" so you still have to have the PGP public key of the developer, know how to verify signatures and have the application for doing that installed.
so why bother with hashes in first place?

not to mention that this model may lead to some lazy people skip the PGP signature verification step and stick to hash verification which is NOT enough for verifying authenticity of a downloaded file. hashes are only used for verifying "integrity" of a downloaded file and there is a big difference between the two concepts.

[bob123]

this is scary. does anybody know how to find honest servers?

If you want a server you can completely trust.. set up an own server.

If you don't want to do this, you'll have to trust a server which is controlled by someone you don't know.
Generally this isn't a problem since the server is only used to send transactions and to receive the current balance of your wallet.

If you never click on any links and never download any software, you are fine.