Bitcoin Forum
Author Topic: Electrum Hashes  (Read 426 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
grtthegreat
December 28, 2018, 06:17:46 AM
 #21

got it. thanks.

any other server guys?

I believe I've seen these servers for long:

Code:
VPS.hsmiths.com
electrum.anduck.net
electrum.be
electrumx.ml
139.162.14.142
185.64.116.15
pooya87
December 28, 2018, 06:20:57 AM
 #22

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

just FYI, there is no risk in connecting to any of those servers with your "real" Electrum wallet. they are in fact Electrum servers and they can't do anything to harm you. the only thing they do is that when you send a transaction they ask you to "click a link" and "download their malicious software". so don't click that link!

other than that, as long as you know this, you don't have to worry about what server you connect to.

but if you are so worried about it, you can not blacklist a server but you can force Electrum to always connect to one server. go to your network window and switch to network tab, deselect automatic connection and choose a server to connect to manually.

rabbitfairferry
December 28, 2018, 09:00:19 AM
 #23

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.
gizmobuddy (OP)
December 28, 2018, 10:28:58 AM
 #24

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there an "Official Electrum Server" as well?
grtthegreat
December 28, 2018, 11:12:39 AM
 #25

what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there an "Official Electrum Server" as well?

Former -> You should be fine by connecting to any of those listed above.
Latter -> No, there's no such thing as an Official Electrum server.
gizmobuddy (OP)
December 28, 2018, 11:21:27 AM
 #26

Request for future- Electrum Technologies GmbH and devs

PLEASE do something about this issue & at the very least run an "Official Electrum Server".
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.

Thanks.

HCP
December 29, 2018, 12:47:58 AM
 #27


Quote
PLEASE do something about this issue & at the very least run an "Official Electrum Server".
I don't see any point in that... you're still having to trust a third party... if you REALLY want to trust the Electrum server you connect to, you should set up your own full node and run your own Electrum server.


Quote
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.
Personally, I think the issue is being blown out of proportion a little bit...

Electrum is still secure... this was really just social engineering by abusing a feature within Electrum. It still required that the user download, install and run malware.  It's not really that different to buying Google advertising and setting up a fake Electrum website and tricking users into downloading your fake Electrum.

I only ever download Electrum by going to electrum.org, downloading the executable... and then checking the file signatures are legit. That is probably the most crucial step!

adaseb
December 31, 2018, 07:10:42 AM
 #28

I am actually surprised that the developer doesn't post the hashes for the executables on his website or in the Electrum section of Bitcointalk.

Because I've had issues learning how to verify his signature within Windows. The Linux method was easy because you just copy and paste a few commands but getting that Windows PGP to verify the signature took a few hours to do correctly.

I guess one reason why could be that with every new update he would need to update the hashes each and every time, but doing it the PubKey PGP method as he does now, he doesn't need to.
gizmobuddy (OP)
December 31, 2018, 07:50:11 AM
 #29

^ This. Exactly.

At the very least, hashes should be posted on the website or the release.txt
How hard is it? I don't think it will take more than 5 minutes.
Abdussamad
December 31, 2018, 09:40:21 AM
 #30

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the open source world with Linux Mint. A digital signature can't be forged though so that's why digital signatures are provided.
pooya87
January 01, 2019, 04:22:16 AM
 #31

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the open source world with Linux Mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with PGP. so they provide hashes then sign them with their key.

gizmobuddy (OP)
January 01, 2019, 06:09:56 PM
 #32

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the open source world with Linux Mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with PGP. so they provide hashes then sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would serve both purposes.
pooya87
January 02, 2019, 05:14:59 AM
 #33

Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the open source world with Linux Mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with PGP. so they provide hashes then sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would serve both purposes.

there is no point in doing that because if you want to be safe you still have to verify the PGP signature of the "hash file" so you still have to have the PGP public key of the developer, know how to verify signatures and have the application for doing that installed.
so why bother with hashes in the first place?

not to mention that this model may lead to some lazy people skipping the PGP signature verification step and sticking to hash verification which is NOT enough for verifying authenticity of a downloaded file. hashes are only used for verifying "integrity" of a downloaded file and there is a big difference between the two concepts.

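The integrity-versus-authenticity distinction in post #33 also applies to the signature check itself: a fake site can publish a signature made with its own key as easily as a matching hash, so a "good signature" only counts if it comes from the key you already trust. The sketch below is an added example, not part of the thread and not Electrum's own tooling; `EXPECTED_FPR`, the function names and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# EXPECTED_FPR is a constructed placeholder: use the developer's fingerprint,
# obtained from a source other than the download page (upper-case, no spaces).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a good signature
# was made by the pinned key; gpg prints GOODSIG before that signature's VALIDSIG.
signed_by_expected_key() {
    local want="$1" tag kind arg rest last=none match=0
    while read -r tag kind arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            GOODSIG) last=good ;;
            BADSIG) return 1 ;;   # fail closed on any bad signature
            ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) last=notgood ;;
            VALIDSIG)
                # arg = signing key fingerprint; last field = primary key
                # fingerprint (they differ when a subkey made the signature)
                if [ "$last" = good ] &&
                   { [ "$arg" = "$want" ] || [ "${rest##* }" = "$want" ]; }; then
                    match=1
                fi
                last=none ;;
        esac
    done
    [ "$match" -eq 1 ]
}

# verify_download <file> <detached .asc signature>; needs the key imported in gpg.
verify_download() {
    local file="$1" sig="$2" status
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)" || true
    printf '%s\n' "$status" | signed_by_expected_key "$EXPECTED_FPR"
}

# Constructed status output: one signature from the pinned key, and one that is
# equally valid cryptographically but was made by a different key.
SAMPLE_PINNED="[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer (constructed)
[GNUPG:] VALIDSIG $EXPECTED_FPR 2018-12-27 1545900000 0 4 0 1 8 00 $EXPECTED_FPR"
SAMPLE_OTHER="[GNUPG:] GOODSIG 1111111111111111 Someone Else (constructed)
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-12-27 1545900000 0 4 0 1 8 00 1111111111111111111111111111111111111111"

for sample in "$SAMPLE_PINNED" "$SAMPLE_OTHER"; do
    if printf '%s\n' "$sample" | signed_by_expected_key "$EXPECTED_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```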
bob123
January 02, 2019, 09:01:19 AM
 #34

this is scary. does anybody know how to find honest servers?

If you want a server you can completely trust.. set up your own server.

If you don't want to do this, you'll have to trust a server which is controlled by someone you don't know.
Generally this isn't a problem since the server is only used to send transactions and to receive the current balance of your wallet.

If you never click on any links and never download any software, you are fine.
