is notifying users about new versions within the wallet a good idea?

[pooya87]

I have always wondered why wallets aren't doing this already, specially with vulnerabilities that are found in all of them from time to time which would require immediate updates in some rare cases.
recently Electrum added this [optional] feature in its latest release [1][2], that made me want to start a discussion about pros and cons of doing something like this.

[1] https://github.com/spesmilo/electrum/commit/34c99c3b366ade7adaa919bf1f75d39fe9fcf250
[2] https://github.com/spesmilo/electrum/commit/0bfda7c8c74757d261bbc7e24eee44fa09965e85

[1714012456]

1714012456

[Pmalek]

Yes, that option should certainly be available if you ask me. The users should be able to check if there are new updates available from the wallet interface and have an option to download the newest version. A warning message in the form of: 'Warning you are using an outdated version, for your own safety, please update to the newest version', should also be visible.

[ABCbits]

Single point of failure attack is serious cons, all attacker need to do either :
1. Take control over server to give malicious application or information
2. Launch DoS attack to prevent user know important update. This is really dangerous when it's combined with social engineering (such as fake update message few weeks/months ago)
3. User could be targeted specifically with MITM attack to perform another attack

Additionally, it brings false sense of security to regular users.

[DooMAD]

If it can be implemented with zero potential for hackers to redirect users to an infected or otherwise malicious download, then I suppose the option is okay.  But, personally, I'd rather just encourage users to take responsibility and make their own decision on which version they should be using.

[buwaytress]

Wasn't the latest Electrum update precisely because people were getting in-wallet messages from malicious nodes telling them to upgrade to a (fake) new version?

I think it's a great idea and one that should be done, if not already, but if users can't verify the authenticity of the message (and the comments on GH show even old users fell for that afore-mentioned trick!)... then it's just one more attack vector to my mind, or should we insist users always authenticate messages and builds?.

But yeah, there have been past critical upgrades that I wouldn't have known of if I didn't either visit this forum daily (I remember the past 2 or 3 Electrum vulnerabilities mentioned in the "News" line where the Latest Bitcoin Core release usually is) or check Electrum GH regularly.

[KingZee]

Wasn't the latest Electrum update precisely because people were getting in-wallet messages from malicious nodes telling them to upgrade to a (fake) new version?

I think it's a great idea and one that should be done, if not already, but if users can't verify the authenticity of the message (and the comments on GH show even old users fell for that afore-mentioned trick!)... then it's just one more attack vector to my mind, or should we insist users always authenticate messages and builds?.

But yeah, there have been past critical upgrades that I wouldn't have known of if I didn't either visit this forum daily (I remember the past 2 or 3 Electrum vulnerabilities mentioned in the "News" line where the Latest Bitcoin Core release usually is) or check Electrum GH regularly.

Open-source software updates usually aren't some sort of notification initiated from the source. The software itself pings the repository for any new releases. So as long as you're 100% sure it's pinging the right link, a.k.a the software installed was downloaded from the original repo with no modification, there are very few attack vectors.

The latest electrum breach was NOT through messages initiated by the software. It was a feature already existing in Electrum, electrum nodes always had the ability to send messages to clients, just recently they're trying to push a version that slightly changes that, not disabling it, but removing rich-text features, and maybe explaining that the message doesn't come from the software but from the node.

I don't think it's a bad idea to implement automatic version updates for all wallets, but it might not be an easy task. Maybe for UNIX based systems, it's super easy to add a repo source and apt-update every time there's something new, but for windows operating systems you'd need to code the whole thing and integrate it into the software.

[pooya87]

i want to have the discussion in general terms not focused on Electrum, but for what it is worth the notification is not an unsolicited message that you receive from some server, it is you yourself doing the check for update but automatically and in the background. i explained how it works here https://bitcointalk.org/index.php?topic=5095856.msg49442064#msg49442064
but basically it is you going to the official website and look to see if there is a new release. on top of that, the message you receive is signed with a bitcoin private key coming from 13xjmVAB1EATPP8RshTE8S8sNwwSUM9p1P which is hardcoded. so if the electrum.org website was compromised some day, you still wouldn't get valid responses when you check for updates because the key to that address also has to be compromised.

[Artemis3]

I have always wondered why wallets aren't doing this already, specially with vulnerabilities that are found in all of them from time to time which would require immediate updates in some rare cases.
recently Electrum added this [optional] feature in its latest release [1][2], that made me want to start a discussion about pros and cons of doing something like this.

[1] https://github.com/spesmilo/electrum/commit/34c99c3b366ade7adaa919bf1f75d39fe9fcf250
[2] https://github.com/spesmilo/electrum/commit/0bfda7c8c74757d261bbc7e24eee44fa09965e85

If this is implemented PLEASE add an option to disable it. This is only needed with insecure OSes that can't keep its programs updated.., its more nags to get out of the way, part of the bad habit certain OS users get into (so many nag windows they want out of the way without reading).

The same thing applies to everything, from browsers to anything installed, now imagine everytime you open a program you get that nag.. Eww, and yes, i know some people in certain OS are already so much used to it, that they quickly close without reading, else they wouldn't be able to do any job done...

Your antivirus definitions are out of date, Wallet version x.y.z is out, Your Officesuit subscription expired, yadda, yadda, yadda...

[ABCbits]

i want to have the discussion in general terms not focused on Electrum, but for what it is worth the notification is not an unsolicited message that you receive from some server, it is you yourself doing the check for update but automatically and in the background. i explained how it works here https://bitcointalk.org/index.php?topic=5095856.msg49442064#msg49442064
but basically it is you going to the official website and look to see if there is a new release. on top of that, the message you receive is signed with a bitcoin private key coming from 13xjmVAB1EATPP8RshTE8S8sNwwSUM9p1P which is hardcoded. so if the electrum.org website was compromised some day, you still wouldn't get valid responses when you check for updates because the key to that address also has to be compromised.

Then it's similar with Alert System that Bitcoin Core used few years ago & IMO it's good solution for SPV wallet since the real risks are only private key of that address is compromised or the developer gone rogue. It's even better if Electrum Server also can share JSON message to users just in case the server is down or DDoS'ed.

But it's not ideal solution for full nodes wallet/client due to similar reason why Alert System is abandoned.

If this is implemented PLEASE add an option to disable it. This is only needed with insecure OSes that can't keep its programs updated.., its more nags to get out of the way, part of the bad habit certain OS users get into (so many nag windows they want out of the way without reading).

Don't worry, there's option to disable/enable it and user is asked to disable/enable it after install/upgrade Electrum.

[squatter]

It's like the alert system in early Bitcoin versions -- good intent, but introduces new opportunities for social engineering. Users need be cognizant of the fact that we're using Beta software and that critical bugs will happen. They need to stay informed.

I can't help but echo ETFbitcoin's sentiment that this would create a false sense of security for regular users.

[pooya87]

it is not like bitcoin core's alert system though, it seems similar but it is not the same. because of a simple but key difference:
- in the bitcoin core alert system if you had the key you could send ANY kind of message to the users because the message had a custom body which you could place anything in it. for example you could send them a message saying "come to MyScamSite.com and download newest version.
- in this there is no message. there is a hard coded website address which is the official electrum.org site. the message is also predefined, it just checks a value, it is not a custom message and it doesn't show it to the user. instead it shows another hard coded message indicating whether you are up to date or not.

[Carlton Banks]

in this there is no message. there is a hard coded website address which is the official electrum.org site. the message is also predefined, it just checks a value, it is not a custom message and it doesn't show it to the user. instead it shows another hard coded message indicating whether you are up to date or not.

It would still add a centralised point of failure; there'd have to be a website domain to serve the new version numbers from, keep the servers very secure (time and effort) and choose admins carefully for the long term (and on a technical note, Bitcoin would need to keep OpenSSL to authenticate the website's certificate, while the core devs are actually quite close to removing OpenSSL becaue they see that library as a bug-prone security risk that isn't worth taking long term). That's adding alot of resources for not much gain, because...

....the sort of people targeted by this kind of hand-holding are the same type of people who will just click on anything to stop it getting in their way. Including update notifications, however important the update may be.

Decentralisation in part means personal responsibility. Better we stick with that, IMO