Electrum v3.3.3 Enable update check?

[DireWolfM14]

I noticed something new when I updated to Electrum version 3.3.3 this morning.  When I first opened a wallet in the new version a dialog came up asking if I wanted to enable checking for updates.

After hearing the nightmares that some users have experienced in recent months with malicious update notifications this concerned me.

Does the new version block malicious servers from displaying dialog boxes?  How does the new version implement new version notifications?  Does a link pop up, or allow for auto downloads?

I'm trying to determine if the update checker is safe to use and rely on.  Most of my funds are in cold storage, and some in a Trezor Model T, but I do use Electrum for my hot wallet to transfer funds around.

I downloaded this version from https://electrum.org/#download, which I have bookmarked.  That's the only site from which I've ever downloaded Electrum, and I've checked the signatures, so I'm sure it's safe.

For security reasons we advise that you always use the latest version of Electrum.  Would you like to be notified when there is a newer version of Electrum available?

[TryNinja]

I noticed something new when I updated to Electrum version 3.3.3 this morning.  When I first opened a wallet in the new version a dialog came up asking if I wanted to enable checking for updates.

After hearing the nightmares that some users have experienced in recent months with malicious update notifications this concerned me.

Does the new version block malicious servers from displaying dialog boxes?

Since the last update, malicious customized messages from the servers show as “Unknown error”; so, we are safe from the last exploit.

How does the new version implement new version notifications?  Does a link pop up, or allow for auto downloads?

I assume it only shows that there is a new update in a pop up like this one; then, you must go to the electrum website and download yourself (don’t forget to verify signatures).

I'm trying to determine if the update checker is safe to use and rely on.  Most of my funds are in cold storage, and some in a Trezor Model T, but I do use Electrum for my hot wallet to transfer funds around.

I don’t think this is much of a big deal. You can choose to use it to get the warnings or just check the website every couple of days.

[DireWolfM14]

FYI your wallet only accept new version message if the message is signed with bitcoin address which is hard-coded on Electrum application. So you don't need worry about MITM attack or the server is compromised.

Interesting.  I assume that signature comes from a private key held by the developers?

[TryNinja]

FYI your wallet only accept new version message if the message is signed with bitcoin address which is hard-coded on Electrum application. So you don't need worry about MITM attack or the server is compromised.

Interesting.  I assume that signature comes from a private key held by the developers?

Yes.

This way, no one trying to intercept your traffic can show a fake release message.

[nc50lc]

Since this was added to the latest version: "Automatically check for software updates"
We can assume that the message was only for the fist time opening of v.3.3.3 to enable the option.
Server-side error message that was used by the hacker(s) was now disabled too (#4968), thus not another hack.
(funny how users react to pop-up messages from Electrum)

[pooya87]

I disabled the feature so i don't know the details, but i'm sure there's no auto-download/update.

that is correct. there is no automatic update, the wallet will only show you a message like this:

Code:

There is a new update available
You can download the new version from https://electrum.org/#download

https://github.com/spesmilo/electrum/blob/34c99c3b366ade7adaa919bf1f75d39fe9fcf250/electrum/gui/qt/util.py#L885-L887

Server-side error message that was used by the hacker(s) was now disabled too (#4968), thus not another hack.
(funny how users react to pop-up messages from Electrum)

they are not disabled, you still receive any weird message that the servers send you but in the new version you will only see a predefined message not anything they send you. for example if you receive a malicious message telling you to download the new version from scamsite.org the wallet will show you a message saying "Unknown error"