Electrum replacement needed.

[rokkyroad]

Can anyone recommend a light wallet for btc? Must have a linux version. Multibit was fine but its been abandoned. I have 0 trust in Electrum.

I do have Jaxx and Exodus for scraps but I don't trust these do it all wallets with btc.

[TryNinja]

I have 0 trust in Electrum.

Why? Because of the recent phishing attack?

The Electrum wallet is probably the only SPV wallet I trust. Even with the recent vulnerability, which was “only” showing messages and never really risked anyones funds directly.

[rokkyroad]

I have 0 trust in Electrum.

Why? Because of the recent phishing attack?

The Electrum wallet is probably the only SPV wallet I trust. Even with the recent vulnerability, which was “only” showing messages and never really risked anyones funds directly.

Are you serious? 200 + btc stolen and you downplay it. Come on.

[TryNinja]

Why? Because of the recent phishing attack?

The Electrum wallet is probably the only SPV wallet I trust. Even with the recent vulnerability, which was “only” showing messages and never really risked anyones funds directly.

Are you serious? 200 + btc stolen and you downplay it. Come on.

Yes. I’m not “downplaying” anything. I’m saying that even with the vulnerability, Electrum is pretty safe. If those users didn’t download the fake wallet (or verified the signatures), they wouldn’t have lost anything.

AGAIN, I’m not saying it’s the users’ fault. I’m just saying thet while I consider this a major exploit from the point of making people easily trust the messages, it’s not a direct issue with the code. At the end of the day, Electrum is way far ahead than most other wallets.

[theymos]

Wasabi is probably the next best, though it's certainly missing a ton of features compared to Electrum. Nothing lightweight comes close to Electrum's features.

Wasabi recently passed bitcoin.org's strict criteria for being listed.

[BitMaxz]

You can choose other wallets instead if you don't feel safe on using electrum there are some other options but I'm not sure if which wallet is the safest to use nowadays. You can check some other Linux wallet option from here https://bitcoin.org/en/wallets/desktop/linux/

One of the wallet that I know safe is a green address this is my own alternative wallet but I can not guarantee that this wallet is 100% safe. I haven't experienced any issue yet while you using it. It is good for a temporary wallet while the electrum still in phishing attacks.

[rokkyroad]

Thanks for the suggestions. I'll check out wasabi and greenaddress.

[pooya87]

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

[Mister1k]

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

Last hack issue on electrum caused this kind of thinking on having electrum wallet. I see there is no issue on last updated one on electrum. That will be perfect to have since the issue has been solved already.

wasabi is recommended by our admin hence op take it serious and then still there is not security complaints on wasabi so it does not cause the harm to users so security is there.

[bob123]

[...]
AGAIN, I’m not saying it’s the users’ fault.
[...]

Let's be honest.. it was the fault of every single user who fell for this phishing scam.

Nothing is wrong with electrum security-wise. Some malicious electrum server exploited a low-severity-vulnerability in electrum to show a (very unprofessional) message (that's all they could do).

Electrum has never notified user about an update this way.
Each user who fell for this and downloaded the faked wallet without verifying the signature is fully responsible for their own loss.


@OP:
You have 0 trust in electrum, but use jaxx and exodus?
Both of them have already been proven to be exploitable (multiple times) which can easily result in a loss of funds / private keys.

Yet, there only was one severe vulnerability in electrum (the RPC vuln) which also required to have no password set in order to be really exploitable regarding stealing funds / private keys.

[rokkyroad]

Yes, I have a few "scraps" in Jaxx and Exodus. Losing those scraps would not be a hardship. For the record, I did not lose funds from the recent electrum exploit but I am pissed off it happened. It would have been a huge loss for me. So, ya, I dodged a bullet.

Blaming unsuspecting users is not fair. Not everyone is as savvy as you. It's ok to be smug when you're not the ones that got hit.

Why do I keep seeing fresh reports of lost coins if people are being warned via electrums wallet?

There seems to be a concerted effort to downplay the exploit when in fact it was serious shit.

[HCP]

There are still people falling for the "Dear sir, you have won $60million USD in Nigerian State Lottery" emails... there are still people falling for the "Hello, I am calling from Microsoft Security about virus on your computer" phone calls...

Try as hard as you can, you simply cannot protect people from themselves... Unfortunately, some are going to learn "the hard way"™ about security and personal responsibility when dealing with cryptocurrency

Was the recent exploit serious... yes... was it downplayed... No. There was even a "News" link at the top of all Bitcointalk pages by Theymos warning about it when it first happened. The exploit is now weeks old and it has been patched. If users are not updating and not staying up to date when dealing with their personal finances, you cannot blame the software developers for this.

I've said it multiple times... "Be your own bank" also implies "Be your own Bank's security department".

[rokkyroad]

I'm pretty sure the majority of users do not check bitcointalk for wallet warnings. They tend to show up after they're hacked.

Assume the hacked ones downloaded electrum from the proper place and verified the download. I'm sure they never expected a message from the wallet to update, to be anything but above board.

Yes, I agree people should have disregarded the message and went to electrum.org to get and verify the new version. You can't fairly make this a comparison to Nigerian and Microsoft scams. It was unexpected and pretty damned slick.

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

[HCP]

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

Don't trust, verify!

Which is why, regardless of the fact that I always download Electrum from electrum.org... I will always verify the digital signature before installing and using it. I also always check the Electrum website on a semi-regular basis to look for updates.

In my opinion, Electrum isn't "dodgy"... and at the end of the day... the real blame lies at the feet of the scumbags executing these attacks. 

[pooya87]

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

Last hack issue on electrum caused this kind of thinking on having electrum wallet. I see there is no issue on last updated one on electrum. That will be perfect to have since the issue has been solved already.

wasabi is recommended by our admin hence op take it serious and then still there is not security complaints on wasabi so it does not cause the harm to users so security is there.

that is a dangerous way of thinking.
there are no 100% secure applications. there is always going to be some exploits in every code without an exception. it has been like this for as long as computer programming existed. thinking there is no more issues with Electrum or thinking there is no issues with other wallets is going to result in carelessness and losses.

[Wind_FURY]

For the newbies reading.

Use the Green Address wallet. It uses Segwit addresses that start with a "3" by default. You will not have any problems with compatibility when you're sending coins to a legacy address, unlike Electrum which uses the incompatible Bech32 address format as a default.

https://greenaddress.it/en/

With Green Address, there's no need to generate a BIP39 seed to use in Electrum, in generators like Ian Coleman's, https://iancoleman.io/bip39/

[bob123]

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

Don't trust, verify!

Which is why, regardless of the fact that I always download Electrum from electrum.org... I will always verify the digital signature before installing and using it. I also always check the Electrum website on a semi-regular basis to look for updates.

In my opinion, Electrum isn't "dodgy"... and at the end of the day... the real blame lies at the feet of the scumbags executing these attacks. 

verify what if he doesnt trust the developer?

Simple.. The source code.

Electrum is completely open source.

And if you don't trust the developer, simply check the whole code at github.
You only need to verify the source code once, then after each update you will simply be looking at the commits only to make sure no backdoor whatsoever has been built in.

You can even build it yourself from source if you don't want to download a prebuilt binary.

[bob123]

he doesnt trust developer.

Yes, thats why i have suggested to check the source code.

You can always trust the source code.

Prebuilt binary and source code do the same things (show everything from servers to users, not show security alerts).

Of course they do the same thing. But you are SURE that the program is doing what it is supposed to do.
You are eliminating the risk of the source code and the binary being actually 2 different programs (e.g. prebuilt binary including backdoor).

There is a good reason to "not show security alerts". This offers way too much room for exploitation and would create new potential attack vectors.


Each user IS and SHOULD responsible for his/her own security.
If you are depending on others to tell you when it is safe or not safe to use a software, you are doing something wrong.

So if he wants to build from source code he has to fix source code first but he is not a developer. Solution? "Electrum replacement needed"

There is nothing which needs to be fixed currently.

Also he didn't mention anywhere that he is not a developer, even tho its pretty probable, it's just what you are assuming.


I don't understand the big crying about this "vulnerability". All it allowed was to show a message from the electrum server.
That's nothing security-related at all.

This wouldn't even get a CVSS score of 3 of 10 (i calculated it myself). That's definitely just low severity.

[TryNinja]

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

[TryNinja]

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

uh Legendary you are smarter than Microsoft and Bill Gates

Look at what I found. Where is your god (Bill Gates) now?

The Microsoft Security Response Center uses this PGP key to sign all security notifications and encourages others to use this key when sending sensitive information to us. You should send all security vulnerability reports to secure@microsoft.com.

https://www.microsoft.com/en-us/msrc/pgp-key-msrc