jerry0 (OP)
February 10, 2019, 08:54:24 PM

I am using electrum 3.0.5. I still have some amount of btc there as i previously transferred it to a hardware wallet. I have not tried to open my electrum wallet on my windows laptop for a while after hearing people talk about all the issues with the update and those scams going on.

1. First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message? Or it only will show me this message if i try to send btc? Or i might not even get this message and i could send the btc? The other thing is if you do receive this message, i assume you can close that message as say no or x it out? Is it clicking no or closing the message by x'ing it out?

At the moment, I want to send the btc i have in my electrum to my hardware wallet. Thus that way, i don't want to use the electrum wallet anymore at least for now. But i have not opened the program once due to all the issues with electrum. What is the best method for me to do this right now?

2. Should i just go to www.electrum.org and download the newest up to date electrum on the website? As long as you don't download electrum from github or those other links, are you fine? Someone mentioned that as long as you download it from the official site... you are fine. Is this true or false? Because i think i recalled reading that the hacker posted the fake link on their site for a short duration where anyone that downloaded electrum from the official site downloaded that malicious file? Or is this not true?

TryNinja
February 10, 2019, 09:15:34 PM

> 1. First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message? Or it only will show me this message if i try to send btc? Or i might not even get this message and i could send the btc? The other thing is if you do receive this message, i assume you can close that message as say no or x it out? Is it clicking no or closing the message by x'ing it out?

If you open your wallet and end up selecting a malicious server (server selection is random by default), you will get a fake update message whenever you try to make a transaction. The message itself doesn’t do anything. It’s all a phishing attempt and you will only be affected if you believe the message and download the fake update from a fake website (that isn’t electrum.org).

> At the moment, I want to send the btc i have in my electrum to my hardware wallet. Thus that way, i don't want to use the electrum wallet anymore at least for now. But i have not opened the program once due to all the issues with electrum. What is the best method for me to do this right now?

Download the latest version from ELECTRUM.ORG (that’s the ONLY legit website). Those will mitigate the attacks and if you end up connected to a malicious server, it will show only an “unknown error” message instead of the fake update message. Then, just select a different server manually or restart the wallet to connect to another one automatically.

> 2. Should i just go to www.electrum.org and download the newest up to date electrum on the website? As long as you don't download electrum from github or those other links, are you fine? Someone mentioned that as long as you download it from the official site... you are fine. Is this true or false? Because i think i recalled reading that the hacker posted the fake link on their site for a short duration where anyone that downloaded electrum from the official site downloaded that malicious file? Or is this not true?

Yes. That’s true. The only vulnerability is the possibility of sending fake messages to the users on their servers, so they can be lured into downloading a malware wallet.

jerry0 (OP)
February 11, 2019, 12:59:14 AM

thanks for that information. So if there is that fake update message, you can close it just like that by x'ing it? okay so just to confirm this. No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious? I thought i was pretty sure someone mentioned this was a case with a few others?

jackg
February 11, 2019, 01:58:43 AM

There aren't any recent cases. It can't hurt to validate the signatures. If you have a phone, you can download electrum and make a watching only wallet, take your computer offline and run electrum. Then click to send the funds to an address, hit preview and sign. Then get the QR code (between copy and export) and scan it with the send tab on your phone and click broadcast.
Alternatively you can just keep using the old version but I'm not sure if 3.0.5 has the json rpc vulnerability so make sure you hit broadcast. You can get the message on all but the latest versions of electrum desktop, it doesn't appear at all on android electrum though if it's not much...

joniboini
February 11, 2019, 02:58:02 AM

> No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious? I thought i was pretty sure someone mentioned this was a case with a few others?

It's a false positive (if you're talking about the installer being identified as a virus). You can always verify the files though, and make it your regular practice if you're in crypto in order to increase your security. You can also check out the official GitHub and verify the code/build it by yourself if you don't trust the official website (though I don't find any reason to do so). Vulnerabilities that were recently mentioned/surfaced can be avoided easily if users have enough awareness and always verify any files before they use them.

jerry0 (OP)
February 11, 2019, 03:03:50 AM

Well i don't know how to do the verification etc. Someone mentioned this and this is confusing for someone that is not computer savvy. But has there been any case of anyone that has downloaded electrum from the official www.electrum.org site and had an issue?

nc50lc
February 11, 2019, 03:15:24 AM

> -snip- But has there been any case of anyone that has downloaded electrum from the official www.electrum.org site and had an issue?

So far, no one. But you might wanna double-check if it was bookmarked or a google search result, there has been a fake site with a big letter i for an "L", like this: eIectrum; users who don't use serif fonts won't notice the difference.

DireWolfM14
February 11, 2019, 03:57:36 AM

> 1. First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message?

No.

> Or it only will show me this message if i try to send btc?

If your transaction happens to be accepted by one of the compromised servers, yes.

> Or i might not even get this message and i could send the btc?

Yes, this is the most likely outcome.

> The other thing is if you do receive this message, i assume you can close that message as say no or x it out? Is it clicking no or closing the message by x'ing it out?

Yes, that also works.

> Should i just go to www.electrum.org and download the newest up to date electrum on the website?

That's what I would do. Only download Electrum from https://electrum.org/#home.

If you are concerned about the safety of using electrum, keep in mind: your security is your responsibility. If I were you, I would do as you've described in your second point; update to the latest version before accessing your wallet. But before you install the latest version of electrum learn to verify the signature. Learning to check the signature, and doing so every time you download an updated version should put your mind at ease when using electrum. It really is one of the best desktop wallets to use, and it's worth learning to use it safely.

For verifying the download I use Gpg4win.

pooya87
February 11, 2019, 04:58:03 AM

> okay so just to confirm this. No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious? I thought i was pretty sure someone mentioned this was a case with a few others?

there are two problems here.
1. you may think you are visiting the real website but you really aren't. for example your browser might have redirected you to a similar looking website as @nc50lc explained above and you may not notice it.
2. the website may be compromised. it is just a website after all, and not immune to hacks. a hacker might have injected a malicious software there.

so what is the solution you ask? it is pretty simple, get in the habit of verifying PGP signatures of whatever you download with the real public key of the developer. what i mean by "real" is about the concept of "web of trust". in short it is about gaining the public key in a way that it can't be faked. like asking a friend to send the key via SMS, physical mail or sign it with his own public key which you already have. or at the very least checking multiple sources to see if the key you see on the website is the same as you see elsewhere like on Github,...

this is the key by the way: 0x2BD5824B7F9470E6
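
The check pooya87 describes above, as an added example that is not part of the original thread: a POSIX shell wrapper that accepts a download only when gpg reports a valid signature from the key ID quoted in the post. The function names, file arguments and sample status lines are constructed for illustration, and the signer's key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example (not from the thread): accept a download only when gpg reports
# a valid signature made by the expected key.
# Long key ID as quoted in the thread. Pinning the full 40-hex fingerprint,
# confirmed from several sources, is the stricter form of the same check.
EXPECTED_KEYID="2BD5824B7F9470E6"

# Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line names
# a primary-key fingerprint ending in $1 and no bad/revoked/expired result
# was reported for any signature on the file.
status_has_expected_sig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3   # field 12 = primary key fingerprint
            tail = substr(fpr, length(fpr) - length(want) + 1)
            if (length(fpr) >= length(want) && toupper(tail) == toupper(want))
                ok = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# Usage: verify_download SIGNATURE_FILE DOWNLOADED_FILE
# Assumes the signer's public key is already in the local keyring.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_has_expected_sig "$EXPECTED_KEYID"
}

# Constructed status output (leading fingerprint digits zeroed because the
# thread gives only the long key ID; signer name and dates are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000002BD5824B7F9470E6 2019-02-01 1549000000 0 4 0 1 8 00 0000000000000000000000002BD5824B7F9470E6'
# A cryptographically valid signature, but from some other key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Other <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-02-01 1549000000 0 4 0 1 8 00 1111111111111111111111111111111111111111'
# The file does not match the signature.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2BD5824B7F9470E6 Constructed Signer <signer@example.invalid>'

for sample in "$SAMPLE_GOOD" "$SAMPLE_OTHER_KEY" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | status_has_expected_sig "$EXPECTED_KEYID"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```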

jerry0 (OP)
February 11, 2019, 05:11:57 AM

How do i verify the pgp signature is legit before i download it? Do i need to right click it or what do i need to do to make sure the link is legit? Again this is complicated for someone like me that isn't that computer savvy. Though using electrum would be considered tech savvy for most users. Well if i manually type in the website in my address bar on chrome www.electrum.org and then click enter... that is still not safe? When i type in electrum on google, i see an electrum.org link on the first one showing and am sure that is the legit one as i have clicked on that link before a while back when i did an update. Thanks.

jerry0 (OP)
February 11, 2019, 05:13:39 AM

You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum. But i also have the option to x the message right and cancel the transaction? But most likely the outcome is when i try to send btc now, i won't get the message?

Abdussamad
February 11, 2019, 09:42:44 AM

Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.

Lucius
February 11, 2019, 02:31:48 PM

> You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum. But i also have the option to x the message right and cancel the transaction? But most likely the outcome is when i try to send btc now, i won't get the message?

Since you are still using 3.0.5 version there is a possibility that such message can pop up if you are connected to bad server. But there is no danger to your transaction, only danger is if you follow link posted in message and download fake Electrum. Problem is solved in latest version 3.3.3, instead of receiving such messages, user can only get error message if it is connected to a bad server.

> it is funny those servers are still there to have questions like this (where are you electrum developers why bad servers are still in the servers list for users to connect to?).

I think developers can not remove bad servers from server list, everyone can set up server and there is no way to determine which one is bad or good. Even if they remove them, hackers can add more new servers much faster than they can be removed. In short, Electrum is not perfect wallet.

jerry0 (OP)
February 11, 2019, 05:20:16 PM

Hey all. So just to confirm. Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else? But if i get that message, then i close it. Then i close electrum. Then go to the official electrum site and download electrum?
Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.
Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it? So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it? Or do you have to download it fully and also go through the installation process?

TryNinja
February 11, 2019, 05:36:30 PM
Last edit: February 11, 2019, 06:21:19 PM by TryNinja

> Hey all. So just to confirm. Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else? But if i get that message, then i close it. Then i close electrum. Then go to the official electrum site and download electrum?

You should just download the latest version right now. If for some reason you want to keep using 3.0.5, ignore the message and restart Electrum to get a new server or change it manually.

> Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.

Nothing bad will happen unless you download the fake Electrum.

> Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it? So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it? Or do you have to download it fully and also go through the installation process?

Just download the latest version. Why try to send anything with the vulnerable version? And no, it’s not a “click and you’re doomed” thing. You would have to download and run it.

Lucius
February 11, 2019, 05:42:44 PM

> Hey all. So just to confirm...

There is no danger for your coins even if you use Electrum 3.0.5, that message may appear, but it certainly does not affect security of the wallet. Only danger is if you click on link posted in that message and manually download fake wallet, nothing happens automatically. If that message appears just close it with x, and then change server by clicking on Tools -> Network -> Select any other server -> Untick option "Select server automatically". Check post from Abdussamad if you need more detailed explanation (with pictures).

DireWolfM14
February 11, 2019, 10:18:37 PM

> > For verifying the download I use Gpg4win.
> gpg4win has a signature to verify file? Or how to verify gpg4win?

Lol, you need to install it before you can validate it. The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs. If you get something that isn't trusted by your AV, stop.

TryNinja
February 11, 2019, 11:21:01 PM

> Lol, you need to install it before you can validate it. The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs. If you get something that isn't trusted by your AV, stop.

Please don’t... all that the AVs do is check for malware signatures. This means that if a piece of software doesn’t have a signature that matches with one in their database, it won’t flag as a virus. This doesn’t say sh*t about the legitimacy of a software. You could use a fake version of gpg4win that shows a specific software signature as legit even if it's not and it wouldn’t be flagged by your AV.

Btw, Electrum is commonly flagged as a trojan by many AVs. Does that mean I should “stop”?

pooya87
February 12, 2019, 03:47:24 AM

> > > For verifying the download I use Gpg4win.
> > gpg4win has a signature to verify file? Or how to verify gpg4win?
> Lol, you need to install it before you can validate it. The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs. If you get something that isn't trusted by your AV, stop.

i believe he is talking about checking the signature of GPG4Win itself as like any other application this .exe file is also being released with a signature. like this is for the last version: https://files.gpg4win.org/gpg4win-3.1.5.tar.bz2.sig

so verifying its signature looks a bit odd since the application you use for signature verification is the same thing you want to verify! here is the documentation for how to do it though: https://www.gpg4win.org/package-integrity.html

you can also check it using Linux since most of them already come with GPG installed.

Abdussamad
February 12, 2019, 10:29:58 AM

> > Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.
> gpg4win has a signature to verify file? Or how to verify gpg4win?

They use code signing. More details here: https://www.gpg4win.org/package-integrity.html