Bitcoin Forum
August 17, 2019, 11:55:22 PM *
Author Topic: How safe are my funds?  (Read 147 times)
JoeyBagga
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 07, 2019, 04:19:56 PM
 #1

I downloaded the Electrum wallet from the correct website a few months ago. I verified that I can indeed send funds to and from my wallet successfully. Currently running version 3.3.3.

I have yet to experience the phishing popup.

Are my funds safe as long as I stay away from any phishing scheme?

Using Electrum as my long term storage, so if anything I will be mostly sending funds periodically to the account.

Thanks!
BitCryptex
Hero Member
*****
Offline Offline

Activity: 672
Merit: 957


Write @BitCryptex or quote my post to notify me


View Profile WWW
August 07, 2019, 04:25:27 PM
 #2

Quote
Are my funds safe as long as I stay away from any phishing scheme?

Yes, your funds will be safe as long as you don't fall for the phishing you mentioned. If you decide to update it then download it from the official website and verify the signature just to be sure. However, there is no need to do so if you don't use your wallet on a daily basis.

JoeyBagga
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 07, 2019, 04:28:48 PM
 #3

Thank you for your reply.

I needed to have that peace of mind.

Can you point to any resources that can help me with the signature verification if I do decide to upgrade?
BitCryptex
Hero Member
*****
Offline Offline

Activity: 672
Merit: 957


Write @BitCryptex or quote my post to notify me


View Profile WWW
August 07, 2019, 04:31:38 PM
 #4

Quote
Can you point to any resources that can help me with the signature verification if I do decide to upgrade?

This short guide seems to be accurate. If you need any help or encounter any problems, feel free to post here. Check the Electrum changelog from time to time in case a major vulnerability is fixed in an update.

Royse777
Hero Member
*****
Offline Offline

Activity: 784
Merit: 820


On SALE: https://bit.ly/33avSYu


View Profile
August 07, 2019, 04:43:14 PM
 #5

Some addition to BitCryptex,
OP why not use the latest version?

I mean:

- Download the latest version from their official site: https://electrum.org/#download
- Verify the downloaded file before installing (very important step): https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
  This is the PGP from ThomasV: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
- Now install the file.

Remember to keep your wallet file backed up in a different folder or on any other hard drive. Best is to keep the seeds safe to restore the wallet. Without backing up the wallet files or seed in a safe place, do not take the risk of uninstalling the Electrum software.

JoeyBagga
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 07, 2019, 05:42:27 PM
 #6

Great point. I suppose there is no reason to keep this old version running even though it is pure at the moment.

I have the seed backed up safely but do not understand what you mean by keeping the wallet file backed up.

Thanks for the feedback.  Grin
TryNinja
Legendary
*
Offline Offline

Activity: 1106
Merit: 1418


CS <3


View Profile
August 07, 2019, 05:51:34 PM
 #7

Quote
Great point. I suppose there is no reason to keep this old version running even though it is pure at the moment.

I have the seed backed up safely but do not understand what you mean by keeping the wallet file backed up.

He meant the wallet file that is stored on %appdata%/Electrum/wallets. But don't worry. Your seed is more than enough to recover the wallet if anything happens (it "regenerates" the wallet file).

Try to always keep it updated and make sure to always verify the file signatures[1] before installing a new version.

[1] https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

harizen
Legendary
*
Offline Offline

Activity: 1624
Merit: 1145


View Profile
August 07, 2019, 06:01:37 PM
 #8

Quote
Using Electrum as my long term storage, so if anything I will be mostly sending funds periodically to the account.

Just want to add that since you decided to use Electrum as your long term storage, there might be a time that you won't check your wallet for a while. Yes, idle for quite some time.

In that case, always check Electrum updates, if any, at the main site just to keep you updated on what's happening. Not regularly but at least occasionally. Recently, lots of Electrum users, I believe, got phished because of lack of information. Those are users who didn't touch their Electrum for a while.

JoeyBagga
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
August 07, 2019, 06:19:03 PM
 #9

Excellent advice. 100%.
pooya87
Legendary
*
Offline Offline

Activity: 1736
Merit: 1801



View Profile
August 08, 2019, 03:49:34 AM
 #10

whenever you download binaries of an application that is security sensitive you have to only worry about two things:
1. how much you trust the developers and their code.
this trust can increase if the builds are deterministic (which i believe Electrum is) and when others are building and confirming the hashes like what bitcoin core does.

2. how to acquire the real PGP public key of the developer releasing the binaries.
https://en.wikipedia.org/wiki/Web_of_trust

everything else is meaningless. for example even if you download from actual electrum.org website you still shouldn't trust what you received.
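
Added example (not part of the thread and not Electrum's own tooling): a shell check for the verification step in posts #5 and #10 that accepts a download only when gpg reports a valid signature from a key whose fingerprint you pinned beforehand. The file names and the fingerprint argument are placeholders; the real fingerprint has to come from a channel you trust.

```shell
#!/bin/sh
# Added example. File names and the fingerprint passed in are placeholders.
# Import the developer key first, e.g.  gpg --import ThomasV.asc

# signed_by FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names FPR as the signing key (field 3) or as its primary key (last field)
# and no BADSIG line is present.
signed_by() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release FILE SIGFILE FPR
# "Good signature" only means some key in the local keyring signed the file;
# the machine-readable status is compared with the pinned fingerprint instead.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    printf '%s\n' "$status" | signed_by "$3"
}

# Usage: sh verify.sh <download> <download.asc> <pinned fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: signed by the pinned key"
    else
        echo "FAIL: do not install" >&2
        exit 1
    fi
fi
```

A signature made by any other key in the keyring, including one imported from a look-alike site, fails this check even though plain `gpg --verify` would print "Good signature" for it.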

Lucius
Legendary
*
Offline Offline

Activity: 1512
Merit: 1283


Fortis Fortuna Adiuvat


View Profile WWW
August 08, 2019, 09:55:47 AM
 #11

JoeyBagga, no matter if you use Electrum for long-term storage or for daily use, you should update to the latest version, because that would be good security practice. There is no point in having something on your computer that poses a security risk, and the official announcement on Electrum is:

Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

If you need extra help with verifying the signature, this video can help: Verifying Electrum Download Signatures via GPG4Win.

Pmalek
Legendary
*
Offline Offline

Activity: 1036
Merit: 1130



View Profile
August 08, 2019, 10:17:43 AM
 #12

Quote
Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

Didn't it use to be versions older than 3.3.3 before? They seem to have changed this sometime in the past to 3.3.4.
So in theory even users with version 3.3.3 (like OP in this case) could receive the phishing messages!?

bob123
Legendary
*
Offline Offline

Activity: 994
Merit: 1382



View Profile WWW
August 08, 2019, 11:10:36 AM
Merited by Pmalek (1)
 #13

Quote
Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.
Didn't it use to be versions older than 3.3.3 before? They seem to have changed this sometime in the past to 3.3.4.
So in theory even users with version 3.3.3 (like OP in this case) could receive the phishing messages!?

AFAIK, the vulnerability was found in 3.3.2 and the update to 3.3.3 didn't completely fix the issue.
So 3.3.4 was the first version which is safe against those phishing messages shown by the electrum server.

Therefore, such a message can be shown in 3.3.3, yes.


But since the current version is 3.3.8, no one should actually be using 3.3.3. Unfortunately this is not the case yet.

TryNinja
Legendary
*
Offline Offline

Activity: 1106
Merit: 1418


CS <3


View Profile
August 08, 2019, 12:22:44 PM
Merited by Pmalek (1), bob123 (1)
 #14

Quote
AFAIK, the vulnerability was found in 3.3.2 and the update to 3.3.3 didn't completely fix the issue.
So 3.3.4 was the first version which is safe against those phishing messages shown by the electrum server.

Therefore, such a message can be shown in 3.3.3, yes.

But since the current version is 3.3.8, no one should actually be using 3.3.3. Unfortunately this is not the case yet.

3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

Quote
# Release 3.3.3 - (January 25, 2019)

 * Do not expose users to server error messages (#4968)
 * Notify users of new releases. Release announcements must be signed,
   and they are verified by Electrum using a hardcoded Bitcoin address.
 * Hardware wallet fixes (#4991, #4993, #5006)
 * Display only QR code in QRcode Window
 * Fixed code signing on MacOS
 * Randomise locktime of transactions


# Release 3.3.2 - (December 21, 2018)

 * Fix Qt history export bug
 * Improve network timeouts
 * Prepend server transaction_broadcast error messages with
   explanatory message. Render error messages as plain text.
From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

bob123
Legendary
*
Offline Offline

Activity: 994
Merit: 1382



View Profile WWW
August 08, 2019, 12:33:08 PM
 #15

Quote
3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

You are right, but this makes me wonder why electrum states that versions < 3.3.4 (including 3.3.3) are vulnerable to the phishing message.

Maybe that's just a typo on their website?

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1470
Merit: 1288


https://bit.ly/2FR9nyn - free python tutorials


View Profile
August 08, 2019, 12:49:08 PM
 #16

Quote
3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

You are right, but this makes me wonder why electrum states that versions < 3.3.4 (including 3.3.3) are vulnerable to the phishing message.

Maybe that's just a typo on their website?

I thought that the problem got fixed but it just stopped showing error messages altogether until they could work out how to get it to show them? So it wasn't actually a permanent fix and I'd say that means it was probably still affected by the attack (because of the usability difference).

There's nothing in the changelog actually for 3.3.4. For 3.3.3, there's this: " * Do not expose users to server error messages (#4968)"


Lucius
Legendary
*
Offline Offline

Activity: 1512
Merit: 1283


Fortis Fortuna Adiuvat


View Profile WWW
August 09, 2019, 10:24:49 AM
 #17

Electrum fixed the problem with the phishing message even in 3.3.2, not in a way that stops that message from popping up, but just by formatting that message so it does not show a clickable phishing link. I think that version 3.3.3 still shows that message, but only as "Unknown Error", and version 3.3.4 has finally become completely immune to this attack.

Because of that, Electrum has such info on their site: all versions older than 3.3.4 are not considered safe.

bitmover
Hero Member
*****
Offline Offline

Activity: 574
Merit: 957



View Profile
August 09, 2019, 11:06:50 AM
 #18

Your funds are safe, but if they are stored on your daily computer I would be a bit paranoid (if I held large amounts). You may click a phishing link some day and get infected by malware, many things can happen.

Did you consider buying a hardware wallet? They are cheap now (Ledger Nano S and Trezor One), and will make your funds much safer. I needed that peace of mind, and I am very happy with mine.

They are both compatible with Electrum.
