How safe are my funds?

[JoeyBagga]

I downloaded the Electrum wallet from the correct website a few months ago. I verified that I can indeed send funds to and from my wallet successfully. Currently running version 3.3.3.

I have yet to experience the phishing popup.

Are my funds safe as long as I stay away from any phishing scheme?

Using Electrum as my long term storage, so if anything I will be mostly sending funds periodically to the account.

Thanks!

[1714049362]

1714049362

[1714049362]

1714049362

[1714049362]

1714049362

[1714049362]

1714049362

[Rath_]

Are my funds safe as long as I stay away from any phishing scheme?

Yes, your funds will be safe as long as you don't fall for the phising you mentioned. If you decide to update it then download it from the official website and verify the signature just to be sure. However, there is no need to do so if you don't use your wallet on a daily basis.

[JoeyBagga]

Thank you for your reply.

I needed to have that peace of mind.

Can you point to any resources that can help me with the signature verification if I do decide to upgrade?

[Rath_]

Can you point to any resources that can help me with the signature verification if I do decide to upgrade?

This short guide seems to be accurate. If you need any help or encounter any problems, feel free to post here. Check Electrum changelog from time to time in case a major vulnerability is fixed in an update.

[AB de Royse777]

Some addition to BitCryptex,
OP why not use the latest version?

I mean:

- Downland the latest version from their official site: https://electrum.org/#download
- Verify the downloaded file before installing (very important step): https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
This is the PGP from ThomasV: https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc
- Now install the file.

Remember to keep your wallet file backed up in different folder or any other harddrive. Best is, to keep the seeds safe to restore the wallet. Without backing up the wallet files or seed in a safe place do not take the risk of uninstalling the Electrum software.

[JoeyBagga]

Great point. I suppose there is no reason to keep this old version running even though it is pure at the moment.

I have the seed backed up safely but do not understand what you mean by keeping the wallet file backed up.

Thanks for the feedback. 

[TryNinja]

Great point. I suppose there is no reason to keep this old version running even though it is pure at the moment.

I have the seed backed up safely but do not understand what you mean by keeping the wallet file backed up.

He meant the wallet file that is stored on %appdata%/Electrum/wallets. But don't worry. Your seed is more than enough to recover the wallet if anythings happens (it "regenerates" the wallet file).

Try to always keep it update and make sure to always verify the file signatures[1] before installing a new version.

[1] https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

[harizen]

Using Electrum as my long term storage, so if anything I will be mostly sending funds periodically to the account.

Just want to add that since you decided to used Electrum as your long term storage, there might be a time that you won't check your wallet for a while. Yes, idle for quite some time.

In that case, always check Electrum updates, if any, at the main site just to keep you updated on what's happening. Not regularly but at least occasionally. Recently, lots of Electrum users I believed got phished because of lack of information. Those are users who didn't touch their Electrum for a while.

[JoeyBagga]

Excellent advice. 100%.

[pooya87]

whenever you download binaries of an application that is security sensitive you have to only worry about two things:
1. how much you trust developer's and their code.
this trust can increase if the builds are deterministic (which i believe Electrum is) and when others are building and confirming the hashes like what bitcoin core does.

2. how to acquire the real PGP public key of the developer releasing the binaries.
https://en.wikipedia.org/wiki/Web_of_trust

everything else is meaningless. for example even if you download from actual electrum.org website you still shouldn't trust what you received.

[Lucius]

JoeyBagga, no matter if you use Electrum for long-term storage or for daily use, you should update to latest version, because that would be good security practice. There is no point in having something on your computer that poses a security risk, and the official announcement on Electrum is :

Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

If you need extra help with verifying signature, this video can help : Verifying Electrum Download Signatures via GPG4Win.

[Pmalek]

Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

Didn't it used to be versions older than 3.3.3 before? They seem to have changed this sometimes in the past to 3.3.4.
So in theory even users with version 3.3.3 (like OP in this case) could receive the phishing messages!?

[bob123]

Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

Didn't it used to be versions older than 3.3.3 before? They seem to have changed this sometimes in the past to 3.3.4.
So in theory even users with version 3.3.3 (like OP in this case) could receive the phishing messages!?

AFAIK, the vulnerability was found in 3.3.2 and the update to 3.3.3 didn't completely fix the issue.
So 3.3.4 was the first version which is safe against those phishing message shown by the electrum server.

Therefore, such a message can be shown in 3.3.3, yes.


But since the current version is 3.3.8, no one should actually be using 3.3.3. Unfortunately this is not the case yet.

[TryNinja]

AFAIK, the vulnerability was found in 3.3.2 and the update to 3.3.3 didn't completely fix the issue.
So 3.3.4 was the first version which is safe against those phishing message shown by the electrum server.

Therefore, such a message can be shown in 3.3.3, yes.

But since the current version is 3.3.8, no one should actually be using 3.3.3. Unfortunately this is not the case yet.

3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

# Release 3.3.3 - (January 25, 2019)

 * Do not expose users to server error messages (#4968)
 * Notify users of new releases. Release announcements must be signed,
   and they are verified byElectrum using a hardcoded Bitcoin address.
 * Hardware wallet fixes (#4991, #4993, #5006)
 * Display only QR code in QRcode Window
 * Fixed code signing on MacOS
 * Randomise locktime of transactions


# Release 3.3.2 - (December 21, 2018)

 * Fix Qt history export bug
 * Improve network timeouts
 * Prepend server transaction_broadcast error messages with
   explanatory message. Render error messages as plain text.

From: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

[bob123]

3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

You are right, but this makes me wonder why electrum states that versions < 3.3.4 (including 3.3.3) are vulnerable to the phishing message.

Maybe that's just a typo on their website ?

[jackg]

3.3.2 made the messages render as plain text.
3.3.3 fixed the exploit.

You are right, but this makes me wonder why electrum states that versions < 3.3.4 (including 3.3.3) are vulnerable to the phishing message.

Maybe that's just a typo on their website ?

I thought that the problem got fixed but it just stopped showing error messages altogether until they could work out how to get it to show them? So it wasn't actually a permenant fix and I'd say that means it was probably still affected by the attack (because of the usability difference).


There's noting in the changelog actually for 3.3.4. For 3.3.3, there's this: " * Do not expose users to server error messages (#4968)"

[Lucius]

Electrum if fixed problem with phishing message even in 3.3.2, not in a way that is stop that message to pop up, but just by formating that message to not show clickable phishing link. I think that version 3.3.3 is still show that message, but only as "Unknown Error", and version 3.3.4 has finally become completely immune on this attack.

Because of that Electrum is have such info on their site, all versions older then 3.3.4 is not considered safe.

[bitmover]

Your funds are safe, but if they are stored in your daily computer I would be a bit paranoid (if I hold large amounts). You may click a phishing some day and get infected by malware, many things can happen.

Did you consider buying a hardware wallet? They are cheap now (ledger nano s and trezor one), and will make your funds much safer. I needed that peace of mind, and I am very happy with mine.

They are both compatible with Electrum.