Electrum wallet - Update safely and avoid phishing wallets?

[tbct_mt2]

ELECTRUM - UPDATE SAFELY AND AVOID PHISHING WALLETS ?

Electrum wallet is one of most favorite non-custodial bitcoin wallets. This wallet is light, high trusted, and has advanced features that some low-quality bitcoin wallets don't have.

It is natural that all wallets have to be upgraded by their developers and by users over time. Unfortunately, there is a fact

The more popular a software is, the more people have looked at it.

Today, I give you all - who have not yet known how to update your Electrum wallet safely - to know how to do it safely.

Let's get started by the first step to know when your Electrum wallet is outdated.
Help > Check for updates. (first image); then you will see this popped up windows (second image)

       

Now, what should you do to download newest version of Electrum?
I believe what most of you will do is clicking on the available link in popped up windows.
"You can download the new version from https://electrum.org/#download"
Is this what you should do?
NO! You will be under risks if doing this.
This is the first important step that you have to avoid.
There was attacks on Electrum wallets months ago, directly on links provide in their wallets.
Electrum vulnerability allows arbitrary messages, phishing
Such attacks might occur anytime in the future, so just be careful.

In reality, there are more other types of phishing sites, this one is an example, so you have to take care yourself by being very carefully download Electrum wallet.

Do you see that little fleck of dust under the domain name in the left screenshot? Actually not dust. Enable show_punycode in Firefox in order to avoid phishing URLs.

Source: https://twitter.com/ElectrumWallet/status/1144678604523147265?s=20

The correct way to download Electrum wallet is: Visiting their website, and check for newest version
How?
Please type: electrum.org, then you will be directed to https://electrum.org/#home
Please do neither trust given link in wallet nor link in your browser bookmark, google search.
Only trust in your memory with the site address: electrum.org

You can see that Electrum provides a warning at their Home page:

To download, you click on Download button, then visit that page: https://electrum.org/#download
Next, just choose which ones are suitable for your need and your devices.

What to do next after finishing downloading wallet? Installing it instantly?
NO! You will be under risks if doing this.
You have to do two things:

• Checking your seeds backup: Checking wallet seeds and compare to what your wrote in your seeds backup (on paper, whatever)
• Verifying GPG signature that signed by ThomasV

Checking your seeds backup:
Wallet > Seeds > Enter wallet password (if you set password - of course you should set strong password - for your Electrum wallet).

Verifying GPG signatures that signed by ThomasV:
This step is to make sure that the wallet version you just download is official one, not phishing one and contains malwares. You will lose your bitcoin if you download and install fake Electrum wallets.

make sure to verify the pgp signature of electrum before installing (installer) or running (appimage) it.

Tutorials to verify GPG signatures

GPG signatures are a proof that distributed files have been signed by the owner of the signing key. For example, if this website was compromised and the original Electrum files had been replaced, signature verification would fail, because the attacker would not be able to create valid signatures. (Note that an attacker would be able to create valid hashes, this is why we do not publish hashes of our binaries here, it does not bring any security).

In order to be able to verify GPG signatures, you need to import the public key of the signer. Electrum binaries are signed with ThomasV's public key. On Linux, you can import that key using the following command: gpg --import ThomasV.asc. Here are tutorials for Windows and MacOS. When you import a key, you should check its fingerprint using independent sources, such as here, or use the Web of Trust.

Tutorials for:

• Windows
• MacOS

After successfully verify ThomasV's GPG signatures, you are safe to use your Electrum wallet for your bitcoin.

SUMMARY
[1] Check for updates from official website (can check from wallet first, then re-check on official website)
[2] Always type site address to visit it: electrum.org
[3] Verify ThomasV's GPG signatures before installing new wallet versions
[4] Do all these three steps before doing bitcoin transactions in your newly updated wallet.



Read more, to have more fears on fake, phishing Electrum wallets, and being more careful.
[Warning]: Another Electrum Phishing site on the loose
⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated)
Electrum vulnerability allows arbitrary messages, phishing

[jseverson]

It is natural that all wallets have to be upgraded by their developers and by users over time. Unfortunately, there is a fact

The more popular a software is, the more people have looked at it.

I just want to point out that more people looking into Electrum is good under the original context of the quote. bob123 was basically saying that plenty of people with the technological know-how have already reviewed its code considering its popularity, meaning you don't necessarily have to review it yourself, and that you need to trust the developer less. I'm not saying that popularity doesn't have its downsides, but it's one of the reasons why Electrum is generally considered trustworthy.

[pooya87]

~ plenty of people with the technological know-how have already reviewed its code considering its popularity, meaning you don't necessarily have to review it yourself, and that you need to trust the developer less.

note that in most cases if you are downloading the binaries instead of the source code and compiling it yourself, you are still trusting the developer 100% because you are running a closed source application when you download the compiled version.
although there is a simple (to use but complicated to create) solution to this and i only know two wallets that do it, it is called "deterministic builds". bitcoin core and Electrum are the only wallets that i know of which do this. it means if you compile the code you will end up with the same binaries (eg. both have the same hash). so you could verify if for example the .exe that Electrum releases is the same thing as their source code or if it is different.

[Kakmakr]

This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  

The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.    

[tbct_mt2]

This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  
~snip~
Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.    

People mostly want to do easy things, like upgrading their wallets by available links inside wallets

The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

In my opinion, everything gives users automatic supports will put them under higher risks. Over time, they will become lazier, that in turn will force them under higher risks of attacks from abusers.
For example: Around ten years ago, I do believe that we all remember phone numbers very well, because we had to tap on phone keyboards in order to make phone calls. Since the technical revolution of smart phones, originated by Apple, nowadays, most of us don't remember too many phone numbers.

[Kakmakr]

This is a very good thread, so I will give you some merit for the effort that you put in to compile it, but I think most "newbies" might find this whole process too daunting to simply "update" their wallet.  
~snip~
Most people are just used to clicking on the "update" button for their software and the software will automatically update without any problems.   

People mostly want to do easy things, like upgrading their wallets by available links inside wallets

The fact that most of these software "updates" and "firmware updates" on hardware wallets are so complex, makes it easy for lazy and newbie people to make mistakes. Wallet providers should develop automated processes to check for the validity of the software updates signature to protect their customers.

In my opinion, everything gives users automatic supports will put them under higher risks. Over time, they will become lazier, that in turn will force them under higher risks of attacks from abusers.
For example: Around ten years ago, I do believe that we all remember phone numbers very well, because we had to tap on phone keyboards in order to make phone calls. Since the technical revolution of smart phones, originated by Apple, nowadays, most of us don't remember too many phone numbers.

I would rather automate it, than having 1000's of people's wallets emptied, because they did not know how to verify a signature to validate a legitimate update. Also, when you make things too complicated, it creates a psychological barrier to entry for people who are not educated or intellectually challenged to adopt this technology. 

Technology helps us to make life easier and to improve on ineffective ways of doing things. Having to remember 1000's of telephone numbers are not practical at all and you can now send a message to say 300 people in seconds on a WhatsApp group. <We have community groups, where people report security issues within seconds and criminals in our area are tracked via mobile phones with messages that are send by members of the group and forwarded to law enforcement.>   

[tbct_mt2]

I would rather automate it, than having 1000's of people's wallets emptied, because they did not know how to verify a signature to validate a legitimate update. Also, when you make things too complicated, it creates a psychological barrier to entry for people who are not educated or intellectually challenged to adopt this technology.  

Technology helps us to make life easier and to improve on ineffective ways of doing things. Having to remember 1000's of telephone numbers are not practical at all and you can now send a message to say 300 people in seconds on a WhatsApp group. <We have community groups, where people report security issues within seconds and criminals in our area are tracked via mobile phones with messages that are send by members of the group and forwarded to law enforcement.>  

I agree to disagree. Having automatic update-checking feature is good, but wallet should have (at least) a warning message that reminds people to verify wallet manually. This will play as a second-security layer, and is only good for people, not bad.
The warning message should contain links to: official website (from which they will check official announcement on latest wallet version); and wallet verification guide.

Technical revolution help human life become easier and more comfortable, but totally relying on automatically technical process is always bad, especially for such highly interested and vulnerable asset like bitcoin in particular and crypto currencies in general.

[ice18]

Nice info but a normal user of electrum wallet usually do the simplest way to update the software without checking the authenticity of it especially if the process is a little bit techy like verifying the GPG signatures that needs another 3rd party software like Gpg4win on windows, Is there any other way to verify our electrum wallet besides stated above?

[tbct_mt2]

Nice info but a normal user of electrum wallet usually do the simplest way to update the software without checking the authenticity of it especially if the process is a little bit techy like verifying the GPG signatures that needs another 3rd party software like Gpg4win on windows, Is there any other way to verify our electrum wallet besides stated above?

I think it is easy to follow those steps to verify wallet. Nothing is easy for the first time, even installing Windows, so people have to try hard for the first time.

Verifying Electrum wallet after downloading it from official website is secondary protection from phishing attempts.

I want to re-emphasize that people should never upgrade their Electrum wallet (or other wallets too) by using direct link given in their wallets. Wallets might give warning message that there is new version and ask for upgrade but people (after seeing such wallet upgrade warnings) should visit to official websites to check that there is actually new version or not. If there is new version (on official websites), they can start to download.

After downloading, they can move further by verifying wallets, but I think if they download from official websites, they will be nearly free from phishing attempts. They should do verify, nevertheless, just to be recheck and to be safer.

Relates to official websites, they should not search from Google. Instead of searching, they should remember exactly website address or note those sites on their own ways. Bookmarking on web browsers can be compromised too.

[bitmover]

After downloading, they can move further by verifying wallets, but I think if they download from official websites, they will be nearly free from phishing attempts. They should do verify, nevertheless, just to be recheck and to be safer.

Relates to official websites, they should not search from Google. Instead of searching, they should remember exactly website address or note those sites on their own ways. Bookmarking on web browsers can be compromised too.

You need to be careful with links always, not only when downloading a wallet.

I always try to search on official media channels, like Reddit, Bitcointalk Ann, Facebook, etc. If all addresses are redirecting to the same domain, I know it is safe to use the application.

Electrum doesn't have social media or whatever, but anyone can find confirmations on forums that electrum.org is the only official website

[tbct_mt2]

If you are a fan of Electrum wallet, you have to learn how to download, verify, install it as safely as possible.

[CucakRowo]

Additional information for electrum wallet users.

Same happen to me.

After i read this https://www.reddit.com/r/TREZOR/comments/8otl8q/how_to_verify_signatures_outside_of_wallettrezorio/.
I think the problem is electrum wallet still not familiar with P2SH.
So, i did some browsing, and found this info : https://bitcoinelectrum.com/creating-a-p2sh-segwit-wallet-with-electrum/.

More specifically https://bitcoinelectrum.com/creating-a-p2sh-segwit-wallet-with-electrum/

[The Cryptovator]

Useful topic especially for newbies who are using electrum wallet. That's quite important to be careful during update of electrum wallet since there was an attack in few months back. To be honest I don't not update my electrum wallet from any popups or from update button. When I think I need to update electrum then I go to their official (original) website and install new version. So once new version will be installed older version will be replaced with new version and your wallet file will never effected as well. So I think it's safe way for me handle with update. Of course everyone should verify signature to confirm if its original and there is instruction how to do it. Don't be lazy so you will not be on risk.

[Juggy777]

Useful topic especially for newbies who are using electrum wallet. That's quite important to be careful during update of electrum wallet since there was an attack in few months back. To be honest I don't not update my electrum wallet from any popups or from update button. When I think I need to update electrum then I go to their official (original) website and install new version. So once new version will be installed older version will be replaced with new version and your wallet file will never effected as well. So I think it's safe way for me handle with update. Of course everyone should verify signature to confirm if its original and there is instruction how to do it. Don't be lazy so you will not be on risk.

This is a nice thread which has important pictures that will help newbies understand how to update their Electrum wallet, and after the last few attacks I’m sure people will want to follow the instructions written in this thread. Another method of keeping one’s Electrum wallet safe is by using it’s app, because I never got any notification to update it in the app and overall I feel Electrums mobile app is secure and super easy to use.

[tbct_mt2]

Useful topic especially for newbies who are using electrum wallet.

It is a useful reminder for tenured users too, not only newbies. I know there are some tenured users are still lazy to ignore the verification steps.
You are right that people should never click on any popup messages from any softwares that remind updating to newest versions. The correct steps to do is always visit and check official update news on official websites, not social media channels (facebook, twitter).

For people who store decent funds in wallets, verification is a must thing to do.
Prevention is better than cure. Don't start to mind about verification wallets after losing your funds.

This is a nice thread which has important pictures that will help newbies understand how to update their Electrum wallet, and after the last few attacks I’m sure people will want to follow the instructions written in this thread.

As always, not all people care to do steps that can help them to increase their security.

Another method of keeping one’s Electrum wallet safe is by using it’s app, because I never got any notification to update it in the app and overall I feel Electrums mobile app is secure and super easy to use.

It is wrong (somewhat) because the security of your funds depends on some components: The wallet's quality and security; your devices' security; your methods to take care of your PIN, private keys, passwords, and more things.

[fortunecrypto]

I stopped using Electrum, after the hacking incident and I totally stopped using Electrum so I'll be safe and my coins, but after seeing this thread I am thinking of making a comeback to diversify my portfolio, but I prefer the Litecoin version since I'm accumulating Litecoin right now.

[Saint-loup]

Bump

Very interesting thread for beginners and others, thank you for it but now it would be even more interesting if you could do the same for smartphones.
It's not very easy to do on Android, so it would be great if someone could tell us which apps are the most suitable for that.

When I did it I had to install a shell terminal on my smartphone which is not convenient on a small screen, and to install gpg packages in it  

https://bitcointalk.org/index.php?topic=5189114

[tbct_mt2]

Very interesting thread for beginners and others, thank you for it but now it would be even more interesting if you could do the same for smartphones.
It's not very easy to do on Android, so it would be great if someone could tell us which apps are the most suitable for that.

When I did it I had to install a shell terminal on my smartphone which is not convenient on a small screen, and to install gpg packages in it 

https://bitcointalk.org/index.php?topic=5189114

Thanks for the topic. I will take a look at it later to see whether I can add new points for my OP. But on smartphones, it is safer to store a very small money, just in case we need to spend for something during our hang-out time.

I stopped using Electrum, after the hacking incident and I totally stopped using Electrum so I'll be safe and my coins, but after seeing this thread I am thinking of making a comeback to diversify my portfolio, but I prefer the Litecoin version since I'm accumulating Litecoin right now.

It is not wise to stop using Electrum like that. The wallet is one of the best wallet for bitcoin. All wallets have their technical specifications that can be compromised by hackers but if their developers show their good capability to fix, it will be great.

In addition, carefully using and updating your wallet will keep you safe. What I wrote in OP can be avoided if people care of wallet verification before making transactions.