Bitcoin Forum
December 12, 2024, 07:56:18 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: If I use the real GPG verified electrum, am I vulnerable to fake updates?  (Read 304 times)
NotATether (OP)
Legendary
*
Offline Offline

Activity: 1820
Merit: 7476


Top Crypto Casino


View Profile WWW
April 04, 2020, 11:19:45 PM
Merited by JayJuanGee (1), pooya87 (1)
 #1

To my understanding, there is no command within Electrum to update itself. So assuming I only get newer versions of electrum by comparing file hashes contained in GPG signed keys, is there any way a stock electrum installation could be fooled into showing a fake update screen? Assuming that electrum even has any update screens coded into it, because if it doesn't, then I guess all such dialogs should not be trusted. What should I do in a situation like that?

The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?

I am running Electrum 3.3.8.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
Rath_
aka BitCryptex
Legendary
*
Offline Offline

Activity: 1876
Merit: 3139



View Profile
April 04, 2020, 11:35:54 PM
 #2

[...] is there any way a stock electrum installation could be fooled into showing a fake update screen?

Versions older than 3.3.4 are vulnerable to phishing. New versions include built-in update notifier. The address which is used for signing these messages is apparently hardcoded into Electrum. You should be safe if you always verify the installation file.

What should I do in a situation like that?

Ignore the malicious message. Always download Electrum from the official website and verify the installer. You should also search the Internet to see if anyone also has a similar problem. We have warned a lot of people before they followed malicious instructions.


How does it know which server to sync with, and that it's not malicious?

Here you can learn about peer discovery. There's no easy way of telling which node is malicious. Here's an example on the recent exploit.
Abdussamad
Legendary
*
Offline Offline

Activity: 3710
Merit: 1586



View Profile
April 04, 2020, 11:57:04 PM
 #3

the way electrum works is you are not supposed to have to trust the server you are connected to. so don't worry about malicious servers.
AB de Royse777
Legendary
*
Offline Offline

Activity: 2702
Merit: 4184


Campaign Manager. My Telegram @Royse777


View Profile WWW
April 05, 2020, 12:58:15 AM
 #4

So assuming I only get newer versions of electrum by comparing file hashes contained in GPG signed keys, is there any way a stock electrum installation could be fooled into showing a fake update screen? Assuming that electrum even has any update screens coded into it, because if it doesn't, then I guess all such dialogs should not be trusted. What should I do in a situation like that?
I go with the old fashioned way. I uncheck the auto update option in my Electrum and when there are any new update, I just uninstall my current Electrum and then download the newer version, verify the application file and then install it.

The instant auto update is very easy but I somehow do not feel secure about it.

 
 BETFURY .....
██████▄██▄███████████▄█▄
█████▄█████▄████▄▄▄█
███████████████████
████▐███████████████████
███████████▀▀▄▄▄▄███████
██▄███████▄▀███▀█▀▀█▄▄▄█
▀██████████▄█████▄▄█████▀██
██████████▄████▀██▄▀▀▀█████▄
█████████████▐█▄▀▄███▀██▄
███████▄▄▄███▌▌█▄▀▀███████▄
▀▀▀███████████▌██▀▀▀▀▀█▄▄▄████▀
███████▀▀██████▄▄██▄▄▄▄███▀▀
████████████▀▀▀██████████
 
..... Leading iGaming Platform .....
 
UP TO 60%
A P R   B T C
S T A K I N G
 
 8,000+ 
GAMES
 
 HIGH ODDS 
SPORTSBOOK
█▀▀











█▄▄
USE CODE: BTEARN
 
.GET 50 FREE SPINS!.
▀▀█











▄▄█
[
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4363

<insert witty quote here>


View Profile
April 05, 2020, 01:24:44 AM
 #5

The instant auto update is very easy but I somehow do not feel secure about it.
It's not an "instant auto update"... you get a notification that a new version is available, and clicking on it will lead you to the "standard" electrum.org download page.

https://github.com/spesmilo/electrum/blob/5d4f8f316480776eb78d98ea9ac9c3b2a05ef01d/electrum/gui/qt/update_checker.py#L21


You are still advised to do the verification even if you have the update notification on.

█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
AB de Royse777
Legendary
*
Offline Offline

Activity: 2702
Merit: 4184


Campaign Manager. My Telegram @Royse777


View Profile WWW
April 05, 2020, 01:32:02 AM
 #6

It's not an "instant auto update"... you get a notification that a new version is available, and clicking on it will lead you to the "standard" electrum.org download page.

https://github.com/spesmilo/electrum/blob/5d4f8f316480776eb78d98ea9ac9c3b2a05ef01d/electrum/gui/qt/update_checker.py#L21


You are still advised to do the verification even if you have the update notification on.
You got me there. Bad choice of words from me. I have seen few time the pop up to notify but never proceeded from there so my understanding was that it will do the update in the system like other apps do, if I click on the button that triggers the update.

Good to know that it takes to the official site to do things manually. Yeah, signature verification is the most important part for me always.

 
 BETFURY .....
██████▄██▄███████████▄█▄
█████▄█████▄████▄▄▄█
███████████████████
████▐███████████████████
███████████▀▀▄▄▄▄███████
██▄███████▄▀███▀█▀▀█▄▄▄█
▀██████████▄█████▄▄█████▀██
██████████▄████▀██▄▀▀▀█████▄
█████████████▐█▄▀▄███▀██▄
███████▄▄▄███▌▌█▄▀▀███████▄
▀▀▀███████████▌██▀▀▀▀▀█▄▄▄████▀
███████▀▀██████▄▄██▄▄▄▄███▀▀
████████████▀▀▀██████████
 
..... Leading iGaming Platform .....
 
UP TO 60%
A P R   B T C
S T A K I N G
 
 8,000+ 
GAMES
 
 HIGH ODDS 
SPORTSBOOK
█▀▀











█▄▄
USE CODE: BTEARN
 
.GET 50 FREE SPINS!.
▀▀█











▄▄█
[
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4363

<insert witty quote here>


View Profile
April 05, 2020, 01:33:50 AM
Last edit: November 15, 2023, 01:41:33 AM by HCP
 #7

Nope... just the notification:



and then the popup with the link to the official download:



On a side note, maybe the should include a note in that dialog to remember to verify the download! Huh

█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
AB de Royse777
Legendary
*
Offline Offline

Activity: 2702
Merit: 4184


Campaign Manager. My Telegram @Royse777


View Profile WWW
April 05, 2020, 01:49:02 AM
 #8

Then possibly I messed up something. I can clearly recall once or few times I guess, I have seen the pop up that was asking to update but I did not proceed from there. And if this was at that time when there was a vulnerable code in the server then I was lucky I guess.

Anyway, this is what my current setup and as far as I can remember I am practicing this from long time.




On a side note, maybe the should include a note in that dialog to remember to verify the download! Huh
I am on the same page here. This will create a caution for the users and users will be encouraged to take verification seriously.
 

 
 BETFURY .....
██████▄██▄███████████▄█▄
█████▄█████▄████▄▄▄█
███████████████████
████▐███████████████████
███████████▀▀▄▄▄▄███████
██▄███████▄▀███▀█▀▀█▄▄▄█
▀██████████▄█████▄▄█████▀██
██████████▄████▀██▄▀▀▀█████▄
█████████████▐█▄▀▄███▀██▄
███████▄▄▄███▌▌█▄▀▀███████▄
▀▀▀███████████▌██▀▀▀▀▀█▄▄▄████▀
███████▀▀██████▄▄██▄▄▄▄███▀▀
████████████▀▀▀██████████
 
..... Leading iGaming Platform .....
 
UP TO 60%
A P R   B T C
S T A K I N G
 
 8,000+ 
GAMES
 
 HIGH ODDS 
SPORTSBOOK
█▀▀











█▄▄
USE CODE: BTEARN
 
.GET 50 FREE SPINS!.
▀▀█











▄▄█
[
pooya87
Legendary
*
Offline Offline

Activity: 3668
Merit: 11103


Crypto Swap Exchange


View Profile
April 05, 2020, 04:11:35 AM
 #9

by comparing file hashes contained in GPG signed keys,
you are not comparing file hashes here, instead you are verifying that the digital signature is made from the key that you choose to trust.

Quote
is there any way a stock electrum installation could be fooled into showing a fake update screen?
there is no way, but it should not matter because even if you downloaded a new installation file from somewhere else you still should verify its signature. additionally you shouldn't keep your keys on an online machine in first place. storing them offline would remove nearly all possibilities of losing your coins.

Quote
The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?
Electrum "servers" or with their correct descriptive name: "bitcoin core full nodes with additional indexing" can not be malicious! even those exploiting the vulnerability in pre 3.3.4 version weren't exactly malicious since they are not doing anything apart from replying to you with block headers, transaction,... it was user's mistake that they downloaded a malicious file from a website without verifying its signature.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
joniboini
Legendary
*
Offline Offline

Activity: 2408
Merit: 1807



View Profile WWW
April 05, 2020, 05:28:12 AM
 #10

I am on the same page here. This will create a caution for the users and users will be encouraged to take verification seriously.

I'm kinda pessimistic about it. There have been multiple instances where users are reminded to verify the files that they downloaded first before installing it, let alone checking the web page. It's just like the old saying goes, as long as it doesn't happen to you, you'll feel safe. Which is why lots of users fall for the scams, to begin with.

But well, something is still better than nothing though.

▄▄███████████████████▄▄
▄███████████████████████▄
████████▀░░░░░░░▀████████
███████░░░░░░░░░░░███████
███████░░░░░░░░░░░███████
██████▀░░░░░░░░░░░▀██████
██████▄░░░░░▄███▄░▄██████
██████████▀▀█████████████
████▀▄██▀░░░░▀▀▀░▀██▄▀███
███░░▀░░░░░░░░░░░░░▀░░███
████▄▄░░░░▄███▄░░░░▄▄████
▀███████████████████████▀
▀▀███████████████████▀▀
 
 CHIPS.GG 
▄▄███████▄▄
▄████▀▀▀▀▀▀▀████▄
███▀░▄░▀▀▀▀▀░▄░▀███
▄███
░▄▀░░░░░░░░░▀▄░███▄
▄███░▄░░░▄█████▄░░░▄░███▄
███░▄▀░░░███████░░░▀▄░███
███░█░░░▀▀▀▀▀░░░▀░░░█░███
███░▀▄░▄▀░▄██▄▄░▀▄░▄▀░██
▀███
░▀░▀▄██▀░▀██▄▀░▀░██▀
▀███
░▀▄░░░░░░░░░▄▀░██▀
▀███▄
░▀░▄▄▄▄▄░▀░▄███▀
▀█
███▄▄▄▄▄▄▄████▀
█████████████████████████
▄▄███████▄▄
███
████████████▄
▄█▀▀▀▄
█████████▄▀▀▀█▄
▄██████▀▄▄▄▄▄▀██████▄
▄█████████████▄████████▄
████████▄███████▄████████
█████▄█████████▄██████
██▄▄▀▀▀▀█████▀▀▀▀▄▄██
▀█████████▀▀███████████▀
▀███████████████████▀
██████████████████
▀████▄███▄▄
████▀
████████████████████████
3000+
UNIQUE
GAMES
|
12+
CURRENCIES
ACCEPTED
|
VIP
REWARD
PROGRAM
 
 
  Play Now  
Pmalek
Legendary
*
Offline Offline

Activity: 2982
Merit: 7642


Playgram - The Telegram Casino


View Profile
April 05, 2020, 08:42:29 AM
 #11

Just turn off the auto-update notifications. They aren't really needed. If you are a regular on this forum, you will probably see a thread or a post somewhere that a never version of Electrum has been released on the same day of the release. Check the official site from time to time as well. I have never checked if there are new updates from within the Electrum app myself and I am not planning to do it. I see no need for it.

I see that some users wrote that they uninstall the older Electrum version before updating to a newer one. I have never done that either. I have updated my Electrum software 4 times at least and never uninstalled the old client before. 

▄▄███████▄▄███████
▄███████████████▄▄▄▄▄
▄████████████████████▀░
▄█████████████████████▄░
▄█████████▀▀████████████▄
██████████████▀▀█████████
████████████████████████
██████████████▄▄█████████
▀█████████▄▄████████████▀
▀█████████████████████▀░
▀████████████████████▄░
▀███████████████▀▀▀▀▀
▀▀███████▀▀███████

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
 
Playgram.io
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

▄▄▄░░
▀▄







▄▀
▀▀▀░░
▄▄▄███████▄▄▄
▄▄███████████████▄▄
▄███████████████████▄
▄██████████████▀▀█████▄
▄██████████▀▀█████▐████▄
██████▀▀████▄▄▀▀█████████
████▄▄███▄██▀█████▐██████
█████████▀██████████████
▀███████▌▐██████▐██████▀
▀███████▄▄███▄████████▀
▀███████████████████▀
▀▀███████████████▀▀
▀▀▀███████▀▀▀
██████▄▄███████▄▄████████
███▄███████████████▄░░▀█▀
███████████░█████████░░
░█████▀██▄▄░▄▄██▀█████░
█████▄░▄███▄███▄░▄█████
███████████████████████
███████████████████████
██░▄▄▄░██░▄▄▄░██░▄▄▄░██
██░░░░██░░░░██░░░░████
██░░░░██░░░░██░░░░████
██▄▄▄▄▄██▄▄▄▄▄██▄▄▄▄▄████
███████████████████████
███████████████████████
 
PLAY NOW

on Telegram
[/
NotATether (OP)
Legendary
*
Offline Offline

Activity: 1820
Merit: 7476


Top Crypto Casino


View Profile WWW
April 05, 2020, 11:56:53 AM
 #12

I see that some users wrote that they uninstall the older Electrum version before updating to a newer one. I have never done that either. I have updated my Electrum software 4 times at least and never uninstalled the old client before. 

Given that Electrum stores its configuration in ~/.electrum, at least on Linux, and that I use the Python bundle of electrum which just needs to be extracted to run, I think I can just download a newer version of electrum's python bundle when it comes and extract that to another folder, without worrying about deleting the old one. Granted, newer updates might change the configuration format and make it incompatible with older versions so I would delete older versions of electrum as they are merely unnecessary. Like this I don't think it's necessary to uninstall/delete older versions before you use new ones.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
AB de Royse777
Legendary
*
Offline Offline

Activity: 2702
Merit: 4184


Campaign Manager. My Telegram @Royse777


View Profile WWW
April 05, 2020, 09:20:40 PM
 #13

I doubt it, using PGP is hard task for most people. I doubt anyone perform PGP verification aside from security expert, geeks or anyone with serious security concern.
Most people is more likely to ask whether a website is real or not.
Yeah I get you point. I was in the same position when I had not idea about PGP but later when I felt that I need to see it for the sake of my security, I never found it too hard. It's as easy as exploring other simple computer applications. We can create the awareness for it as a community.

 
 BETFURY .....
██████▄██▄███████████▄█▄
█████▄█████▄████▄▄▄█
███████████████████
████▐███████████████████
███████████▀▀▄▄▄▄███████
██▄███████▄▀███▀█▀▀█▄▄▄█
▀██████████▄█████▄▄█████▀██
██████████▄████▀██▄▀▀▀█████▄
█████████████▐█▄▀▄███▀██▄
███████▄▄▄███▌▌█▄▀▀███████▄
▀▀▀███████████▌██▀▀▀▀▀█▄▄▄████▀
███████▀▀██████▄▄██▄▄▄▄███▀▀
████████████▀▀▀██████████
 
..... Leading iGaming Platform .....
 
UP TO 60%
A P R   B T C
S T A K I N G
 
 8,000+ 
GAMES
 
 HIGH ODDS 
SPORTSBOOK
█▀▀











█▄▄
USE CODE: BTEARN
 
.GET 50 FREE SPINS!.
▀▀█











▄▄█
[
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4363

<insert witty quote here>


View Profile
April 05, 2020, 11:09:51 PM
 #14

I doubt it, using PGP is hard task for most people. I doubt anyone perform PGP verification aside from security expert, geeks or anyone with serious security concern.
Most people is more likely to ask whether a website is real or not.
So which do think would be "harder" to handle for most users... verifying the digital signatures... or losing their life savings? Huh

Be Your Own Bank == Be Your Own Bank's Security Department

If you're not going to do it properly, then the outcome should not be a surprise.

Checking the PGP signatures is NOT hard or beyond the ability of the majority of computer users. The problem is that is takes time and effort to learn... usually the first one is in short supply for most people, however in the current environment, most people have a lot more time. Now they just need to make the effort.

Adbussamad's step-by-step guides are very good and should be easy enough to follow for anyone: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
DireWolfM14
Copper Member
Legendary
*
Offline Offline

Activity: 2380
Merit: 4691


Join the world-leading crypto sportsbook NOW!


View Profile WWW
April 07, 2020, 05:00:24 PM
 #15

by comparing file hashes contained in GPG signed keys,
you are not comparing file hashes here, instead you are verifying that the digital signature is made from the key that you choose to trust.

Curious that the OP suggested that.  I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP signed list of checksum hashes.  I can't remember if it's TOR browser of Oracle VM that does that, but it seems like a viable way of doing it, even if it requires an second step and knowledge of both PGP, and how to check for hash values.

It's something I've thought about in the past, why doesn't Electrum publish their checksum hashes?  A lot of us old-timers have been verifying the checksum of downloaded software for some time now.


Quote
The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?
Electrum "servers" or with their correct descriptive name: "bitcoin core full nodes with additional indexing" can not be malicious! even those exploiting the vulnerability in pre 3.3.4 version weren't exactly malicious since they are not doing anything apart from replying to you with block headers, transaction,... it was user's mistake that they downloaded a malicious file from a website without verifying its signature.

Has the source of fraudulent message been found?  How were so many servers infected?

  ▄▄███████▄███████▄▄▄
 █████████████
▀▀▀▀▀▀████▄▄
███████████████
       ▀▀███▄
███████████████
          ▀███
 █████████████
             ███
███████████▀▀               ███
███                         ███
███                         ███
 ███                       ███
  ███▄                   ▄███
   ▀███▄▄             ▄▄███▀
     ▀▀████▄▄▄▄▄▄▄▄▄████▀▀
         ▀▀▀███████▀▀▀
░░░████▄▄▄▄
░▄▄░
▄▄███████▄▀█████▄▄
██▄████▌▐█▌█████▄██
████▀▄▄▄▌███░▄▄▄▀████
██████▄▄▄█▄▄▄██████
█░███████░▐█▌░███████░█
▀▀██▀░██░▐█▌░██░▀██▀▀
▄▄▄░█▀░█░██░▐█▌░██░█░▀█░▄▄▄
██▀░░░░▀██░▐█▌░██▀░░░░▀██
▀██
█████▄███▀▀██▀▀███▄███████▀
▀███████████████████████▀
▀▀▀▀███████████▀▀▀▀
█████████████LEADING CRYPTO SPORTSBOOK & CASINO█████████████
MULTI
CURRENCY
1500+
CASINO GAMES
CRYPTO EXCLUSIVE
CLUBHOUSE
FAST & SECURE
PAYMENTS
.
..PLAY NOW!..
NotATether (OP)
Legendary
*
Offline Offline

Activity: 1820
Merit: 7476


Top Crypto Casino


View Profile WWW
April 07, 2020, 06:26:02 PM
 #16

Curious that the OP suggested that.  I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP signed list of checksum hashes.  I can't remember if it's TOR browser of Oracle VM that does that, but it seems like a viable way of doing it, even if it requires an second step and knowledge of both PGP, and how to check for hash values.

It's something I've thought about in the past, why doesn't Electrum publish their checksum hashes?  A lot of us old-timers have been verifying the checksum of downloaded software for some time now.


Neither do, I checked just now.

I trust SHA256 hashes contained in PGP messages signed with a verified fingerprint/public key more than a bunch of SHA256 hashes in a plain text file, because the hacker who puts a malicious binary on the website can also upload a new file of corresponding hashes. They can't do that if the hashes are contained inside a signed message and the key hasn't been compromised.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4363

<insert witty quote here>


View Profile
April 07, 2020, 08:56:03 PM
Merited by pooya87 (1), DireWolfM14 (1)
 #17

Curious that the OP suggested that.  I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP signed list of checksum hashes.  I can't remember if it's TOR browser of Oracle VM that does that, but it seems like a viable way of doing it, even if it requires an second step and knowledge of both PGP, and how to check for hash values.
Or perhaps you are thinking of Bitcoin Core? Wink

https://bitcoincore.org/bin/bitcoin-core-0.19.1/SHA256SUMS.asc


It's something I've thought about in the past, why doesn't Electrum publish their checksum hashes?  A lot of us old-timers have been verifying the checksum of downloaded software for some time now.
I don't really see any difference between checking the signature on the binary file... and checking the signature on the file of the checksums and then checking the checksums... except, for the latter, it's a two step process!

Which I would guess is the reason why the Electrum devs sign the binaries Tongue


Quote
Has the source of fraudulent message been found?  How were so many servers infected?
Servers were not "infected"... Someone modified the server code to display the message instead of standard server responses... then they deliberately ran that code on a bunch of servers that were spun up on services like AWS in various locations... basically, create one, clone it 100s of times... let them go.

By flooding the network with "malicious" servers, chances were good that people would end up "randomly" connected to one. Undecided

█████████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████
█████████████████████████
.
BC.GAME
▄▄░░░▄▀▀▄████████
▄▄▄
██████████████
█████░░▄▄▄▄████████
▄▄▄▄▄▄▄▄▄██▄██████▄▄▄▄████
▄███▄█▄▄██████████▄████▄████
███████████████████████████▀███
▀████▄██▄██▄░░░░▄████████████
▀▀▀█████▄▄▄███████████▀██
███████████████████▀██
███████████████████▄██
▄███████████████████▄██
█████████████████████▀██
██████████████████████▄
.
..CASINO....SPORTS....RACING..
█░░░░░░█░░░░░░█
▀███▀░░▀███▀░░▀███▀
▀░▀░░░░▀░▀░░░░▀░▀
░░░░░░░░░░░░
▀██████████
░░░░░███░░░░
░░█░░░███▄█░░░
░░██▌░░███░▀░░██▌
░█░██░░███░░░█░██
░█▀▀▀█▌░███░░█▀▀▀█▌
▄█▄░░░██▄███▄█▄░░▄██▄
▄███▄
░░░░▀██▄▀


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
pooya87
Legendary
*
Offline Offline

Activity: 3668
Merit: 11103


Crypto Swap Exchange


View Profile
April 08, 2020, 04:22:00 AM
Merited by DireWolfM14 (1)
 #18

Curious that the OP suggested that.  I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP signed list of checksum hashes.  I can't remember if it's TOR browser of Oracle VM that does that, but it seems like a viable way of doing it, even if it requires an second step and knowledge of both PGP, and how to check for hash values.

It's something I've thought about in the past, why doesn't Electrum publish their checksum hashes?  A lot of us old-timers have been verifying the checksum of downloaded software for some time now.

it doesn't make any difference to provide the PGP signature of the file itself or provide hash of the file and then PGP signature of the hash. i don't yet know why some projects do it but they do it nonetheless. for instance Ubuntu does exactly this. under Linux both of these steps take only two steps to write a small line in terminal so it is not that big a deal.

besides under the hood things are happening the same way! for example when you are verifying PGP signature you first compute hash of the file then check the signature versus that. so hashing is still a part of it.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!