NotATether (OP)
To my understanding, there is no command within Electrum to update itself. So assuming I only get newer versions of electrum by comparing file hashes contained in GPG signed keys, is there any way a stock electrum installation could be fooled into showing a fake update screen? Assuming that electrum even has any update screens coded into it, because if it doesn't, then I guess all such dialogs should not be trusted. What should I do in a situation like that?
The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?
I am running Electrum 3.3.8.
Rath_
April 04, 2020, 11:35:54 PM
> [...] is there any way a stock electrum installation could be fooled into showing a fake update screen?

Versions older than 3.3.4 are vulnerable to phishing. New versions include a built-in update notifier. The address which is used for signing these messages is apparently hardcoded into Electrum. You should be safe if you always verify the installation file.

> What should I do in a situation like that?

Ignore the malicious message. Always download Electrum from the official website and verify the installer. You should also search the Internet to see if anyone else has a similar problem. We have warned a lot of people before they followed malicious instructions.

> How does it know which server to sync with, and that it's not malicious?

Here you can learn about peer discovery. There's no easy way of telling which node is malicious. Here's an example of the recent exploit.
Abdussamad
April 04, 2020, 11:57:04 PM
The way Electrum works is that you are not supposed to have to trust the server you are connected to, so don't worry about malicious servers.
AB de Royse777
April 05, 2020, 12:58:15 AM
> So assuming I only get newer versions of electrum by comparing file hashes contained in GPG signed keys, is there any way a stock electrum installation could be fooled into showing a fake update screen? Assuming that electrum even has any update screens coded into it, because if it doesn't, then I guess all such dialogs should not be trusted. What should I do in a situation like that?

I go with the old-fashioned way. I uncheck the auto-update option in my Electrum, and when there is a new update I just uninstall my current Electrum, then download the newer version, verify the application file and then install it. The instant auto-update is very easy, but I somehow do not feel secure about it.
AB de Royse777
April 05, 2020, 01:32:02 AM
You got me there. Bad choice of words from me. I have seen the pop-up notification a few times but never proceeded from there, so my understanding was that it would do the update in the system like other apps do if I clicked on the button that triggers the update. Good to know that it takes you to the official site to do things manually. Yeah, signature verification is always the most important part for me.
HCP
April 05, 2020, 01:33:50 AM Last edit: November 15, 2023, 01:41:33 AM by HCP
Nope... just the notification [screenshot], and then the popup with the link to the official download [screenshot]. On a side note, maybe they should include a note in that dialog to remember to verify the download!
AB de Royse777
April 05, 2020, 01:49:02 AM
Then possibly I messed up something. I can clearly recall, once or a few times I guess, that I have seen the pop-up asking me to update, but I did not proceed from there. And if this was at the time when there was vulnerable code in the server, then I was lucky, I guess. Anyway, this is my current setup, and as far as I can remember I have been practicing this for a long time.

> On a side note, maybe they should include a note in that dialog to remember to verify the download!

I am on the same page here. This will create a caution for the users, and users will be encouraged to take verification seriously.
pooya87
April 05, 2020, 04:11:35 AM
> by comparing file hashes contained in GPG signed keys,

You are not comparing file hashes here; instead you are verifying that the digital signature is made with the key that you chose to trust.

> is there any way a stock electrum installation could be fooled into showing a fake update screen?

There is no way, but it should not matter, because even if you downloaded a new installation file from somewhere else you still should verify its signature. Additionally, you shouldn't keep your keys on an online machine in the first place. Storing them offline would remove nearly all possibilities of losing your coins.

> The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?

Electrum "servers", or by their correct descriptive name "bitcoin core full nodes with additional indexing", can not be malicious! Even those exploiting the vulnerability in pre-3.3.4 versions weren't exactly malicious, since they are not doing anything apart from replying to you with block headers, transactions, ... It was the user's mistake that they downloaded a malicious file from a website without verifying its signature.
joniboini
April 05, 2020, 05:28:12 AM
> I am on the same page here. This will create a caution for the users and users will be encouraged to take verification seriously.

I'm kinda pessimistic about it. There have been multiple instances where users were reminded to verify the files they downloaded before installing them, let alone checking the web page. It's just like the old saying goes: as long as it doesn't happen to you, you'll feel safe. Which is why lots of users fall for the scams, to begin with. But well, something is still better than nothing, though.
Pmalek
April 05, 2020, 08:42:29 AM
Just turn off the auto-update notifications. They aren't really needed. If you are a regular on this forum, you will probably see a thread or a post somewhere that a newer version of Electrum has been released on the same day as the release. Check the official site from time to time as well. I have never checked for new updates from within the Electrum app myself and I am not planning to do it. I see no need for it.

I see that some users wrote that they uninstall the older Electrum version before updating to a newer one. I have never done that either. I have updated my Electrum software 4 times at least and never uninstalled the old client before.
NotATether (OP)
April 05, 2020, 11:56:53 AM
> I see that some users wrote that they uninstall the older Electrum version before updating to a newer one. I have never done that either. I have updated my Electrum software 4 times at least and never uninstalled the old client before.

Given that Electrum stores its configuration in ~/.electrum, at least on Linux, and that I use the Python bundle of Electrum, which just needs to be extracted to run, I think I can just download a newer version of Electrum's Python bundle when it comes out and extract that to another folder, without worrying about deleting the old one. Granted, newer updates might change the configuration format and make it incompatible with older versions, so I would delete older versions of Electrum as they are then merely unnecessary. So I don't think it's necessary to uninstall/delete older versions before you use new ones.
AB de Royse777
April 05, 2020, 09:20:40 PM
> I doubt it, using PGP is a hard task for most people. I doubt anyone performs PGP verification aside from security experts, geeks or anyone with serious security concerns. Most people are more likely to ask whether a website is real or not.

Yeah, I get your point. I was in the same position when I had no idea about PGP, but later, when I felt that I needed to look into it for the sake of my security, I never found it too hard. It's as easy as exploring other simple computer applications. We can create awareness for it as a community.
HCP
April 05, 2020, 11:09:51 PM
> I doubt it, using PGP is a hard task for most people. I doubt anyone performs PGP verification aside from security experts, geeks or anyone with serious security concerns. Most people are more likely to ask whether a website is real or not.

So which do you think would be "harder" to handle for most users... verifying the digital signatures... or losing their life savings?

Be Your Own Bank == Be Your Own Bank's Security Department

If you're not going to do it properly, then the outcome should not be a surprise. Checking the PGP signatures is NOT hard or beyond the ability of the majority of computer users. The problem is that it takes time and effort to learn... usually the first one is in short supply for most people; however, in the current environment, most people have a lot more time. Now they just need to make the effort. Abdussamad's step-by-step guides are very good and should be easy enough to follow for anyone: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
DireWolfM14
April 07, 2020, 05:00:24 PM
> > by comparing file hashes contained in GPG signed keys,
>
> You are not comparing file hashes here; instead you are verifying that the digital signature is made with the key that you chose to trust.

Curious that the OP suggested that. I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP-signed list of checksum hashes. I can't remember if it's Tor Browser or Oracle VM that does that, but it seems like a viable way of doing it, even if it requires a second step and knowledge of both PGP and how to check hash values. It's something I've thought about in the past: why doesn't Electrum publish their checksum hashes? A lot of us old-timers have been verifying the checksum of downloaded software for some time now.

> > The default setup of electrum selects a server automatically. How does it know which server to sync with, and that it's not malicious?
>
> Electrum "servers", or by their correct descriptive name "bitcoin core full nodes with additional indexing", can not be malicious! Even those exploiting the vulnerability in pre-3.3.4 versions weren't exactly malicious, since they are not doing anything apart from replying to you with block headers, transactions, ... It was the user's mistake that they downloaded a malicious file from a website without verifying its signature.

Has the source of the fraudulent message been found? How were so many servers infected?
NotATether (OP)
April 07, 2020, 06:26:02 PM
> Curious that the OP suggested that. I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP-signed list of checksum hashes. I can't remember if it's Tor Browser or Oracle VM that does that, but it seems like a viable way of doing it, even if it requires a second step and knowledge of both PGP and how to check hash values.
>
> It's something I've thought about in the past: why doesn't Electrum publish their checksum hashes? A lot of us old-timers have been verifying the checksum of downloaded software for some time now.

Neither does, I checked just now. I trust SHA256 hashes contained in PGP messages signed with a verified fingerprint/public key more than a bunch of SHA256 hashes in a plain text file, because the hacker who puts a malicious binary on the website can also upload a new file of corresponding hashes. They can't do that if the hashes are contained inside a signed message and the key hasn't been compromised.
HCP
> Curious that the OP suggested that. I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP-signed list of checksum hashes. I can't remember if it's Tor Browser or Oracle VM that does that, but it seems like a viable way of doing it, even if it requires a second step and knowledge of both PGP and how to check hash values.

Or perhaps you are thinking of Bitcoin Core? https://bitcoincore.org/bin/bitcoin-core-0.19.1/SHA256SUMS.asc

> It's something I've thought about in the past: why doesn't Electrum publish their checksum hashes? A lot of us old-timers have been verifying the checksum of downloaded software for some time now.

I don't really see any difference between checking the signature on the binary file... and checking the signature on the file of the checksums and then checking the checksums... except, for the latter, it's a two-step process! Which I would guess is the reason why the Electrum devs sign the binaries.

> Has the source of the fraudulent message been found? How were so many servers infected?

Servers were not "infected"... Someone modified the server code to display the message instead of standard server responses... then they deliberately ran that code on a bunch of servers that were spun up on services like AWS in various locations... basically, create one, clone it 100s of times... let them go. By flooding the network with "malicious" servers, chances were good that people would end up "randomly" connected to one.
pooya87
> Curious that the OP suggested that. I've downloaded software that doesn't provide a signature file for the binaries, but instead includes a PGP-signed list of checksum hashes. I can't remember if it's Tor Browser or Oracle VM that does that, but it seems like a viable way of doing it, even if it requires a second step and knowledge of both PGP and how to check hash values.
>
> It's something I've thought about in the past: why doesn't Electrum publish their checksum hashes? A lot of us old-timers have been verifying the checksum of downloaded software for some time now.

It doesn't make any difference whether you provide the PGP signature of the file itself, or provide the hash of the file and then the PGP signature of the hash. I don't yet know why some projects do it, but they do it nonetheless; for instance Ubuntu does exactly this. Under Linux both of these take only two small lines in the terminal, so it is not that big a deal. Besides, under the hood things are happening the same way! For example, when you are verifying a PGP signature you first compute the hash of the file, then check the signature against that. So hashing is still a part of it.
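The two-step flow HCP and pooya87 describe (verify the signature on the checksum list, then check the download's hash against that list), together with NotATether's point that an attacker who swaps the binary can also re-upload a plaintext hash list, as an added Python example that is neither Electrum's nor Bitcoin Core's code. The file names, byte contents and keyring path are constructed for the demo; signature_valid needs a local gpg binary and a keyring file you built from a fingerprint-checked developer key.

```python
"""Added example: two-step release check. Step 1 (signature_valid) verifies the
PGP signature on a SHA256SUMS list with gpg against a keyring you control; step 2
(check_download) hashes the download and looks it up in that list."""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex>  <filename>') into {filename: digest}.
    Armor/header lines and the base64 signature of a clearsigned file are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        try:
            int(parts[0], 16)
        except ValueError:
            continue
        sums[parts[1].strip().lstrip("*")] = parts[0].lower()  # '*' = binary-mode marker
    return sums

def sha256_file(path: Path) -> str:
    """Hash the file in 1 MiB chunks so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(sums_text: str, download: Path) -> str:
    """Step 2. Returns 'ok', 'mismatch', or 'unlisted' (file not covered by the list)."""
    expected = parse_sha256sums(sums_text).get(download.name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(expected, sha256_file(download)) else "mismatch"

def signature_valid(signed_sums: Path, keyring: Path) -> bool:
    """Step 1. Verify a clearsigned SHA256SUMS.asc using ONLY the given keyring file
    (assumed to hold the developer key you fingerprint-checked). gpg exits 0 only
    for a good signature by a key in that ring. Requires the gpg binary."""
    res = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                          str(keyring), "--verify", str(signed_sums)], capture_output=True)
    return res.returncode == 0

def demo() -> tuple[str, str]:
    """Constructed scenario from the thread: attacker swaps the binary and re-uploads a
    matching plaintext list. Returns (result vs attacker's list, result vs signed list)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "electrum-demo.tar.gz"          # constructed file name
        target.write_bytes(b"genuine release bytes (constructed)")
        signed_list = f"{sha256_file(target)}  {target.name}\n"    # what the dev signed
        target.write_bytes(b"trojaned release bytes (constructed)")
        attacker_list = f"{sha256_file(target)}  {target.name}\n"  # re-uploaded plaintext
        return check_download(attacker_list, target), check_download(signed_list, target)
```

The plaintext list the attacker controls reports "ok" for the swapped file, while the list frozen by the developer's signature reports "mismatch", which is exactly why the list must be signed (or the binary itself signed) rather than merely published.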