Bitcoin Forum
Topic: Newbies are still losing BTC due to an old vulnerability (Read 117 times)
Bitcoin_Arena (OP), July 28, 2020, 08:57:54 PM, #1

I have just seen another newbie who seems to have fallen for that old Electrum phishing vulnerability. Shouldn't the team be doing more than just warning users not to download or use the older versions that are vulnerable to the attack?

How about?
1. Making the older versions of Electrum that are vulnerable to the attack obsolete or unusable for transactions until users are forced to get the more secure newer versions?
2. Make the download links of the older vulnerable versions inaccessible.

Newbies are newbies. Most even probably don't know that there is such a vulnerability in the older versions of Electrum. I think they need a little more protection from the attack.

jackg, July 28, 2020, 09:06:21 PM, #2


They can't connect to any node other than the malicious ones to circumvent attacks.

I don't know what more you want them to do other than hide the old releases from the website (which might be a good idea as there's a backup on github anyway). It's generally not a good idea to delete old versions completely as a new vulnerability may be found and that deleted script might hold the key and it also has some historic significance... But it could be deleted from the site and archived on github or somewhere else.

Also I think the main issue is newbies running old versions too which this won't mitigate against.
ranochigo, July 29, 2020, 02:52:32 AM, #3


> I have just seen another newbie who seems to have fallen for that old Electrum phishing vulnerability. Shouldn't the team be doing more than just warning users not to download or use the older versions that are vulnerable to the attack?

A DOS attack is being executed against the older wallet versions to try to prevent them from connecting to any servers. This won't be 100% effective and people can still seep through the cracks.

> How about?
> 1. Making the older versions of Electrum that are vulnerable to the attack obsolete or unusable for transactions until users are forced to get the more secure newer versions?

Not possible. DOS is the best that they can do. The design of Electrum doesn't introduce any way for outsiders to modify the older Electrum client.

> 2. Make the download links of the older vulnerable versions inaccessible.

No one would download the older version when there is a new one available. I don't see why it would be dangerous to leave the older versions in a less accessible place. Still, that's a decent suggestion; maybe they can put a little readme to warn the users.

> Newbies are newbies. Most even probably don't know that there is such a vulnerability in the older versions of Electrum. I think they need a little more protection from the attack.

DOS is probably the best that they can do. People should always verify their downloads before doing anything with them.

pooya87, July 29, 2020, 03:52:08 AM, #4


If they remove that particular version, then all previous versions and any other old version should also be removed, because that is what an "old version" is most of the time: a version that had some bugs and a new one released to fix those. If you check the changelog or the code you can see that each version is fixing some bugs, many of which could be considered security critical even if not that common.

.
nc50lc, July 29, 2020, 04:08:14 AM, #5


> How about?
> 1. Making the older versions of Electrum that are vulnerable to the attack obsolete or unusable for transactions until users are forced to get the more secure newer versions?
> 2. Make the download links of the older vulnerable versions inaccessible.

2. Before you can even get to that link, you'll see a big warning message on top of the download page:
Quote from: electrum.org/#download
> Warning: Electrum versions older than 3.3.4 are susceptible to phishing.
Plus that direct link to the previous releases isn't endorsed on any other sites aside from forums/articles when pointing to old versions.

1. That "DOS attack" that has been mentioned does exactly that: it renders those outdated versions unable to fetch the latest balance and broadcast transactions.
So the user might research or update to the latest version.
But the catch is: it requires the client to connect to a "counter-attacking server" to get blocked from connecting; not if it connects to a malicious server or non-patched servers.

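Two defensive checks come up in the thread: ranochigo's advice to verify downloads before running them, and nc50lc's description of a server that refuses to serve clients older than 3.3.4. The script below is an added example written for this page; it is not Electrum's code and not code posted by anyone in the thread. It assumes a client advertises a plain release number somewhere in its version string (the formats "electrum/3.3.8" and "Electrum 3.10.0" are assumed), and the sample "release" bytes and their digest are constructed for the demonstration.

```python
"""Added example; not Electrum's own code. Two defensive checks drawn from the
thread: (1) verify a downloaded release against its published SHA-256 digest
before running it, and (2) a minimum-version gate of the kind a server could
apply to refuse clients that advertise a version older than 3.3.4. The
advertised-version formats, the sample file and its digest are constructed."""
import hashlib
import hmac
import os
import re
import tempfile

# From the electrum.org warning quoted in the thread: versions older than
# 3.3.4 are susceptible to phishing.
MIN_SAFE_VERSION = (3, 3, 4)

# Accept only a stand-alone three-part release number, e.g. "3.3.8" inside
# "electrum/3.3.8". Pre-release tags ("3.3.4b1"), four-part numbers and junk
# deliberately fail to parse so the gate can fail closed.
_VERSION_RE = re.compile(r"(?<![\w.-])(\d+)\.(\d+)\.(\d+)(?![\w.-])")


def parse_version(advertised):
    """Return (major, minor, patch) or None when no release number is present.
    Tuples compare numerically, so 3.10.0 correctly ranks above 3.3.4,
    which a plain string comparison would get wrong."""
    m = _VERSION_RE.search(advertised)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def gate_client(advertised):
    """Server-side decision for a connecting client (assumed input: the
    version string the client sends on connect). Unparseable versions are
    refused as well, so an unknown client never slips through."""
    v = parse_version(advertised)
    if v is None:
        return ("refuse", "client version not recognised")
    if v < MIN_SAFE_VERSION:
        return ("refuse", "client version older than 3.3.4")
    return ("serve", v)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_hex):
    """True only when the SHA-256 of data matches the published digest.
    hmac.compare_digest does not stop at the first differing byte."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def verify_download(path, expected_hex):
    """Same check over a file on disk, hashed in chunks so a large installer
    does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


# Constructed sample "release": the bytes b"abc" and their well-known SHA-256.
SAMPLE_RELEASE = b"abc"
SAMPLE_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write the sample to a temp file, verify it, corrupt it and verify again,
    then run the version gate over a few constructed client strings."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_RELEASE)
        genuine = verify_download(path, SAMPLE_DIGEST)
        with open(path, "ab") as f:   # tampered copy: one byte appended
            f.write(b"!")
        tampered = verify_download(path, SAMPLE_DIGEST)
    finally:
        os.remove(path)
    clients = ["electrum/3.3.2", "electrum/3.3.4", "Electrum 3.10.0",
               "electrum/3.3.4b1", "not-a-version"]
    gates = {c: gate_client(c)[0] for c in clients}
    return genuine, tampered, gates


if __name__ == "__main__":
    print(demo())
```

The digest check only proves the file matches a digest the user obtained separately; if both come from the same phishing page the comparison is meaningless, which is why it belongs alongside the project's signed releases rather than instead of them. The gate compares tuples rather than strings, and treats anything it cannot parse as too old; the failure mode nc50lc points out still applies, since a client that never reaches such a server is never refused.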