Electrum Features - Less is More

[thefirstnamelessdude]

Hmm... Seems everyone here want to discuss my security model instead of electrum's.
Every software developer knows that removing (unused) code makes software less vulnerable because it reduces the attack surface. That's a fact. Strange that some people defend extra features (extra code) even if they are not using them...

I was not looking for a solution, as I had no problem with electrum to begin with, but only venting an opinion to make electrum more safe en more user-friendly.

@Pmalek: FYI I see you merited a reply with false information. Electrum is suitable for hodlers.
=> https://electrum.readthedocs.io/en/latest/coldstorage.html

Hiding features doesn't make them go away. Hiding possible vulnerabilities doesn't make them go away...

I do see where you are coming from, and I completely agree that unnecessary and extraneous features or tools add additional attack vectors. I've said as much before about a hardware wallet which has games on it, and about installing a bunch of other software on any device which you are using to hold large amounts of bitcoin.

However, Lightning support (for example) is neither unnecessary nor extraneous. Electrum offers a wide range of functions which some users don't use, such as multi-sig wallets, coin control, RBF, Lightning, and so on. As bitcoin develops, then more features will be implemented, such as taproot. Many people want and use these features; some don't. If you don't want these features, then don't use them. If you feel they are posing an unnecessary risk for you, then use different software or a different set up which completely mitigates such attack vectors, such as an airgapped device.

At least someone understands what I'm saying. Although you don't agree with me, you give a funded opinion.

Greets.

[1714706592]

1714706592

[1714706592]

1714706592

[1714706592]

1714706592

[1714706592]

1714706592

[pooya87]

Every software developer knows that removing (unused) code makes software less vulnerable because it reduces the attack surface. That's a fact.

Nobody is disagreeing with your "fact" here but what nobody agrees with is your false assumption that there is unused code or features in Electrum that needs to be removed.
Maybe you should explain explicitly why you think a certain feature is unused?

[Pmalek]

You can't talk about facts without providing some yourself. In one of your posts you said that "many people" are confused with Electrum's extra features. Even if that's true (which you haven't proven with statements from those many confused people), that doesn't make them useless. It just means that people don't know what they are, but that's their fault. If you don't know what something is or how to use it, you check the documentation, do a Google search, or ask on a forum, such as this one.

I am curious about why you think you get to decide what is OK and what isn't? I have said previously that I don't use Electrum's LN, but if I given a chance to get rid of it and my vote determines its future, I would vote against having it removed. Just because I don't need it, what right do I have to decide what others can do?

If you are a hodler like you said, and you use Electrum as a cold-storage (which I assume you do), how can a vulnerability in one of the features you don't like affect your wallet? If it's a properly set up cold-storage, no one can take advantage of anything over the Internet. It shouldn't be possible to establish a connection from your PC. If you have full-disk encryption and password-protected open-source OS with private keys and seeds stored offline, no one can steal your personal information even if given physical access to your computer.     

[PawGo]

Every software developer knows that removing (unused) code makes software less vulnerable because it reduces the attack surface. That's a fact. Strange that some people defend extra features (extra code) even if they are not using them...

Even if i don't use that feature, someone else does and there's developer willing to implement and maintain it. But if no one willing to maintain it, i agree it's time to remove it gradually (starting from deprecation warning to actual removal after some time).

Electrum's coverage is around 60%, which is not very bad (https://coveralls.io/github/spesmilo/electrum?branch=master)
I did not check exactly which lines are uncovered, but knowing developers and product's reliability we may assume all the critical parts are sufficiently tested.
Everyone may use SonarQube to see quality of code and make their own opinion about it.

I do not know if OP is mentioning features which are not (or rarely) used by end-users or pieces of coda which are not called/not used. It is true that code cleaning is always a good idea, but if there is code which is never used, I do not see why it could be dangerous (creating a new attack vector). It would be just annoying for developers.

[Kakmakr]

I have to agree with you .... I will rather prefer a slim version of Electrum with all the basic features you need... than a feature rich version of Electrum with bells&whistles you almost never use. (Make those add-ons for the people who wants to use it) 

As you said in your post.... loads of features increase attack vectors for more exploits and that is not what we want. Now you have a feature rich wallet with a lot of holes and weak security. (This will also force regular updates and fixes and newer version of the software.. that will open up opportunities for hackers to exploit that too) - Solarwinds hack was done via an update ==>  "install the malicious code into a new batch of software distributed by SolarWinds as an update or patch." Source : https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know     

[Pmalek]

As you said in your post.... loads of features increase attack vectors for more exploits and that is not what we want. Now you have a feature rich wallet with a lot of holes and weak security.

I would agree with you if Electrum had a history of people taking advantage of various bugs and vulnerabilities that weren't fixed and tested thoroughly before they got rolled out as new features. But I don't remember such incidents that caused serious problems. Maybe someone can refresh my mind?

Just because there weren't any in the past, doesn't mean there won't be any in the future. It's better to be safe than sorry. However, this is still a suggestion to fix something that isn't broken in the first place.

[thefirstnamelessdude]

If you are a hodler like you said, and you use Electrum as a cold-storage (which I assume you do), how can a vulnerability in one of the features you don't like affect your wallet? If it's a properly set up cold-storage, no one can take advantage of anything over the Internet. It shouldn't be possible to establish a connection from your PC.

Hmm... Seems everyone here want to discuss my security model instead of electrum's.

To answer your question: Just as an example... Maybe a future (or present) feature can be used to activate the (built-in Wifi) network adapter of my device which I carefully disabled? Maybe it works as a trigger for other software or even OS components to start the network adapter? We will not know it until the day it actually happens. That's what they call vulnerabilities/exploits.

I have said previously that I don't use Electrum's LN, but if I given a chance to get rid of it and my vote determines its future, I would vote against having it removed. Just because I don't need it, what right do I have to decide what others can do?

Even if i don't use that feature, someone else does and there's developer willing to implement and maintain it. But if no one willing to maintain it, i agree it's time to remove it gradually (starting from deprecation warning to actual removal after some time).

Strange that some people defend extra features (extra code) even if they are not using them...

Even more, I think it's very twisted reasoning to defend extra features because of others who remain silent in this topic. Also, I'm not asking the actual removal of features but merely suggesting there could be multiple electrum versions with different features or extra features could be offered via downloadable plugins/extensions.

However, this is still a suggestion to fix something that isn't broken in the first place.

Right, you suggest that we wait until it's broken? We all know how all those wallets with lots of features end... with lots of vulnerabilities/bugs and very frequent (risky) updates!
Electrum is the best and safest BTC (SPV) wallet we have today, let us keep it that way by keeping things simple.

Greets.

[Pmalek]

To answer your question: Just as an example... Maybe a future (or present) feature can be used to activate the (built-in Wifi) network adapter of my device which I carefully disabled? Maybe it works as a trigger for other software or even OS components to start the network adapter? We will not know it until the day it actually happens. That's what they call vulnerabilities/exploits.

That's the problem and the point I am trying to make. You are not supposed to have network adapters and WIFI cards present in your airgapped system. They should be physically removed. If they aren't there, a bug, vulnerability, or malware can't activate something that doesn't exist. That's why I said properly airgapped device.

Unfortunately, we are going back to your security model again. If your security model mitigates most attack vectors, you don't need to worry what is going on with the code in the features you aren't using.

[thefirstnamelessdude]

...
Unfortunately, we are going back to your security model again. If your security model mitigates most attack vectors, you don't need to worry what is going on with the code in the features you aren't using.

Hmm... Seems everyone here want to discuss my security model instead of electrum's.

You are not accepting that this topic is about electrum's security model and not about mine. In your opinion I should mitigate all vulnerabilities and flaws that electrum has and will ever have. Twisted reasoning again, the software itself should be as secure as possible to begin with.

Since we're going in circles, I'm not going to reply again if it's about my security model.

Greets.

[Pmalek]

You are not accepting that this topic is about electrum's security model and not about mine. In your opinion I should mitigate all vulnerabilities and flaws that electrum has and will ever have.

You are welcome to take your suggestions to Electrum's GitHub, explain your reasoning, and propose new solutions. Anyone can create a new issue thread. Who knows, maybe you will even get some support by the community. I remain skeptical, but that's just me. Maybe the Electrum developers even have a way to check how often a feature of their software is used. Although that would look like spying on their customers. Ask and see if there is any data that can back up your theory of unused and unwanted features.   

[Cricktor]

I find Electrum's feature set quite basic and somewhat just right for me. I'm not missing something, it feels just right. I'm no newbie and chose Electrum deliberately because of its reputation as a well maintained SPV wallet.

I understand the OP's viewpoint, but disagree to remove features as I believe this could make software development and maintenance more complicated and thus likely more error prone. Following OP's philosophy you'd need to agree to a more basic set of features. I guess many users might have very different minimal feature sets to agree on. This could distract new users who'd need to execute further actions to add some features they're missing. A plugin systems adds more complexity and likely opens new attack surfaces; you'd have to carefully check each plugin to be genuine and not tampered with...

As long as Electrum has a feature set that serves many users, it will stay an attractive wallet. This is motivating for the developer(s) and possibly also attracts more people to engage with maintenance and further development. Splitting the wallet into a basic and advanced version isn't easy and wastes dev energy and complexity.

The OP's example of some feature of Electrum reactivating some network devices is in my view rubbish as this shouldn't be a function of a wallet to mess with network devices (yes, I get it, it was only an example). I'd see this clearly as an error of the OS or other parts of the running system but not Electrum's. You shouldn't blame all glitches to the wallet, though.


Electrum is my main wallet of choice, I run my own Bitcoin node and Fulcrum server to feed my Electrum wallet with my own blockchain data set. I don't want my wallet to restrict me. All I need with a wallet I find in Electrum. I won't say I use every feature of Electrum, but I'm very fine with it that I could if I had to. That's what I love with Electrum.

[LoyceV]

To answer your question: Just as an example... Maybe a future (or present) feature can be used to activate the (built-in Wifi) network adapter of my device which I carefully disabled? Maybe it works as a trigger for other software or even OS components to start the network adapter? We will not know it until the day it actually happens. That's what they call vulnerabilities/exploits.

That's the problem and the point I am trying to make. You are not supposed to have network adapters and WIFI cards present in your airgapped system. They should be physically removed. If they aren't there, a bug, vulnerability, or malware can't activate something that doesn't exist. That's why I said properly airgapped device.

I want to add that even if you have a Wifi adapter in your laptop, Electrum (or any other application running with user permissions) shouldn't have access to enabling it. That's something you can disable on a system level, requiring root access to turn it back on.
I expect the threat coming from Electrum itself to be smaller than potential threats coming from other software on the average PC. If you want to remove features from Electrum to reduce potential attack vectors, you'll need to do the same to your entire operating system.
So keeping it offline is much easier

Since we're going in circles, I'm not going to reply again if it's about my security model.

There's a reason for that: Electrum security can't be seen on it's own. It's not a standalone device, it's a small part of much more software you're using.

[The Sceptical Chymist]

I disagree. I think it is good to have many features in a software, some of which are very advanced. But that doesn't mean that software has to become hard to use for regular beginners. Those advanced features could be hidden under an advanced option where the user has to enable them or access them manually after seeing a warning that they are entering "advanced mode". Like the console option that Electrum has.

Exactly (to the bolded part above).  Electrum isn't hard to use if you're just sending and receiving bitcoin--and certainly not if you're just holding coins long-term.  If the latter is the case, you don't even have to see the available features all that often unless you're checking your balance like a madman. 

I don't use 1/3 of the features Electrum offers, but I don't find their presence to be intrusive and I'm not sure why OP does, or why he thinks the wallet should be simplified.  I say as long as security remains strong, load it up with as many features as possible and keep them out of sight so advanced users will use it and less advanced ones (like me) will still feel comfortable doing the same.

And if you're just storing coins for the long term and using Electrum to do so, all you really need is either a piece of paper or metal to put the seed phrase on, and a place to store the addresses for receiving coins if that's necessary.  A hardware wallet, as others have suggested, doesn't even offer any additional benefits that I see.

[Charles-Tim]

And if you're just storing coins for the long term and using Electrum to do so, all you really need is either a piece of paper or metal to put the seed phrase on, and a place to store the addresses for receiving coins if that's necessary.  A hardware wallet, as others have suggested, doesn't even offer any additional benefits that I see.

This is much of a better option but also you can even decide to use a watch-only wallet along side the Electrum cold storage. This is the guide below which for ease reason, will require two devices, any or both Electrum on computer or mobile phone can be used as watch-only or cold storage.

https://electrum.readthedocs.io/en/latest/coldstorage.html

The master public key can generate addresses which is what watch-only wallet is using to generate addresses, but can not be used for spending but for only tracking transactions (the reason it is called watch-only) because no private key or seed phrase is imported (no spending). The watch-only wallet can be used to making unsigned transaction which would be transferred to the the cold storage wallet (in which the seed phrase that can generate the private key, or the private key itself is imported) through USB or QR (QR code recommended) to be signed on the cold storage device which is transferred back to the watch-only wallet through USB or QR code to broadcast the signed transaction.

But any of the option used, it is still truly highly important to backup seed phrasen (like on a paper or steel sheet), having like 2 to 3 backup in different locations.

Hardware wallet can be useful for people that want to use altcoins, but not necessary and not a better option for bitcoin users that go for cold storage like Electrum cold storage which is better. Also, unlike buying hardware wallet from the company that are selling it which can sell your data or in which the data can be breached by hackers like the Ledger Nano data leak, what was most painful during the leak were people calling (although speaking different language) people that bought Ledger Nano directly from the company that they will visit their home. That is threatening.

[Pmalek]

I don't use 1/3 of the features Electrum offers, but I don't find their presence to be intrusive and I'm not sure why OP does, or why he thinks the wallet should be simplified.

He says that more features (which also means more code) could create more possibilities to attack the software due to a vulnerability somewhere. In essence, his opinion is not wrong. The bigger the codebase is, the greater the chance that a mistake was made somewhere that was overlooked. His problem though is that he doesn't want people to question his own setup. But if he changed his own methods, there would be no reason for the Electrum developers to simplify their app and allow users to handpick what they want to install and what not. And even if they do, there is no guarantee that such a vulnerability wont be discovered in the most basic feature the wallet has.   

[Charles-Tim]

He says that more features (which also means more code) could create more possibilities to attack the software due to a vulnerability somewhere. In essence, his opinion is not wrong.

But there can be a building as high as Burj Khalifa but resistant to storm and heavy rainfall, but there are several low buildings that are not resistant to wind and heavy rain. There can be wallet with simple codes but vulnerable to attack just like you mentioned later while Electrum is still known to be safe.

I did not want to repeat myself, but I seek pardon. Electrum gives answers to it all. If he does not want to use what the public are using, according to what LoyceV posted before, Electrum source code is completely (100%) open source, he can slim it down. This is the only option left which I will not even advice him to do if he is not professional enough in the field for him not to make what is not known yet vulnerable to be easily vulnerable against attack.