The official Electrum wallet site has HTTPS, the fake one does not.
Is that possible, can a hacker host files on someone else's domain with HTTP?
Verify PGP sigs!!!
Sorry for the stupid question, but how does one exactly do that with the downloads?
First question: nope, with or without SSL/TLS, you're connecting to the same website. He probably confused it with a phishing something like el3ctrum or electrun.
Second question, he probably meant the md5 hash for checksum, it's always said on the official website so that you can guarantee that you're downloading the right version.
NO, no no!!! I did NOT mean the md5. That can be written on the forged website.
I meant the PGP signature. The PGP signature *HAD* to have come from the actual Electrum developers. THAT'S what you need to verify.
To the right of the link to download, you'll see another link that says "sig" or "signature", which will lead you to either a .asc file or a .sig file.
You then use PGP software (usually in the form of GPG) to verify that the signature is correct and from either the key:
9914864DFC33499C6CA2BEEA22453004695506FD
or the key
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
You need to learn how to use GPG for that. It's a pain in the ass to learn, but once you learn it, it is extremely useful. It's that same software people use to encrypt their e-mail. Google and find YouTube videos about setting it up. It takes time to learn, and that sucks, but you'll be glad you know it once you do.
The PGP signature, unlike a hash, can only be created by the developers. So even if the website is hacked and the hackers put up new md5's for their evil files, they still can't make fake PGP signatures.
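An added example, not part of the original posts: a shell sketch of the check described above, which accepts a download only when GPG reports a good signature made by one of the two fingerprints quoted in the thread. It assumes `gpg` is installed and the developers' public keys are already imported; the function names and the script name `verify.sh` are hypothetical.

```shell
#!/bin/sh
# Key fingerprints quoted in the post above. A download is accepted only if
# a good signature was made by one of these keys (or by one of their subkeys).
TRUSTED_FPRS="9914864DFC33499C6CA2BEEA22453004695506FD 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Reads `gpg --status-fd` output on stdin and succeeds only if some signature
# is reported GOODSIG (not expired, revoked or bad) and its VALIDSIG line
# carries a pinned fingerprint as signing key (field 3) or primary key (last).
signer_is_trusted() {
    awk -v trusted="$TRUSTED_FPRS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) pinned[toupper(t[i])] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "NEWSIG"   { good = 0 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            if (good && ((toupper($3) in pinned) || (toupper($NF) in pinned))) found = 1
            good = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# verify_download FILE SIGFILE
# Assumes the developers' public keys are already imported into the keyring.
# gpg's exit code is ignored on purpose: the decision rests on the pinned
# fingerprint, and a file may carry extra signatures from keys you lack.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_is_trusted
}

# Stand-alone use: sh verify.sh <downloaded-file> <signature-file>
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: signed by a pinned key"
    else
        echo "FAIL: no good signature from a pinned key" >&2
        exit 1
    fi
fi
```

Pinning the full fingerprint matters because a forged site can publish its own key and a matching signature; a "Good signature" message alone does not say whose key made it.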