Pages:
Author

Topic: Critical Security Release: Please update to Electrum 3.0.5 - page 4. (Read 956 times)

administrator
Activity: 5222
Merit: 13032
1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

That won't help.

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.
newbie
Activity: 58
Merit: 0
I believe Thomas is ecdsa on github..

https://github.com/spesmilo/electrum/issues/3374

Looks like mithrandi wrote the patch, maybe thats why the sig doesnt match


legendary
Activity: 3948
Merit: 3191
Leave no FUD unchallenged
Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.

It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension.  The website itself might look a little dated, but it's a good little plugin.  It does take a while to get used to, but the extra security is worth the small learning curve.  This will greatly reduce the general threat from malicious JavaScript while browsing online.  Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser.  NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.
legendary
Activity: 2632
Merit: 1023
keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
wait wait wait

so....its possible

[1] there is no error, and the site has been hacked to get everyone to down load the 3.0.4 which may have a backdoor in it.....

[2] or there is an error and the 3.0,4 site is hacked as well?

WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
legendary
Activity: 1498
Merit: 1117
keep calm, update and send the coins out. but is my hardware wallet really more secure than Electrum or any other wallet. bloody hell. sometimes it is really horrible to have bitcoins.

this looks good, doesn't it?

Code:
gpg --verify electrum-3.0.4.dmg.asc electrum-3.0.4.dmg
gpg: Signature made Sat Jan  6 23:59:14 2018 CET
gpg:                using RSA key 2BD5824B7F9470E6
gpg: requesting key 2BD5824B7F9470E6 from hkps server hkps.pool.sks-keyservers.net
gpg: key 2BD5824B7F9470E6: 90 signatures not checked due to missing keys
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2018-08-19
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg:                 aka "ThomasV " [unknown]
gpg:                 aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
newbie
Activity: 58
Merit: 0
Are firefox users protected regardless? I thought firefox quantum would not allow json exploits.
legendary
Activity: 2632
Merit: 1023
This is kinda .... disappointing ... always air gap! though.


I would like to know the history of how this was missed and included in the code!
hero member
Activity: 616
Merit: 603
I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering that fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacked to use javascript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

Edit: I've raised a bug for TAILS to update their electrum version to 3.0.4 https://labs.riseup.net/code/issues/15151
legendary
Activity: 1918
Merit: 1012
★Nitrogensports.eu★
It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in intel chips and now this.
HCP
legendary
Activity: 2086
Merit: 4363
In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.

Additionally, the "vulnerable" Electrum on your online computer, could still leak "private" data like your addresses/wallet info etc. (as opposed to "sensitive" data like the private keys/seed)
legendary
Activity: 3808
Merit: 1723
So if you are using cold storage this shouldn't be much of an issue?
legendary
Activity: 3710
Merit: 1586
A new release was made to mitigate the impact of this bug: https://github.com/spesmilo/electrum/issues/3374

See release notes here: https://github.com/spesmilo/electrum/compare/fdd10bfb6083%5E...063ec0a758dd

Edit: 3.0.5 has now been released which  fixes the bug.

Download from electrum.org/#download
Pages:
Jump to: