Electrum clients older than 3.3 can no longer connect to public electrum servers

HCP

legendary

Activity: 2086

Merit: 4369

Quote from: Abdussamad on March 17, 2019, 06:21:51 AM

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

I think that the old quote from John Lydgate sums it up quite nicely...

Quote

“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time”.”
― John Lydgate

I can certainly understand why the devs chose this approach (exploiting a DoS vulnerability)... not sure I 100% agree with it, but I honestly can't think of anything else they could realistically have done... they'd already advertised about the previous "error message exploit" here, on twitter, on the official website etc... and still, weeks after the initial incident and patch, there are still users getting caught out. Undecided

Abdussamad

legendary

Activity: 3766

Merit: 1601

Quote from: Artemis3 on March 16, 2019, 08:20:30 PM

Quote from: bL4nkcode on March 15, 2019, 04:04:22 AM

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

It's a case of damned if you do and damned if you don't! People who lost money to the scam were cursing the developers and threatening to sue them so they had to do something. Now people are complaining that they have to update electrum!

Note that it's not just the phishing bug. The DoS bug they are exploiting is also there and there's a wallet file corruption bug that was fixed recently as well.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: TryNinja on March 16, 2019, 08:24:35 PM

Quote from: Artemis3 on March 16, 2019, 08:20:30 PM

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

Yes. If they started doing this from day one, the damages would have been much smaller.

as far as i can tell there is no bug in the server side to be used to cause a crash anyways. this DoS attack that is being discussed here is on the client side and it was also found recently so it couldn't be used from early days either.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: Artemis3 on March 16, 2019, 08:20:30 PM

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

Unless people start falling for the scam (which actually happened and resulted in the loss of hundreds - if not thousands - of BTC). Just because you know this is a scam, doesn't mean others will.

Quote from: Artemis3 on March 16, 2019, 08:20:30 PM

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

Yes. If they started doing this from day one, the damages would have been much smaller.

Artemis3

legendary

Activity: 2030

Merit: 1573

CLEAN non GPL infringing code made in Rust lang

Quote from: bL4nkcode on March 15, 2019, 04:04:22 AM

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

I think this was rude for something that was nothing more than a little nag you could just ignore and go to another server.

Last i used 3.2 i had no issues ignoring the stupid phishing message and just switch servers.

You are telling me that crashing the client wallet is better? The wallet is not even at fault, why don't you find and crash the rogue Electrum servers instead?

Abdussamad

legendary

Activity: 3766

Merit: 1601

idk. you can ask them on irc.

i know auto updates were rejected by bitcoin core because in the event of a compromise of their servers every user could become infected with malware.

DireWolfM14

copper member

Activity: 2338

Merit: 4543

Quote from: Abdussamad on March 15, 2019, 08:40:57 AM

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.

Wouldn't it be more secure to process updates through the software it's self, rather than rely on users going to the right website for download checking signatures? Is that something the dev team is planning for future releases?

Abdussamad

legendary

Activity: 3766

Merit: 1601

Quote from: nc50lc on March 15, 2019, 09:43:31 PM

This "~~fix~~bandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

Yes if the first server they connect to is a bad one or an unpatched good one their clients will not crash. Also if they are using versions 3.3 - 3.3.2 they will still see the phishing messages if they are connected to a bad server and attempt to spend their bitcoins. However, with version 3.3.2 the message is not rendered in rich text.

Once legit servers deploy this it'll greatly reduce the room attackers have to operate.

pooya87

legendary

Activity: 3472

Merit: 10611

is it just me or these days it seems like a new rather serious issue (bug) is being found in Electrum every week or so?!

Quote from: nc50lc on March 15, 2019, 09:43:31 PM

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.

this was more of a bug that is being exploited and when they do it "kills" the network instance of your application and as far as i can understand it can no longer do anything else let alone connect to another server.

nc50lc

legendary

Activity: 2646

Merit: 6681

Self-proclaimed Genius

This "~~fix~~bandage" is much much better than the "Good Messages" from legitimate servers which scared the heck out of the newbies.

But if it is DOS, it is still possible for the "uninformed" to connect to those bad servers depending on their network connection and the number of the "good" attackers.
Or is it (are there) something else than Denial of Service?

Abdussamad

legendary

Activity: 3766

Merit: 1601

old versions are unsafe so they are deploying this "fix" on good electrum servers. it means if you run an old version and happen to connect to a good server electrum will crash forcing you to seek help. when you do we will tell you to upgrade. so that's what you should do

it's for your own good!

edit: the upgrade is not automatic. you have to download and install the latest version from electrum.org.

G3nijalac

member

Activity: 120

Merit: 10

so if I am using a version older than 3.3 can I still manualy connect to a server?

edit: "We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages." does this mean if i open my old version electrum it will automaticaly be forced to upgrade to the latest safe version?

Abdussamad

legendary

Activity: 3766

Merit: 1601

It'll take time for good servers to roll out this new code. Once they do the scammers will have only one avenue left - they have to get you to connect to their server first!

Lucius

legendary

Activity: 3234

Merit: 5637

Blackjack.fun-Free Raffle-Join&Win $50🎲

This is finally something that will solve the problem with phishing messages, but unfortunately I think they waited too long to prevent hackers in their dirty game. Is this something what could have been done earlier, how complicated it is from the technical side to prevent old versions of Electrum to connect to public Electrum servers?

hatshepsut93, I use Electrum yesterday and I also notice that it took much longer time to connect to server. I am not sure how you still can connect with old version, probably this blocking is not working 100%.

hatshepsut93

legendary

Activity: 3038

Merit: 2162

I've opened my watch-only wallet today and freaked out a little bit when it failed to connect to multiple servers, but eventually I managed to connect to a server. So, it seems like the DOS is not total. Still, it's good to know that it's a white hat DOS, and even though I don't use Electrum for sending transactions on online machines, I'm still going to upgrade soon. Thanks for sharing!

bL4nkcode

copper member

Activity: 2142

Merit: 1305

Limited in number. Limitless in potential.

Electrum clients older than 3.3 can no longer connect to public electrum servers. We started exploiting a DOS vulnerability in those clients, in order to force their users to upgrade, and to prevent exposure to phishing messages. Linux Tail users should download our Appimage.

https://twitter.com/ElectrumWallet/status/1106479573917724672

Topic: Electrum clients older than 3.3 can no longer connect to public electrum servers (Read 332 times)