Topic: Electrum Hashes (Read 432 times)

legendary
Activity: 1624
Merit: 2481
January 02, 2019, 04:01:19 AM
#34
Quote
this is scary. does anybody know how to find honest servers?

If you want a server you can completely trust.. set up an own server.

If you don't want to do this, you'll have to trust a server which is controlled by someone you don't know.
Generally this isn't a problem since the server is only used to send transactions and to receive the current balance of your wallet.

If you never click on any links and never download any software, you are fine.
legendary
Activity: 3472
Merit: 10611
January 02, 2019, 12:14:59 AM
#33
Quote
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes then sign them with their key.

Quote
can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would serve both purposes.

there is no point in doing that because if you want to be safe you still have to verify the PGP signature of the "hash file" so you still have to have the PGP public key of the developer, know how to verify signatures and have the application for doing that installed.
so why bother with hashes in the first place?

not to mention that this model may lead to some lazy people skipping the PGP signature verification step and sticking to hash verification which is NOT enough for verifying authenticity of a downloaded file. hashes are only used for verifying "integrity" of a downloaded file and there is a big difference between the two concepts.
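Added example (written for this thread, not code from any poster and not Electrum's own release tooling) showing the integrity-versus-authenticity point made in posts #30, #31 and #33: a published hash only tells you the bytes match the hash you were handed, while a signature over the hash file ties it to a key you pinned in advance. Electrum and Ubuntu use PGP/GnuPG for the signature; this example stands in Ed25519 from Go's standard library so it runs offline, and the filename and file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download site publishes: the artifact, one SHA256SUMS-style
// line ("<sha256hex>  <filename>"), and a signature over that line.
type Release struct {
	Artifact  []byte
	HashLine  string
	Signature []byte
}

// hashLine builds the SHA256SUMS-style line for an artifact.
func hashLine(name string, data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) + "  " + name
}

// publish is the maintainer's step: hash the artifact, then sign the hash line
// (the "Ubuntu model": the signature covers the small hash file, not the big artifact).
func publish(priv ed25519.PrivateKey, name string, data []byte) Release {
	line := hashLine(name, data)
	return Release{Artifact: data, HashLine: line, Signature: ed25519.Sign(priv, []byte(line))}
}

// integrityOK mirrors "sha256sum -c": does the artifact match the published hash line?
func integrityOK(r Release, name string) bool {
	return r.HashLine == hashLine(name, r.Artifact)
}

// authenticityOK mirrors "gpg --verify" against a key you pinned beforehand:
// was this exact hash line signed by the maintainer's key?
func authenticityOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, []byte(r.HashLine), r.Signature)
}

// tamper models an attacker who controls the download site (the Linux Mint case):
// they can swap the artifact and rewrite the hash line, but they lack the maintainer's
// private key, so the best they can do is leave the old signature in place.
func tamper(r Release, name string, malicious []byte) Release {
	return Release{Artifact: malicious, HashLine: hashLine(name, malicious), Signature: r.Signature}
}

// tamperAndResign models the same attacker signing the rewritten hash line with a key
// of their own. It only helps them if the downloader never pinned the real key.
func tamperAndResign(r Release, name string, malicious []byte, attackerPriv ed25519.PrivateKey) Release {
	line := hashLine(name, malicious)
	return Release{Artifact: malicious, HashLine: line, Signature: ed25519.Sign(attackerPriv, []byte(line))}
}

// Verify is the full downloader-side check: both results are returned so the caller
// can see that integrity alone says nothing about who produced the file.
func Verify(pub ed25519.PublicKey, r Release, name string) (integrity, authenticity bool) {
	return integrityOK(r, name), authenticityOK(pub, r)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // maintainer's pinned key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	name := "electrum-example.tar.gz" // constructed filename
	genuine := []byte("constructed: genuine release bytes")

	rel := publish(priv, name, genuine)
	i, a := Verify(pub, rel, name)
	fmt.Printf("genuine release:     integrity=%v authenticity=%v\n", i, a)

	bad := tamper(rel, name, []byte("constructed: trojaned release bytes"))
	i, a = Verify(pub, bad, name)
	fmt.Printf("site compromised:    integrity=%v authenticity=%v\n", i, a)

	resigned := tamperAndResign(rel, name, []byte("constructed: trojaned release bytes"), attackerPriv)
	i, a = Verify(pub, resigned, name)
	fmt.Printf("attacker re-signed:  integrity=%v authenticity=%v\n", i, a)
}
```

Run it and the tampered releases pass the hash check every time, because the attacker who replaced the file also replaced the hash; only the signature check, against a key obtained out of band and pinned before the download, fails. That is why checking the hash without checking the signature is the step the thread warns lazy users will stop at.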
newbie
Activity: 26
Merit: 0
January 01, 2019, 01:09:56 PM
#32
Quote
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes then sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would serve both purposes.
legendary
Activity: 3472
Merit: 10611
December 31, 2018, 11:22:16 PM
#31
Quote
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 hash) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes then sign them with their key.
legendary
Activity: 3696
Merit: 1584
December 31, 2018, 04:40:21 AM
#30
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.
newbie
Activity: 26
Merit: 0
December 31, 2018, 02:50:11 AM
#29
^ This. Exactly.

At the very least, hashes should be posted on the website or the release.txt
How hard is it? I don't think it will take more than 5 minutes.
legendary
Activity: 3808
Merit: 1723
December 31, 2018, 02:10:42 AM
#28
I am actually surprised that the developer doesn't post the hashes for the executables on his website or in the Electrum section of Bitcointalk.

Because I've had issues learning how to verify his signature within Windows. The linux method was easy because you just copy and paste a few commands but getting that windows PGP to verify the signature took a few hours to do correctly.

I guess one reason why could be that with every new update he would need to update the hashes each and every time, but doing it the PubKey PGP method as he does now, he doesn't need to.
HCP
legendary
Activity: 2086
Merit: 4361
December 28, 2018, 07:47:58 PM
#27
Quote
PLEASE do something about this issue & at the very least run a "Official Electrum Server".
I don't see any point in that... you're still having to trust a third party... if you REALLY want to trust the Electrum server you connect to, you should set up your own full node and run your own Electrum server.


Quote
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.
Personally, I think the issue is being blown out of proportion a little bit...

Electrum is still secure... this was really just social engineering by abusing a feature within Electrum. It still required that the user download, install and run malware.  It's not really that different to buying Google advertising and setting up a fake Electrum website and tricking users into downloading your fake Electrum.

I only ever download Electrum by going to electrum.org, downloading the executable... and then checking the file signatures are legit. That is probably the most crucial step!
newbie
Activity: 26
Merit: 0
December 28, 2018, 06:21:27 AM
#26
Request for future- Electrum Technologies GmbH and devs

PLEASE do something about this issue & at the very least run a "Official Electrum Server".
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.

Thanks.

legendary
Activity: 1246
Merit: 1029
December 28, 2018, 06:12:39 AM
#25
Quote
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?

Former -> You should be fine by connecting to any of those listed above.
Latter -> No, there's nothing as an Official electrum server.
newbie
Activity: 26
Merit: 0
December 28, 2018, 05:28:58 AM
#24
Quote
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?
jr. member
Activity: 49
Merit: 23
December 28, 2018, 04:00:19 AM
#23
Quote
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.
legendary
Activity: 3472
Merit: 10611
December 28, 2018, 01:20:57 AM
#22
Quote
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

just FYI, there is no risk in connecting to any of those servers with your "real" Electrum wallet. they are in fact Electrum servers and they can't do anything to harm you. the only thing they do is that when you send a transaction they ask you to "click a link" and "download their malicious software". so don't click that link!

other than that, as long as you know this, you don't have to worry about what server you connect to.

but if you are so worried about it, you cannot blacklist a server, but you can force Electrum to always connect to one server. go to your network window and switch to the network tab, deselect automatic connection and choose a server to connect to manually.
legendary
Activity: 1246
Merit: 1029
December 28, 2018, 01:17:46 AM
#21
Quote
got it. thanks.

any other server guys?

I believe I've seen these servers for a long time:

Code:
VPS.hsmiths.com
electrum.anduck.net
electrum.be
electrumx.ml
139.162.14.142
185.64.116.15
newbie
Activity: 26
Merit: 0
December 27, 2018, 03:18:46 PM
#20
got it. thanks.

any other server guys?
HCP
legendary
Activity: 2086
Merit: 4361
December 27, 2018, 03:17:25 PM
#19
Quote
how is it not already sorted? i guess, electrum is one of the oldest wallets out there.
Fixing things "properly" takes time... the worst thing the devs could do is rush a "fix" that hasn't been properly tested that then turns out to make things worse!


Quote
this is scary. does anybody know how to find honest servers?
There is no danger if you do not download and run the malicious software.

If you connect to a server and it comes up with the error... connect to a different server. At worst all they can do is log your IP and addresses... but ANY Electrum server can already do this. They can't steal your BTC just by connecting to a "bad" server.

electrum.hsmiths.com is one of the "oldest" Electrum servers that I know of... whether or not it is any more trustworthy than any other Electrum server, I have no way of knowing/confirming.

Just pick one from the server list that IS NOT in the list posted above...
newbie
Activity: 26
Merit: 0
December 27, 2018, 03:08:50 PM
#18
how is it not already sorted? i guess, electrum is one of the oldest wallets out there.

this is scary. does anybody know how to find honest servers?
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:45:10 PM
#17
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 02:42:35 PM
#16
Quote
so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!!

i thought electrum would be easy. guess i was wrong.
You could just select a trusted server instead of using Auto connect.

AFAIK all the server could do is block you from sending transactions (by giving it the error) and show that fake message.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:40:23 PM
#15
so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!!

i thought electrum would be easy. guess i was wrong.