Author

Topic: Electrum Hashes (Read 438 times)

legendary
Activity: 1624
Merit: 2481
January 02, 2019, 04:01:19 AM
#34
this is scary. does anybody know how to find honest servers?

If you want a server you can completely trust.. set up an own server.

If you don't want to do this, you'll have to trust a server which is controlled by someone you don't know.
Generally this isn't a problem since the server is only used to send transactions and to receive the current balance of your wallet.

If you never click on any links and never download any software, you are fine.
legendary
Activity: 3472
Merit: 10611
January 02, 2019, 12:14:59 AM
#33
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes.

there is no point in doing that because if you want to be safe you still have to verify the PGP signature of the "hash file" so you still have to have the PGP public key of the developer, know how to verify signatures and have the application for doing that installed.
so why bother with hashes in first place?

not to mention that this model may lead to some lazy people skip the PGP signature verification step and stick to hash verification which is NOT enough for verifying authenticity of a downloaded file. hashes are only used for verifying "integrity" of a downloaded file and there is a big difference between the two concepts.
newbie
Activity: 26
Merit: 0
January 01, 2019, 01:09:56 PM
#32
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.

can the devs adopt the Ubuntu hash model, that is- sign the hashes with PGP key. This would server both purposes.
legendary
Activity: 3472
Merit: 10611
December 31, 2018, 11:22:16 PM
#31
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.

i think the confusion stems from the fact that linux distributions such as Ubuntu provide a hash (SHA1, MD5, and SHA256 has) of the .iso file but what people miss is that they are also signing the hashes with a PGP key which you have to verify.
i believe they are doing it that way because it may not be possible to sign a 1-2 GB file (the .iso) with a PGP. so they provide hashes the sign them with their key.
legendary
Activity: 3710
Merit: 1586
December 31, 2018, 04:40:21 AM
#30
Hashes are worthless because even fake sites can host hashes. Also if the official site gets hacked the hacker can replace the hashes too. This has actually happened in the past in the opensource world with linux mint. A digital signature can't be forged though so that's why digital signatures are provided.
newbie
Activity: 26
Merit: 0
December 31, 2018, 02:50:11 AM
#29
^ This. Exactly.

At the very least, hashes should be posted on the website or the release.txt
How hard is it? I dont think it will take more then 5 minutes.
legendary
Activity: 3808
Merit: 1723
December 31, 2018, 02:10:42 AM
#28
I am actually surprised that the developer doesn't post the hashes for the executables on his website or in the Electrum section of Bitcointalk.

Because I've had issues learning how to verify his signature within Windows. The linux method was easy because you just copy and paste a few commands but getting that windows PGP to verify the signature took a few hours to do correctly.

I guess one reason why could be that with every new updates he would need to update the hashes each and every time, but doing it the PubKey PGP method as he does now, he doesn't need to.
HCP
legendary
Activity: 2086
Merit: 4363
December 28, 2018, 07:47:58 PM
#27

PLEASE do something about this issue & at the very least run a "Official Electrum Server".
I don't see any point in that... you're still having to trust a third party... if you REALLY want to trust the Electrum server you connect to, you should set up your own full node and run your own Electrum server.


Quote
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.
Personally, I think the issue is being blown out of proportion a little bit...

Electrum is still secure... this was really just social engineering by abusing a feature within Electrum. It still required that the user download, install and run malware.  It's not really that different to buying Google advertising and setting up a fake Electrum website and tricking users into downloading your fake Electrum.

I only ever download Electrum by going to electrum.org, downloading the executable... and then checking the file signatures are legit. That is probably the most crucial step!
newbie
Activity: 26
Merit: 0
December 28, 2018, 06:21:27 AM
#26
Request for future- Electrum Technologies GmbH and devs

PLEASE do something about this issue & at the very least run a "Official Electrum Server".
The current scenario is scary and you never know, what advanced future attacks are brewing by the bad guys.

Thanks.

legendary
Activity: 1246
Merit: 1029
December 28, 2018, 06:12:39 AM
#25
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?

Former -> You should be fine by connecting to any of those listed above.
Latter -> No, there's nothing as an Official electrum server.
newbie
Activity: 26
Merit: 0
December 28, 2018, 05:28:58 AM
#24
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.

Yes guys, any more honest servers out there? is there a "Official Electrum Server" as well?
jr. member
Activity: 49
Merit: 23
December 28, 2018, 04:00:19 AM
#23
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

Yes interested in this as well.
legendary
Activity: 3472
Merit: 10611
December 28, 2018, 01:20:57 AM
#22
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?

just FYI, there is no risk in connecting to any of those servers with your "real" Electrum wallet. they are in fact Electrum servers and they can't do anything to harm you. the only thing they do is that when you send a transaction they ask you to "click a link" and "download their malicious software". so don't click that link!

other than that, as long as you know this, you don't have to worry about what server you connect to.

but if you are so worried about it, you can not blacklist a server but you can force Electrum to always connect to one server. go to your network window and switch to network tab, deselect automatic connection and choose a server to connect to manually.
legendary
Activity: 1246
Merit: 1029
December 28, 2018, 01:17:46 AM
#21
got it. thanks.

any other server guys?

I believe I've seen these servers for long:

Code:
VPS.hsmiths.com
electrum.anduck.net
electrum.be
electrumx.ml
139.162.14.142
185.64.116.15
newbie
Activity: 26
Merit: 0
December 27, 2018, 03:18:46 PM
#20
got it. thanks.

any other server guys?
HCP
legendary
Activity: 2086
Merit: 4363
December 27, 2018, 03:17:25 PM
#19
how is it not already sorted? i guess, electrum is the one of the oldest wallet out there.
Fixing things "properly" takes time... the worst thing the devs could do is rush a "fix" that hasn't been properly tested that then turns out to make things worse!


Quote
this is scary. does anybody know how to find honest servers?
There is no danger if you do not download and run the malicious software.

If you connect to a server and it comes up with the error... connect to a different server. At worst all they can do is log your IP and addresses... but ANY Electrum server can already do this. They can't steal your BTC just by connecting to a "bad" server.

electrum.hsmiths.com is one of the "oldest" Electrum servers that I know of... whether or not it is any more trustworthy than any other Electrum server, I have no way of knowing/confirming.

Just pick one from the server list that IS NOT in the list posted above...
newbie
Activity: 26
Merit: 0
December 27, 2018, 03:08:50 PM
#18
how is it not already sorted? i guess, electrum is the one of the oldest wallet out there.

this is scary. does anybody know how to find honest servers?
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:45:10 PM
#17
what if they are brewing an advanced attack!

is there a list of honest servers i can manually connect to?
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 02:42:35 PM
#16
so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!!

i thought electrum would be easy. guess i was wrong.
You could just select a trusted server instead of using Auto connect.

AFAIK all the server could do is block you from sending transactions (by giving it the error) and show that fake message.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:40:23 PM
#15
so i need to be watching out for these servers. is it humanly possible to be constantly on watchout while being on Auto connect??!!

i thought electrum would be easy. guess i was wrong.
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 02:38:54 PM
#14
how do i know, i am not connected to an attackers server? i have selected Auto connect.
From the main issue, those are the malicious servers (there could be others):

Code:
Attacker servers: [
  'gregoire12.mldlab-works.space:50002:s',
  'readonly.23734430190.pro:50002:s',
  'wireless12.bitquantum.space:50002:s',
  'superuser.23734430190.pro:50002:s',
  'pacslinkip12.krypto-familar.fun:50002:s',
  'topicres.imaginarycoin.info:50002:s',
  'wlseuser12.bitcoinplug.website:50002:s',
  'operatns.imaginarycoin.info:50002:s',
  'superman.cryptoplayer.fun:50002:s',
  'lucent01.23734430190.pro:50002:s',
  'qtmhhttp12.mldlab-works.space:50002:s',
  'plmimservice.bitcoinplug.website:50002:s',
  'username.cryptoplayer.fun:50002:s',
  'qlpinstall.krypto-familar.fun:50002:s',
  'adminstat.imaginarycoin.info:50002:s',
  'lessonuser2.cryptoplayer.fun:50002:s',
  'utilities12.pebwindkraft.space:50002:s',
  'openspirit.cryptoplayer.fun:50002:s',
  'qautprof12.coinucopiaspace.xyz:50002:s',
  'prodcics12.imaginarycoin.info:50002:s',
  'vcoadmin.23734430190.pro:50002:s',
  'siteminder.23734430190.pro:50002:s',
  'videouser.bitcoinplug.website:50002:s',
  'anonymous.bitcoinplug.website:50002:s',
  'oraprobe.23734430190.pro:50002:s'
]
Source: https://github.com/spesmilo/electrum/issues/4968#issuecomment-450046206

You can see in which server you are by going to Tools -> Network.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:28:32 PM
#13
how do i know, i am not connected to an attackers server? i have selected Auto connect.
HCP
legendary
Activity: 2086
Merit: 4363
December 27, 2018, 02:25:52 PM
#12
my thoughts as well. which server is the official server to connect to?
There is no "official" server... there are just "public" servers available, that anyone is free to setup and run... If you are attempting to avoid the Electrum "fake error message" attack, it doesn't matter which server you connect to, they can't hack your wallet unless you download the fake version of Electrum.

According to the above posts, your version of Electrum is legit, so just connect to any Electrum server and try to send your transaction. If you get the fake error message:


IGNORE IT... DO NOT CLICK ON THE LINK!

Then go and change the server to something else and try again.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:21:43 PM
#11
thanks guys. love you all.
legendary
Activity: 1246
Merit: 1029
December 27, 2018, 02:20:40 PM
#10
my thoughts as well. which server is the official server to connect to?

Just read through this GitHub issue page (https://github.com/spesmilo/electrum/issues/4968). You will find some valuable information.

Also, as a rule of thumb, do not click on the popup, in case one appears. The latest version is Electrum 3.3.2, stick to it whatsoever for now.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:10:32 PM
#9
my thoughts as well. which server is the official server to connect to?
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 02:06:51 PM
#8
I dont know why, but a hash search on virus total is showing up scary results (trojans, malware!!)
here is the link:-

https://www.virustotal.com/#/file/22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be/detection
It's just a false positive.

The file is even signed by Electrum Technologies GmbH.
newbie
Activity: 26
Merit: 0
December 27, 2018, 02:02:32 PM
#7
Cool! So these matches mine hashes. Thanks.

I dont know why, but a hash search on virus total is showing up scary results (trojans, malware!!)
here is the link:-

https://www.virustotal.com/#/file/22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be/detection
legendary
Activity: 1246
Merit: 1029
December 27, 2018, 02:01:06 PM
#6
I too used the inbuilt certUtil command and it returns the following hashes which match with your hashes.

Filename: electrum-3.3.2-portable.exe

MD5:
Code:
5e9bf05766292e74ebfb08baf15888a2

SHA1:
Code:
312afce51cbd22e8e6a93cc5611e03c14995172f

SHA256:
Code:
22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be

SHA384:
Code:
9fa3af5e26d8dd9d0311bfacd73c8b075bec199fc7cf8785f927603cf6828dac9982584a1e11c1327470f40f7908a147

SHA512:
Code:
ed972ab31f54092a4e31536d174dd2db7183d3e0a15fdad8ff85e2f9d4cb27da00075dc4a443f4a508f3fa450c43683c0b8b0f69bd23f787a337ef486890e7c8

MD2:
Code:
91999e519d48200f4e66b3c8444aee42

MD4:
Code:
04c1107f659a6dbfeb713a98015a7410
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 02:00:52 PM
#5
Hey TryNinja, thanks for the reply.

i use a windows system & cant do these commands.
also- i dont want to install additional softwares like gpg4win etc.

what i can do is, use the inbuilt certUtil in Windows cmd to do sha256, sha1, md5 hashes.

it would be truly great, if you please do a quick hash of the file and post below. thanks.   Smiley
Well, you shouldn't completely trust me, but I did get the hash of my electrum-3.3.2-portable.exe file downloaded from Electrum.org;

SHA256
Code:
22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be

SHA1
Code:
312afce51cbd22e8e6a93cc5611e03c14995172f

MD5
Code:
5e9bf05766292e74ebfb08baf15888a2

TLDR: They match.
newbie
Activity: 26
Merit: 0
December 27, 2018, 01:53:35 PM
#4
Hey TryNinja, thanks for the reply.

i use a windows system & cant do these commands.
also- i dont want to install additional softwares like gpg4win etc.

what i can do is, use the inbuilt certUtil in Windows cmd to do sha256, sha1, md5 hashes.

it would be truly great, if you please do a quick hash of the file and post below. thanks.   Smiley
legendary
Activity: 2758
Merit: 6830
December 27, 2018, 01:48:43 PM
#3
It's probably better if you verify the PGP Signatures with ThomasV's pubkey.

1. Import ThomasV's pubkey:
Code:
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x2BD5824B7F9470E6

2. Verify if it's imported:
Code:
gpg --fingerprint 0x2BD5824B7F9470E6

3. Download the signature file on the website.

4. Verify with:
Code:
gpg --verify signatureFile.asc electrum-3.3.2-portable.exe
newbie
Activity: 26
Merit: 0
December 27, 2018, 01:33:32 PM
#2
would be great, if somebody answers. i need to do some high value tranx.  Thanks.  Smiley
newbie
Activity: 26
Merit: 0
December 27, 2018, 11:38:13 AM
#1
Guys,i need hash confirmation of latest Electrum release:-
electrum-3.3.2-portable.exe

Hashes i have are:-

SHA256
22489e88966a9939cf34a94878f7ddf1dad140cce28ebe5339af6212afa611be

SHA1
312afce51cbd22e8e6a93cc5611e03c14995172f

MD5
5e9bf05766292e74ebfb08baf15888a2

Please confirm,if i have the correct file and hashes.  Smiley
Jump to: