
Topic: Electrum's new Update Notification in action (Read 293 times)

legendary
Activity: 2758
Merit: 6830
February 15, 2019, 04:06:42 AM
#10
the point is, there is no message to modify. when you download the original/legit Electrum wallet there is only one hardcoded message with 1 hardcoded link in it. they can't be modified without changing Electrum code.
the bitcoin address and the message signing is used as an additional security measure so that if the website was hacked your wallet can't receive a valid message because they still wouldn't have the private key to that address.
Oh, I see it now. I thought they sent the messages from Electrum's main server to the client (wallet), where they are then checked against the hardcoded BTC address and shown if valid.

Code:
# Electrum's Qt update checker: both the heading and the link are built client-side;
# the only server-supplied input is the version number that is_newer() compares.
if self.is_newer(latest_version):
    self.heading_label.setText('<h2>' + _("There is a new update available") + '</h2>')
    url = "<a href='{u}'>{u}</a>".format(u=UpdateCheck.download_url)
    self.detail_label.setText(_("You can download the new version from {}.").format(url))
legendary
Activity: 3472
Merit: 10611
February 14, 2019, 11:14:12 PM
#9
Scrutinizing the displayed link, it appears to be legitimate.  I did not click the link, but instead opened my browser, and used my bookmark to navigate to the Electrum website.  Indeed the download page shows version 3.3.4 is available for download.

that link is hard coded as a constant into the application's source code so you have nothing to worry about. the only thing that is received from the internet is whether or not a new version can be found on the website.
Also, aren’t the messages signed with Electrum’s Bitcoin address hardcoded in the wallet? Even if someone managed to modify the message before showing on your side, he wouldn’t pass the message signature verification.

the point is, there is no message to modify. when you download the original/legit Electrum wallet there is only one hardcoded message with 1 hardcoded link in it. they can't be modified without changing Electrum code.
the bitcoin address and the message signing is used as an additional security measure so that if the website was hacked your wallet can't receive a valid message because they still wouldn't have the private key to that address.

~
Now perhaps a means to white/black list servers...
you can already do something like that.
just go to your network window and deselect the automatic connection and then choose any server you prefer from the list of servers.
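Worked example, added here and not taken from Electrum or from any post in this thread: the trust model pooya87 lays out above, written out in Python. The client hardcodes the download URL and a list of signing addresses; the only thing it takes from the network is a version announcement, and it acts on that announcement only if the version string is a plain dotted number carrying a valid Bitcoin-style message signature from one of the hardcoded addresses. secp256k1, message signing, public-key recovery and P2PKH address derivation are written out with the standard library so the whole thing runs offline. Everything else is an assumption for the demo: the two private keys (derived from fixed strings), the addresses they yield, the server responses, the value of the download URL constant, and the response layout (a "version" string plus a "signatures" map from address to base64 signature), which is modelled on what the posts describe rather than copied from the project.

```python
# Added example, not Electrum's code. Keys, addresses, responses and the URL value are constructed.
import base64, hashlib, hmac, json, re

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):                          # affine point addition on secp256k1; None = infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    l = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (l * l - a[0] - b[0]) % P
    return (x, (l * (a[0] - x) - a[1]) % P)

def _mul(k, pt):                         # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, pt)
        pt, k = _add(pt, pt), k >> 1
    return r

def _msg_hash(msg: bytes) -> int:        # Bitcoin signed-message digest (messages under 253 bytes)
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def address(pub) -> str:                 # P2PKH address of a compressed public key (base58check)
    sha = hashlib.sha256(bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")).digest()
    try:
        h160 = hashlib.new("ripemd160", sha).digest()
    except ValueError:                   # OpenSSL builds without RIPEMD-160: fall back so the demo
        h160 = hashlib.sha256(sha).digest()[:20]   # still runs (the result is then not a real address)
    full = b"\x00" + h160
    full += hashlib.sha256(hashlib.sha256(full).digest()).digest()[:4]
    n, out = int.from_bytes(full, "big"), ""
    while n:
        n, d = divmod(n, 58)
        out = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"[d] + out
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + out

def sign_message(priv: int, msg: bytes) -> str:   # 65-byte recoverable signature, base64, low-s
    z = _msg_hash(msg)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"),
                                hashlib.sha256).digest(), "big") % N or 1   # deterministic nonce
    R = _mul(k, G)
    r, parity = R[0] % N, R[1] & 1
    s = pow(k, -1, N) * (z + r * priv) % N
    if s > N // 2:                       # low-s form; negating s means -R is the point to recover
        s, parity = N - s, parity ^ 1
    return base64.b64encode(bytes([31 + parity]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode()

def verify_message_with_address(addr: str, sig: str, msg: bytes) -> bool:
    try:
        raw = base64.b64decode(sig, validate=True)
    except ValueError: return False
    if len(raw) != 65 or raw[0] not in (31, 32): return False   # 27 + 4 (compressed) + recid 0/1
    r, s = int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")
    if not (0 < r < N and 0 < s <= N // 2): return False        # reject high-s (malleated) sigs
    y2 = (pow(r, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)                   # sqrt mod P, valid because P % 4 == 3
    if y * y % P != y2: return False               # r is not the x of a curve point
    if (y & 1) != raw[0] - 31: y = P - y           # the parity the header byte names
    rinv = pow(r, -1, N)                           # recover Q = r^-1 * (s*R - z*G)
    Q = _add(_mul(s * rinv % N, (r, y)), _mul(-_msg_hash(msg) * rinv % N, G))
    return Q is not None and hmac.compare_digest(address(Q), addr)

DOWNLOAD_URL = "https://electrum.org/#download"   # client constant (assumed value); never from the server
_VERSION = re.compile(r"\d+(\.\d+){1,3}")          # the only shape of text the server may supply
def check_announcement(response_text: str, installed: str, trusted_addrs) -> "str | None":
    # Newer trusted-signed version -> that version; not newer -> None; anything else -> ValueError.
    data = json.loads(response_text)
    version, sigs = data.get("version"), data.get("signatures")
    if not isinstance(version, str) or not _VERSION.fullmatch(version) or not isinstance(sigs, dict):
        raise ValueError("malformed announcement")   # fail closed: no free text is ever displayed
    if not any(a in trusted_addrs and isinstance(s, str) and verify_message_with_address(a, s, version.encode())
               for a, s in sigs.items()):
        raise ValueError("no valid signature from a trusted key")
    return version if tuple(map(int, version.split("."))) > tuple(map(int, installed.split("."))) else None

PUBLISHER_PRIV = int.from_bytes(hashlib.sha256(b"demo publisher key, not real").digest(), "big") % N
ATTACKER_PRIV = int.from_bytes(hashlib.sha256(b"demo attacker key, not real").digest(), "big") % N
TRUSTED_ADDRS = [address(_mul(PUBLISHER_PRIV, G))]   # constructed; what a shipped client would hardcode
def make_response(priv: int, version: str) -> str:   # what the website's version endpoint serves
    return json.dumps({"version": version,
                       "signatures": {address(_mul(priv, G)): sign_message(priv, version.encode())}})

def demo() -> dict:
    genuine = make_response(PUBLISHER_PRIV, "3.3.4")
    out = {"genuine": check_announcement(genuine, "3.3.3", TRUSTED_ADDRS),
           "already_current": check_announcement(genuine, "3.3.4", TRUSTED_ADDRS)}
    # A hacked website can edit the text or sign with its own key, but cannot sign for the trusted key.
    for name, resp in (("tampered", genuine.replace('"3.3.4"', '"9.9.9"', 1)),
                       ("forged", make_response(ATTACKER_PRIV, "9.9.9"))):
        try:
            out[name] = check_announcement(resp, "3.3.3", TRUSTED_ADDRS)
        except ValueError:
            out[name] = "rejected"
    return out
```

demo() returns {'genuine': '3.3.4', 'already_current': None, 'tampered': 'rejected', 'forged': 'rejected'}: a replayed genuine announcement is harmless, an edited one and one signed by an attacker's own key are refused before anything is shown, and the link the user would see is DOWNLOAD_URL, which the server never gets to influence. Two details matter in practice and are kept here: the verifier refuses high-s signatures and unknown header bytes instead of trying to be lenient, and check_announcement fails closed on anything that is not a plain version string, which is exactly the property the old server-pushed nag messages lacked.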
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
February 14, 2019, 03:22:19 PM
#8
Electrum version 3.3.3 included a new feature that will inform you when there's a newer version of Electrum available.  Today a newer version was made available for download, and here's what to expect if you have the notification feature activated.  

The notification setting can be changed by going to Tools > Preferences > General.  You should see this:


I'm glad that this was made optional. If anything, this whole issue was caused by a nag message due to a wrong design decision to allow Electrum servers to send nag messages to Electrum clients. The fact that this nag screen also rendered html links to be clickable only made it worse, but it was a design mistake to allow the nagging in the first place.

Now perhaps a means to white/black list servers...
legendary
Activity: 2968
Merit: 3684
February 14, 2019, 07:07:55 AM
#7
Thanks @OP! I suppose this is another example of how an accident or crisis always leads to an improvement.

With Lucius here about "people acting irresponsibly". It's really less a problem of laziness but one of ignorance. Talked about it countless times before, how people I know still prefer NOT to have control of their own private keys even, or go through the trouble of setting up and then signing a transaction before broadcasting... much less verify signatures!

It's not they deliberately act recklessly with their money, they actually spend a lot of time looking for "safe" solutions and for plain reasons of plain ignorance can't see the individual responsibility required.
legendary
Activity: 3234
Merit: 5637
February 14, 2019, 05:51:31 AM
#6
Let's face it, people are lazy.
Problem here is that 90% of the users don't verify the signatures...

Not only lazy, the problem is in ignorance also. To verify a signature you need to know how to do it, and even though we have good tutorials regarding that, most do not want to even try. Actually, the whole problem was, and still is, the fact that it is easy to trick users into downloading a fake Electrum wallet. If the wallet is downloaded from the legit site, then it is probably 99% safe. The problem is phishing sites; they look identical to the original, and for that reason verifying the signature is something that should become the standard procedure before installing any wallet.

If anyone is interested what is new in 3.3.4 :

Quote
# Release 3.3.4 - (February 13, 2019)

 * AppImage: we now also distribute self-contained binaries for x86_64
   Linux in the form of an AppImage (#5042). The Python interpreter,
   PyQt5, libsecp256k1, PyCryptodomex, zbar, hidapi/libusb (including
   hardware wallet libraries) are all bundled. Note that users of
   hw wallets still need to set udev rules themselves.
 * hw wallets: fix a regression during transaction signing that prompts
   the user too many times for confirmations (commit 2729909)
 * transactions now set nVersion to 2, to mimic Bitcoin Core
 * fix Qt bug that made all hw wallets unusable on Windows 8.1 (#4960)
 * fix bugs in wallet creation wizard that resulted in corrupted
   wallets being created in rare cases (#5082, #5057)
 * fix compatibility with Qt 5.12 (#5109)

https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
jr. member
Activity: 97
Merit: 3
February 14, 2019, 04:42:26 AM
#5
Scrutinizing the displayed link, it appears to be legitimate.  I did not click the link, but instead opened my browser, and used my bookmark to navigate to the Electrum website.  Indeed the download page shows version 3.3.4 is available for download.

that link is hard coded as a constant into the application's source code so you have nothing to worry about. the only thing that is received from the internet is whether or not a new version can be found on the website.
Also, aren’t the messages signed with Electrum’s Bitcoin address hardcoded in the wallet? Even if someone managed to modify the message before showing on your side, he wouldn’t pass the message signature verification.

Let's face it, people are lazy.

Problem here is that 90% of the users don't verify the signatures...

In my opinion, people who have a large amount of money in Electrum and just download and install without any verification should not have had that amount of money in Electrum in the first place.

I too got the pop-up warning, and after checking signatures and consulting Electrum's only original website I decided not to update, backed up all my wallets and re-installed the latest version from the original website. Nothing lost, no problem.

I don't get why almost nobody does this.... is money that unimportant to them?

@OP: thx for explaining.
legendary
Activity: 2758
Merit: 6830
February 14, 2019, 04:30:47 AM
#4
Scrutinizing the displayed link, it appears to be legitimate.  I did not click the link, but instead opened my browser, and used my bookmark to navigate to the Electrum website.  Indeed the download page shows version 3.3.4 is available for download.

that link is hard coded as a constant into the application's source code so you have nothing to worry about. the only thing that is received from the internet is whether or not a new version can be found on the website.
Also, aren’t the messages signed with Electrum’s Bitcoin address hardcoded in the wallet? Even if someone managed to modify the message before showing on your side, he wouldn’t pass the message signature verification.
legendary
Activity: 3472
Merit: 10611
February 13, 2019, 10:41:37 PM
#3
Scrutinizing the displayed link, it appears to be legitimate.  I did not click the link, but instead opened my browser, and used my bookmark to navigate to the Electrum website.  Indeed the download page shows version 3.3.4 is available for download.

that link is hard coded as a constant into the application's source code so you have nothing to worry about. the only thing that is received from the internet is whether or not a new version can be found on the website.
newbie
Activity: 10
Merit: 1
February 13, 2019, 08:39:39 PM
#2
Thank you DireWolfM14, I appreciate your reply. I had 2.2 BTC on the way to me and I was about to notify the sender to not send the BTC. They sent and I transferred to Trezor with no problem. I'm glad you explained that; I agree with you and was also hopeful that 3.3.4 would be skipped. Thanks.
copper member
Activity: 2338
Merit: 4543
February 13, 2019, 08:22:46 PM
#1
Electrum version 3.3.3 included a new feature that will inform you when there's a newer version of Electrum available.  Today a newer version was made available for download, and here's what to expect if you have the notification feature activated.  

The notification setting can be changed by going to Tools > Preferences > General.  You should see this:




You'll see an update notification in the lower right of the main window.




After clicking on the notification in the lower right of the main panel, you should see this pop-up:




Scrutinizing the displayed link, it appears to be legitimate.  I did not click the link, but instead opened my browser, and used my bookmark to navigate to the Electrum website.  Indeed the download page shows version 3.3.4 is available for download.

I was hopeful the development team would skip version number 3.3.4.  That was the version number applied to the malicious software responsible for stealing BTC from many users at the end of 2018 and early 2019.

I downloaded version 3.3.4, and checked the signature.  It is verified as being signed by Thomas Voegtlin.
