
Topic: How to find real Electrum? (Read 18061 times)

brand new
Activity: 0
Merit: 0
February 12, 2019, 01:02:31 AM
#39
Even if you verify the integrity of the Electrum application by comparing its hashes with the developer's, you still need to trust the software that computes the hash of the Electrum application to implement the hash function correctly and not include malicious code (steal user data, send all hash activity, etc.)

So you're forced to trust some of the applications you use

Simple, I just upload to virustotal.com. I don't use other software.
brand new
Activity: 0
Merit: 0
February 12, 2019, 12:34:33 AM
#37
I don't know how to build, so I give up. I must use a prebuilt binary file. So to use Electrum I have to trust other software?
Yes.

Just like the OS that you're running... unless you're compiling your own OS from source code and have personally verified and checked all the code

This is a very "chicken and egg" problem... the (less than ideal) "solution" is that unless you have a LOT of technical ability and knowledge... then, at some point, you have to trust something/someone.

Uh, instead of just trusting Electrum with its hashes, I have to trust other software too. Why do I have to trust other software if I just trust Electrum?
brand new
Activity: 0
Merit: 0
February 11, 2019, 12:00:22 PM
#35
Wtf dude? I literally just linked you to a page where there are plenty of ways of verifying your gpg4win file. At this point I’m starting to wonder if you’re just trolling me.

Again: https://www.gpg4win.org/package-integrity.html
Yes, I see your link, but I only know how to verify by hashes. Should I verify by hashes?


I don't know how to build, so I give up. I must use a prebuilt binary file. So to use Electrum I have to trust other software?
brand new
Activity: 0
Merit: 0
February 11, 2019, 11:49:12 AM
#33
< insert same link here >

how to verify gpg4win?

Yes. You can find its source in their download page.

how to build gpg4win from source code?
brand new
Activity: 0
Merit: 0
February 11, 2019, 11:32:28 AM
#31
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html

how to verify gpg4win? gpg4win is opensource?
legendary
Activity: 2870
Merit: 7490
February 12, 2019, 01:46:03 AM
#28
Even if you verify the integrity of the Electrum application by comparing its hashes with the developer's, you still need to trust the software that computes the hash of the Electrum application to implement the hash function correctly and not include malicious code (steal user data, send all hash activity, etc.)

So you're forced to trust some of the applications you use

Simple, I just upload to virustotal.com. I don't use other software.


So you trust virustotal and all the anti-virus engines used by virustotal, which are closed-source, but you hesitate to trust open-source software? This is contradictory.
legendary
Activity: 2758
Merit: 6830
February 12, 2019, 04:05:20 AM
#27
So you trust virustotal and all the anti-virus engines used by virustotal, which are closed-source, but you hesitate to trust open-source software? This is contradictory.

stupid Legendary. I just trust their SHA256

First of all, no one here is obligated to answer or help you, so stop with this “stupid Legendary” thing. Do you not know the word respect?

Second, do whatever you want. ThomasV isn’t publishing hashes of the files any time soon and there is nothing you can do about it. Either stop with this bullshit and verify the signatures yourself, or use any other wallet that publishes hashes. Easy.

Now goodbye. This stupid legendary here already gave you way too much attention, and my patience is over.
HCP
legendary
Activity: 2086
Merit: 4361
February 12, 2019, 12:06:38 AM
#26
I don't know how to build, so I give up. I must use a prebuilt binary file. So to use Electrum I have to trust other software?
Yes.

Just like the OS that you're running... unless you're compiling your own OS from source code and have personally verified and checked all the code

This is a very "chicken and egg" problem... the (less than ideal) "solution" is that unless you have a LOT of technical ability and knowledge... then, at some point, you have to trust something/someone.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:52:33 AM
#25
how to verify gpg4win?
Wtf dude? I literally just linked you to a page where there are plenty of ways of verifying your gpg4win file. At this point I’m starting to wonder if you’re just trolling me.

Again: https://www.gpg4win.org/package-integrity.html

Quote
how to build gpg4win from source code?
https://github.com/gpg/gpg4win/blob/master/README
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:43:10 AM
#24
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html
how to verify gpg4win?
< insert same link here >

Quote
gpg4win is opensource?
Yes. You can find its source in their download page.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:27:31 AM
#23
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:18:27 AM
#22
Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, every time you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DON'T DOWNLOAD A NEW KEY EVERY TIME ALONG WITH THE FAKE SOFTWARE.

Yes, I’m trying to remain patient and ask everything to you too
But in case I don't have that key and I go to a fake website?
Then you get scammed.

That’s exactly my point. You SHOULD have ThomasV's real PGP key before trying to download anything. Then, you verify the file and if the signature is valid, you are safe to use it.

Take some time to get his real PGP key once and every time you download a new update, you can verify it.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:05:42 AM
#21
If you knew the answer, then why are you asking for my source for ThomasV's key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?

how to know that PGP key is real?
The fake sites have signatures for the fake versions so there is no point in verifying signatures

Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, every time you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DON'T DOWNLOAD A NEW KEY EVERY TIME ALONG WITH THE FAKE SOFTWARE FROM THE FAKE WEBSITE.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:54:02 AM
#20
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software from and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?


What is this? Where did you get this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.

Why not from electrum.org? You said just download Electrum from electrum.org, but why do I have to download a file from github.com? Bad servers ask users to download fake Electrum updates from github.com too

If you knew the answer, then why are you asking for my source for ThomasV's key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:42:39 AM
#19
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software from and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?


What is this? Where did you get this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:08:28 AM
#18
The fake sites have hashes for the fake versions so there is no point in verifying hashes

The fake sites have signatures for the fake versions so there is no point in verifying signatures
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software from and use it to verify a signature.

Are you even reading what you are saying?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
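
The check posts #18 to #22 describe, as an added example that is not from the thread or the Electrum project: accept a download only when gpg reports a valid signature from a key you pinned beforehand, not from whichever key happens to be in the keyring. The function names and sample status lines are constructed for illustration; the pinned value is the long key ID in the keyserver link above, and gpg is assumed to be installed with the key already imported.

```python
import subprocess

# Long key ID from the keyserver link quoted in the thread. A full 40-hex
# fingerprint copied from a source you already trust is a stronger pin and
# works with the same comparison.
PINNED_KEY = "2BD5824B7F9470E6"

# Constructed status output: the first 24 fingerprint digits are filler.
SAMPLE_GENUINE = (
    "[GNUPG:] GOODSIG 2BD5824B7F9470E6 Constructed Signer\n"
    "[GNUPG:] VALIDSIG " + "A" * 24 + "2BD5824B7F9470E6 2019-02-11 1549843200"
    " 0 4 0 1 8 00 " + "A" * 24 + "2BD5824B7F9470E6\n")
# Constructed: a good signature, but from a key imported alongside the download.
SAMPLE_LOOKALIKE = (
    "[GNUPG:] GOODSIG 1111111111111111 Constructed Lookalike\n"
    "[GNUPG:] VALIDSIG " + "B" * 24 + "1111111111111111 2019-02-11 1549843200"
    " 0 4 0 1 8 00 " + "B" * 24 + "1111111111111111\n")


def signed_by_pinned_key(status_text, pinned=PINNED_KEY):
    """Decide from `gpg --status-fd` output whether the pinned key signed the file."""
    pinned = pinned.replace(" ", "").upper()
    valid = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        tag, key = fields[1], fields[2].upper()
        if tag == "BADSIG":
            return False  # the file or the signature was altered
        if tag in ("EXPKEYSIG", "REVKEYSIG") and key[-16:] == pinned[-16:]:
            return False  # the pinned key itself is expired or revoked
        if tag == "VALIDSIG":
            # The last VALIDSIG field is the primary-key fingerprint, which
            # differs from field 2 when a signing subkey was used.
            primary = fields[11].upper() if len(fields) > 11 else key
            if primary.endswith(pinned):
                valid = True
    return valid


def verify_download(sig_path, file_path, pinned=PINNED_KEY):
    """Run gpg on a detached signature and apply the pin to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return signed_by_pinned_key(proc.stdout, pinned)
```

`SAMPLE_LOOKALIKE` is the case the thread argues about: gpg reports a good signature, and the pin is what rejects it.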
legendary
Activity: 1624
Merit: 2481
February 11, 2019, 08:17:41 AM
#17
But developers can post hashes of files here on bitcointalk. Or on Twitter. In a second source. It's 99.9% secure!
Why not do this?
This section consists of a million threads where people complain about Electrum wallet phishing

There is no need for this bullshit.

Just VERIFY THE SIGNATURE.

There is absolutely NO reason for checking the hashes. All files are signed by ThomasV's PGP key.
Signatures should always be MORE TRUSTED than hashes compared with hashes posted on a website / forum.

There are quite a few tutorials available on how to get the PGP key and how to verify the signature.
If you want to be sure that you got the original electrum (and not a fake / malicious version), verify the signature or build it yourself from source.
legendary
Activity: 3682
Merit: 1580
February 11, 2019, 04:02:21 AM
#16
But developers can post hashes of files here on bitcointalk. Or on Twitter. In a second source. It's 99.9% secure!
Why not do this?
This section consists of a million threads where people complain about Electrum wallet phishing

This would be a pointless exercise. Do you even know how people end up installing fake electrum versions? Most of them google electrum and follow a link in an ad to the fake electrum site. Others are falling prey to the phishing messages in old electrum versions. None of these people frequent this or any other community forum. If they did they would know better and would only download from electrum.org.

Now consider what happens when people who have fallen prey to fake versions come here and complain. They never visited this forum before but when they need help they seek it out. What are we to tell them? Would it serve any purpose to ask them whether they verified the hashes? The fake sites have hashes for the fake versions so there is no point in verifying hashes. As HCP pointed out hashes alone do not let you authenticate the source of the software. A digital signature of the maintainer is required for that.

Why are you and other users so resistant to learning how to verify digital signatures? It only takes a few minutes to learn how to do this. Here's a guide if you're interested.
newbie
Activity: 11
Merit: 0
February 10, 2019, 12:33:16 PM
#15
yes, I know about sig https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" Electrum and phishing. Could you please post everywhere (here in a pinned thread, on Twitter) the MD5 / SHA-1 / signature of the real Electrum 3.3.3? Not only the sig, but also the MD5 / SHA-1 of the files.
It will be secure to check this info in 2 sources (download on the official website and check hashes of the .exe files here and on Twitter). Really more secure.
Because I still don't know where the real Electrum is.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.
But developers can post hashes of files here on bitcointalk. Or on Twitter. In a second source. It's 99.9% secure!
Why not do this?
This section consists of a million threads where people complain about Electrum wallet phishing
legendary
Activity: 3682
Merit: 1580
February 07, 2019, 09:51:02 PM
#14
yes, I know about sig https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" Electrum and phishing. Could you please post everywhere (here in a pinned thread, on Twitter) the MD5 / SHA-1 / signature of the real Electrum 3.3.3? Not only the sig, but also the MD5 / SHA-1 of the files.
It will be secure to check this info in 2 sources (download on the official website and check hashes of the .exe files here and on Twitter). Really more secure.
Because I still don't know where the real Electrum is.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.