Topic: Transferring BTC from Electrum That Has Not Been Updated? - page 2. (Read 356 times)

How do i verify the pgp signature is legit before i download it?  Do i need to right click it or what do i need to do to make sure the link is legit?  Again this is complicated for someone like me that isn't that computer savy.  Though using electrum would be considered tech savy for most users.


Well if i manually type in the website in my address bar on chrome


www.electrum.org


And then click enter... that is still not safe?  When i type in electrum on google, i see an electrum.org link on the first one showing and am sure that is the legit one as i have clicked on that link before a while back when i did an update.



Thanks.

there are two problems here.
1. you may think you are visiting the real website but you really aren't. for example your browser might have redirected you to a similar looking website as @nc50lc explained above and you may not notice it.
2. the website may be compromised. it is just a website after all, and not immune to hacks. a hacker might have injected a malicious software there.

so what is the solution you ask?
it is pretty simple, get in the habit of verifying PGP signatures of whatever you download with the real public key of the developer.
what i mean by "real" is about the concept of "web of trust". in short it is about gaining the public key in a way that it can't be faked. like asking a friend to send the key via SMS, physical mail or sign it with his own public key which you already have. or at the very least checking multiple sources to see if the key you see on the website is the same as you see elsewhere like on Github,... this is the key by the way: 0x2BD5824B7F9470E6

No.


If your transaction happens to be accepted by one of the compromised servers, yes.


Yes, this is the most likely outcome.


Yes, that also works.


That's what I would do.  Only download Electrum from https://electrum.org/#home.

If you are concerned about the safety of using electrum, keep in mind; your security is your responsibility.  If I were you, I would do as you've described in your second point; update to the latest version before accessing your wallet.  

But before you install the latest version of electrum learn to verify the signature.  Learning to check the signature, and doing so every time you download an updated version should put your mind at ease when using electrum.  It really is one of the best desktop wallets to use, and it's worth learning to use it safely.

For verifying the download I use Gpg4win.

So far, no one.
But you might wanna double-check if it was bookmarked or a google search result, there has been a fake site with Big letter i for an "L" like this: eIectrum; users who don't use serif fonts wont notice the difference.

Well i dont know how to do the verification etc.  Someone mention this and this is confusing for someone that is not computer savy.


But has there been any case of anyone that has downloaded electrum from the official www.electrum.org site and had an issue? 

It's a false positive (if you're talking about the installer being identified as a virus). You can always verify the files though, and make it your regular practice if you're in crypto in order to increase your security. You can also check out the official GitHub and verify the code/build it by yourself if you don't trust the official website (though I don't find any reason to do so).

Vulnerabilities that recently being mentioned/surfaced can be avoided easily if users have enough awareness and always verify any files before they use it.

There aren't any recent cases. It can't hurt to validate the signatures. If you have a phone, you can download electrum and make a watching only wallet, take your computer offline and run electrum. Then click to send the funds to an address, hit preview and sign. Then get thevqr code (between copy and export) and scan it with the send tab on your phone and click broadcast.

Alternatively you can just keep using the old version but I'm not sure if 3.0.5 has the json rpc vulnerability so make sure you hit broadcast. You can get the message on all but the latest versions of electrum desktop, it doesn't appear at all on android electrum though if it's not much...

thanks for that information.  So if there is that fake update message, you can close it just like that by x'ing it?


okay so just to confirm this.  No one here has heard of anyone that went to the real electrum website www.electrum.org and downloaded the program and it being malicious?  I thought i was pretty sure someone mentioned this was a case with a few others?

If you open your wallet and end up selecting a malicious server (server selection is random by default), you will get a fake update message whenever you try to make a transaction. The message itself doesn’t do anything. It’s al a phishing attempt and you will only be affected if you believe the message and download the fake update from a fake website (that isn’t electrum.org)

Download the latest version from ELECTRUM.ORG (that’s the ONLY legit website). Those will mitigate the attacks and if you end up connected in a malicious server, it will show only a “unknown error” message instead of the fake update message. Then, just select a different server manually or restart the wallet to connect to another one automatically.

Yes. That’s true. The only vulnerability is the possibility of sending fake messages to the users on their servers, so they can be lured in downloading a malware wallet.

I am using electrum 3.0.5.  I still have some amount of btc there as i previously transferred it to a hardware wallet.  I have not tried to open my electrum wallet on my windows laptop for a while after hearing people talk about all the issues with the update and those scams going on. 


1.  First off, if i open my electrum wallet now, will it ask me to update to the newest version via a message?  Or it only will show me this message if i try to send btc?  Or i might not even get this message and i could send the btc?  The other thing is if you do receive this message, i assume you can close that message as say no or x it out?  Is it clicking no or closing the message by x'ing it out?


At the moment, I want to send the btc i have in my electrum to my hardware wallet.  Thus that way, i don't want to use the electrum wallet anymore at least for now.  But i have not opened the program once due to all the issues with electrum.  What is the best method for me to do this right now?



2.  Should i just go to www.electrum.org and download the newest up to date electrum on the website?  As long as you don't download electrum from github or those other links, are you fine?  Someone mentioned that as long as you download it from the official site... you are fine.  Is this true or false?  Because i think i recalled reading that the hacker posted the fake link on their site for a short duration where anyone that downloaded electrum from the official site downloaded that malicious file?  Or is this not true?