
Topic: Verify wallets before installing & using. You'll lose fund if you don't verify (Read 290 times)

legendary
Activity: 3444
Merit: 10558
I want to add two things here.
First, kudos for mentioning "web of trust", but since its importance is high in my opinion, it should be the first thing mentioned, and it should be explained more, along with the dangers of neglecting it. It must be the first step, or rather step 0, of this whole thing. You first have to find a way to acquire the real public key in a safe way, so that you can be nearly sure it is the correct one.
For example, if the user is simply copying the key hash from the same website and verifies the downloaded file (from the same site), then he didn't really increase his security at all. He just took an extra step, since a malicious attacker could have injected both the malicious software and the pubkey he used to sign it into that website.

Second, even if you did all that and verified the signature of that file with the real pubkey, that still doesn't mean the software you are about to use is safe. You are still downloading a compiled binary file that may not even be the compiled version of the same source code you see as the open-source project!
The solution to this is either compiling it yourself, which is not possible for most users, or only using open-source software that uses deterministic builds. Unfortunately, only a couple of wallets follow that.
legendary
Activity: 2506
Merit: 3645
Buy/Sell crypto at BestChange
I think you have developed this topic --> [Eng: Tutorial] PGP Signature - Encrypt/Decrypt message - Fingerprint and updated it with some data; you can refer to it to reformat this topic and make it perfect.

I would like to point out that if you want to verify Electrum's signature, the link above is a link to the latest version (3.3.8). I hope you indicate the location of the signature on the site instead of giving the link (it will not work with the new update).

sr. member
Activity: 1036
Merit: 258
★Bitvest.io★ Play Plinko or Invest!
Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy

Yeah @tranthidung, you are right. If one does not know how to manage well, then it is necessary to have the ability to understand the problem, especially good and bad. Moreover, he will lose the right over his money, which is very harmful.
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.
Right, for later times it is faster, but even with the setup process, I don't think it is too complicated. I felt it was complicated the first time, but the second time I was familiar with it.
Quote
But verifying the developer's signature doesn't guarantee 100% security; there's always a small chance that the developer has gone rogue or got hacked themselves and their keys were stolen. To cover situations like that, it's always wise to check for such problems on public media first.
Notifications or hyperlinks to the newest wallet versions provided by wallets are unreliable too.
Electrum vulnerability allows arbitrary messages, phishing (theymos)
I believe most newbies instantly click on links in their wallets to visit sites and download the newest versions without further investigation, and surely without wallet verification.
legendary
Activity: 2954
Merit: 2145
I agree the guide is too long and complicated.
Personally, I have never verified a PGP signature from a file. (I am almost ashamed to admit it, lol)


It's really not that hard, it takes a bit of time to set the whole thing up for the first time, but after you are done, verifying signatures takes just a few clicks. I use Kleopatra on Windows and it's pretty simple.

But verifying the developer's signature doesn't guarantee 100% security; there's always a small chance that the developer has gone rogue or got hacked themselves and their keys were stolen. To cover situations like that, it's always wise to check for such problems on public media first.
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
@OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading  Smiley
Thanks (I will think of small changes). You should know there are limitations on total characters. The thread title (current one) uses the max cap of characters allowed.  Undecided
Code:
Verify wallets before installing & using. You'll lose fund if you don't verify
Now, the title is better and I hope you like the new one, but there is a problem with the titles of replies. Replies will have a title like this (the last 2 characters are automatically cut because of the character limit).
Code:
Re: Verify wallets before installing & using. You'll lose fund if you don't veri

I always do what @bitmover wrote, carefully, before moving forward with the wallet verification steps in the OP. They are two-layered protections for you:
- Download at legit websites.
- Verify wallets and related things.
You are safe with handy verifications.
However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double check everything as well: addresses on the device, on the website, etc.
It is like basic common sense; however, few people do it.
legendary
Activity: 2520
Merit: 2853
Top Crypto Casino
@OP, I think you should change the topic's title. "Don't do this" makes it look like you are asking us to avoid verifying the wallet we are downloading  Smiley


So I hope it will help someone, but I like to verify files in other ways than the "official" one requiring 10 steps.
Are there other ways to check the authenticity of files we download online other than what was mentioned here?!
It is a long process indeed, but we are talking about how to keep our money safe from hackers. So it is definitely worth the time we spend on it.
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
I agree the guide is too long and complicated.
Personally, I have never verified a PGP signature from a file. (I am almost ashamed to admit it, lol)

However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double check everything as well: addresses on the device, on the website, etc.
It is like basic common sense; however, few people do it.
All things are always complicated at the beginning.
For crypto newbies: How to get a bitcoin address? How to send bitcoin to other people? How to install a bitcoin wallet? Which wallet to use? What are the differences between a public key and a private key? How to back up and recover wallets from seeds? How to do KYC? And more. All of them are complicated.

I had the same feelings when I joined crypto in late 2017.

Another example is an account on the forum: How to secure it? How to sign a message to use as proof of ownership? Yes, it's complicated for guys who don't know how to do it.

It seems unnecessary to sign a message for the above purpose before one realizes that an account can be hacked, and that without a signed message the recovery will be more difficult and take more time. Then, they will do it.

The same thing with wallet verifications, IMO. The more repetitions we do verifications, the faster we finish and the more comfortable we feel about wallet verifications.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
This guide is more complicated and long than space shuttle schematics/instructions Cheesy
Whether we like it or not, people are too often technically illiterate or, even worse, they don't care that much.
The faster the better, with minimum effort.

So I hope it will help someone, but I like to verify files in other ways than the "official" one requiring 10 steps.

I agree the guide is too long and complicated.
Personally, I have never verified a PGP signature from a file. (I am almost ashamed to admit it, lol)

However, I feel safe enough just by downloading files from the official website (just check social media and see if the links from there match the address you have). I always double check everything as well: addresses on the device, on the website, etc.
It is like basic common sense; however, few people do it.
legendary
Activity: 2296
Merit: 1014
Why do you have to verify wallets before using them as storage of your fund?
"Prevention is better than cure".

This guide is more complicated and long than space shuttle schematics/instructions Cheesy
Whether we like it or not, people are too often technically illiterate or, even worse, they don't care that much.
The faster the better, with minimum effort.

So I hope it will help someone, but I like to verify files in other ways than the "official" one requiring 10 steps.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy

Yes. You are much safer using a hardware wallet. However, if you are careless, you will lose money.

For example, always check the address displayed on the device's LED visor before sending funds. Store your seed offline on paper, etc.
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
Nothing can save you if you don't manage how to do it safely.
No wallets, no Trezor, no Ledger Nano S, no exchanges.  Cheesy
member
Activity: 742
Merit: 21
Be the reason someone smiles today
Indeed, threats are everywhere in the crypto world and the risk of seeing your funds lost is bigger every day, especially if you're using online wallets.

However, prices have continued to decrease constantly for hardware wallets. You can buy a Ledger Nano S or a Trezor wallet very cheaply (Trezor is more expensive and it does pretty much the same thing) and get rid of the stress every time you check your balances.
https://shop.ledger.com/products/ledger-nano-s
https://shop.trezor.io/

I bought a Ledger Nano S and since then I sleep better thinking that my crypto is safe  Smiley

legendary
Activity: 1540
Merit: 2036
Betnomi.com Sportsbook, Casino and Poker
It's funny, I've been reading through a lot on this lately, and actually stumbled across a pretty good thread a few days ago; I can't find the link right now. I like that you mentioned verifying the gpg4win software. There was a video from a few years back I was watching, and he brought up what I was thinking when I got into verify mode. It's sort of the chicken-and-egg conundrum, as he put it - Crypto Dad or something like that. My only suggestion is that, if it's available, do the initial download on a PC that doesn't contain anything sensitive from the start. Just in case.
legendary
Activity: 2170
Merit: 3858
Farewell o_e_l_e_o
This thread presents basic steps to do verifications. For more details, please read more sources.



There are so many bad guys around, and there are so many phishing sites on which you can see and download dangerous fake cryptocurrency wallets. If you get trapped by fake wallets, I am sure that your funds will be stolen. It's just a matter of time before the bad guys steal your funds after you install a fake wallet and store your funds in it.

Days ago, the news about the compromise of the Monero site gave me a reminder to make this thread for newbies. Honestly, it is a very good opportunity for me to learn more about verification. Previously, I only knew and did verification for the Electrum wallet. Now, when I made this thread, I have read more sources, from Bitcoin Core to Dash and Monero, and I definitely and fortunately learned more valuable things.

This is another lesson for newbies: Learn first to improve; then help others. Through the process of learning and helping, you will become more knowledgeable; then you will be safer in crypto.

Why do you have to verify wallets before using them as storage of your fund?
"Prevention is better than cure".


Basic steps:
You should verify three things. There is more to do if you want (if so, read more in the mentioned sources).
  • Hash values
  • Developers' public keys
  • Verify the installer signature.
  • Everything you use to verify, get it by yourself. Don't trust what I quoted below.

Download the gpg4win software at https://www.gpg4win.org/
After downloading, check the integrity of (verify) the downloaded file first.
Yes, you must verify first; don't trust it even if you download GPG4win from its official website. It would be very bad for you to download a phishing gpg4win and use it to verify any cryptocurrency wallet.

You can see how to install the gpg4win software in Verify binaries on Windows (beginner), here
The full guide is here: https://www.gpg4win.org/package-integrity.html
There are 5 methods to do that. I would like to recommend you to read the section: Download and Install Gpg4win:
Get its SHA1 hash value here: https://www.gpg4win.org/package-integrity.html
Copy the hash value you get from the Command Prompt and use Find on that page to compare your hash value with the one provided on the official gpg4win site.
They match, so I downloaded legitimate GPG4win software.

In addition, you can use the Windows PowerShell (Admin) - for Windows 10 - instead of the Command prompt.



Electrum
Download it at: https://electrum.org/#download

Signature: get it here
https://download.electrum.org/3.3.8/electrum-3.3.8-setup.exe.asc


There you go: GPG verification results I get by clicking on dashcore-0.14.0.3-osx.dmg.asc (assuming you have GPG Tools installed and codablock's key imported into it already) on top of Downloads with the binary itself and this signature file, on top of the Github releases page with both these files listed Smiley

Dash Github's Tags

Credits to qwizzie and UdjinM6: You can read more details of the unofficial guides from the two users here



Monero
Follow the guide below to verify both the hash file and the binary file.




Sources:
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/
http://www.differencebetween.net/technology/software-technology/difference-between-pgp-and-gpg/
Verifying Bitcoin Core (theymos). I don't use Bitcoin Core but if you use it, you know what to do: Verify first, don't trust.
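The following is an added worked example, not code from the OP or from Electrum, Dash, Monero, Bitcoin Core or Gpg4win. It reduces the OP's steps (hash value, developer key, installer signature) to two checks, and it also addresses the "step 0" raised in the first reply of this thread: a signature is only worth something if the signing key's fingerprint is one you obtained yourself from independent sources, not copied from the same page as the download. It assumes `gpg` (the command-line tool Gpg4win installs alongside Kleopatra) is on PATH for the live helper; every fingerprint, key ID, file and hash below is a constructed placeholder, not any real developer's key or release.

```python
"""Added worked example for this thread (not code from the original post or from
Electrum, Dash, Monero, Bitcoin Core or Gpg4win): the two checks the OP's
steps come down to, done in a way that also covers the "step 0" point about
acquiring the real public key.

1. Hash check: compare the downloaded file against the hash you copied from
   the vendor page (SHA-1 for Gpg4win's page, SHA-256 for most wallets).
2. Signature check: run gpg on the detached .asc file, but only accept the
   result if the signing key's fingerprint equals one you pinned yourself
   from independent sources. Grepping for "Good signature" is not enough:
   gpg prints that for ANY key in your keyring, including a key an attacker
   planted on the same compromised download page.

Assumptions: `gpg` (installed by Gpg4win on Windows) is on PATH for the live
helper; every fingerprint, key ID and file below is a constructed placeholder.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream the file through hashlib so a large installer need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path, published_hex, algo="sha256"):
    """published_hex is the value copied from the vendor page (case/whitespace-insensitive)."""
    return file_digest(path, algo) == published_hex.strip().lower()


def parse_gpg_status(status_text):
    """Reduce `gpg --status-fd` lines to the facts that matter for a release signature."""
    status = {"good": False, "bad": False, "problems": [],
              "fingerprint": None, "primary_fingerprint": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            status["good"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pk-algo> <hash-algo> <class> <primary-fpr>
            status["fingerprint"] = fields[2].upper()
            status["primary_fingerprint"] = fields[-1].upper()
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            status["bad"] = True
            status["problems"].append(keyword)
        elif keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            # Verifies mathematically, but the key or signature is expired or revoked.
            status["problems"].append(keyword)
    return status


def signature_trusted(status, pinned_fingerprints):
    """Accept only a clean GOODSIG made by a key whose fingerprint you pinned out-of-band."""
    if not status["good"] or status["bad"] or status["problems"]:
        return False
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    return status["fingerprint"] in pinned or status["primary_fingerprint"] in pinned


def verify_download(binary, asc_file, pinned_fingerprints):
    """Live check: --status-fd 1 makes gpg write machine-readable status lines to stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(asc_file), str(binary)],
        capture_output=True, text=True, check=False)
    return signature_trusted(parse_gpg_status(proc.stdout), pinned_fingerprints)


# ---- constructed sample data: placeholder fingerprints, not any real developer's key ----
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"  # as you'd write it down
PLANTED_FINGERPRINT = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Wallet Dev <dev@example.invalid>
[GNUPG:] VALIDSIG {PINNED_FINGERPRINT.replace(' ', '')} 2019-11-20 1574208000 0 4 0 1 10 00 {PINNED_FINGERPRINT.replace(' ', '')}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same file, signed by a key the attacker put next to the download: gpg still says GOODSIG.
PLANTED_KEY_STATUS = GOOD_STATUS.replace(PINNED_FINGERPRINT.replace(" ", ""), PLANTED_FINGERPRINT)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Wallet Dev <dev@example.invalid>\n"
SAMPLE_INSTALLER = b"constructed stand-in for an installer binary\n"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()  # stands in for the vendor page value


def hash_demo():
    """Return (intact_matches, tampered_matches) for the constructed installer."""
    with tempfile.TemporaryDirectory() as d:
        intact = Path(d) / "installer.exe"
        intact.write_bytes(SAMPLE_INSTALLER)
        tampered = Path(d) / "installer-tampered.exe"
        tampered.write_bytes(SAMPLE_INSTALLER[:-1] + b"!")
        return hash_matches(intact, PUBLISHED_SHA256), hash_matches(tampered, PUBLISHED_SHA256)


if __name__ == "__main__":
    print("hash intact/tampered:", hash_demo())
    for name, text in (("pinned key", GOOD_STATUS), ("planted key", PLANTED_KEY_STATUS), ("bad sig", BAD_STATUS)):
        print(f"{name}: trusted={signature_trusted(parse_gpg_status(text), [PINNED_FINGERPRINT])}")
```

In real use, `PINNED_FINGERPRINT` is the value you wrote down after cross-checking the developer's key fingerprint in at least two places the download site does not control (a keyserver, the project's source repository, the developer's signed forum posts), and `verify_download("electrum-setup.exe", "electrum-setup.exe.asc", [PINNED_FINGERPRINT])` is the whole check. The "planted key" case is the failure mode from the first reply: gpg reports a good signature, and only the fingerprint pin rejects it.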