[Tails-dev] Tails vs Electrum

Delete this message

Reply to this message
Autor: sajolida
Data:  
Para: The Tails public development discussion list
Assunto: [Tails-dev] Tails vs Electrum
Hi,

We're not using this mailing often anymore but I think that the Electrum
situation is complex and impacting enough to deserve it.

Thanks a lot to s7r for giving me very useful information to understand
what's going on in #16421! If you're on this list, please correct me if
I'm saying anything wrong here. I learned about all this today :)

Summary of the situation
========================

Some weeks ago, some servers in the Electrum pool started to behave
maliciously: they returned rogue error messages that were phishing
attempts to instruct people to upgrade to a malware version of Electrum.

See https://github.com/spesmilo/electrum/issues/4968

This was a phishing attack and not a vulnerability in Electrum itself.

s7r analyzed on #16421 that Tails was not really concerned by this
attack because upgrading and running the malware version on Tails was
more complicated than on other operating systems and too unusual for
Tails users to do it.

We didn't communicate about this to our users and they wrote a lot to
our help desk.

As a 1st countermeasure, Electrum updated their software to prevent the
display of the phishing message as rich text in version 3.3.2.

But users were not updating fast enough to 3.3.2 and were still phished.
So a few days ago, Electrum updated its *server* version to prevent
older *client* versions (< 3.3.2) from connecting to them.

Right now in Tails we have 3.1.3 which is displaying the phishing attack
when connecting to old servers (if they are any left) and unable to
connect to the updated servers that prevent the phishing attack.

On the Debian side, it seems like the maintainer (Tristan Seligmann
<mithrandi@???>) is missing in action. He's said to come back in
mid-February on https://github.com/spesmilo/electrum/issues/5083 but
hasn't commented neither on Debbug#912042 (which will get Electrum out
of Buster) nor on Debbug#921688 (about the update itself).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912042
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688

The official way of running Electrum from Linux is using an AppImage:

https://electrum.org/#download

s7r documented how to use it in Tails:

https://blog.thestever.net/2019/02/26/upgrading-electrum-on-tails-to-3-3-4/

I tested it myself and it runs really fine. Seeing that, I could also
understand why Electrum upstream is not super concerned about the state
of the Debian package either.

What shall we do?
=================

Right now, the Electrum we distribute in Tails cannot connect to the
Electrum servers. It's useless and we might as well get rid of it.

s7r suggested we distribute the AppImage in Tails in #16564.
I think the Foundation Team should follow up on this idea there.

The Technical Writing team could document how to use the AppImage:

- I would write a much simplified version of s7r tutorial but the
Electrum persistent feature would still work.
- People knowledgeable about OpenPGP could verify the AppImage with its
OpenPGP signature.

This documentation could go on
https://tails.boum.org/doc/anonymous_internet/electrum/ with a bunch of
warnings.

If we decide not to ship the AppImage, we could also try to contact the
Debian maintainer.

We could also decide to not even document how to use an AppImage and
then basically tell people that Electrum doesn't work anymore on Tails
with not workaround.

In terms of priorities for the project. I'm personally really not
thrilled at the idea of spending a lot of time dealing with this
situation. But I also guess that Electrum users are a good share of our
user base and removing Electrum might make us loose users. Bitcoin users
are also traditionally good donors and removing Electrum might make use
loose donations.

Related to that, it might also be worth it to clarify how much help desk
should spend time on helping Electrum users, whether or not we decide to
make their lives easy again or not.

What shall we do?

--
sajolida