NEW YORK (InsideBitcoins) — In an effort to bring more security and privacy to their online wallet, Blockchain.info has launched a new way to access their services. Users of Blockchain can now access their online wallet through a new Tor hidden service, which drastically improves the security of the site for users who wish to remain to buy bitcoin anonymously. There have been a large number of issues related to using Blockchain over Tor in the past, and most of the problems have been associated with malicious Tor exit nodes. With the new hidden service, those malicious nodes can be avoided.
Tor exit nodes and man-in-the-middle attacks
There are a few different issues associated with visiting clearnet websites over Tor, but the main problem has to do with malicious exit nodes attempting to deceive a Tor user. If end-to-end encryption is not used, then a “man in the middle” (MITM) can basically act as the end server that the Tor user is trying to reach. This is obviously a huge issue when using a service like Blockchain’s online wallet because the Tor user would be sending their login credentials to the malicious exit node.
It is helpful if a website uses a certificate authority to encrypt traffic between the user and the website, but this is not a fool-proof system. Most browsers will automatically check the authenticity of the SSL certificates associated with different websites on the clearnet, but the reality is that some users will bypass these warnings and not realize that they are about to become a victim of a man-in-the-middle attack.
The benefits of a Tor hidden service
By creating a hidden service, Blockchain is allowing its users to stay within the Tor ecosystem rather than ever exiting to the clearnet. The user does not need to go through an exit node to login to their online wallet, which means the threat of a MITM attack is drastically reduced. Hidden services use end-to-end encryption, but whether or not it still makes sense to add an SSL certificate on top of that is up for debate.
You can follow @kyletorpey on Twitter.