Reply to post: Re: I continue to be surprised

This is node joke. Tor battles to fend off swarm of Bitcoin-stealing evil exit relays making up about 25% of outgoing capacity at its height

doublelayer Silver badge

Re: I continue to be surprised

"Now, conversely, if I were running a Bitcoin exchange, I would definitely want https to be the default setting, if for no other reason than wanting to ensure that the Dunning-Krugerrands wind up in my pocket and not someone else's when I decide to fake my death and abscond to a foreign country with the proceeds of my clients' ill-placed trust."

The problem there is that the attacker probably does use HTTPS to connect to the exchange, just with them impersonating the client. It's probably not easy to determine that it's not the user on the other end, and almost certainly such a coordinated group has different nodes making the connections so they can't be identified as exit nodes and blocked that way.

"If I were the client of such an exchange, I would definitely pay close attention to whether https is being used as well, but I'm not sure what the interface for such a thing looks like, so maybe it's not obvious."

The exit node can't easily provide a forged certificate because the client's machine will still verify it, so they're probably seeing the insecure site icon like on any other HTTP-only site. Either that or they get redirected to a secure site that is controlled by the attacker and therefore doesn't use the same domain name. It would really help the clients to make sure that is not there whenever they're accessing something sensitive, but maybe it would be better for there to be a setting to enforce that. That doesn't seem out of character for the Tor browser to warn or even block HTTP-only on the clear web and 301s pointing to different domains.
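The setting suggested in the comment above, sketched as an added example (not part of the comment and not Tor Browser code): it blocks a navigation that ends on an HTTP-only clear-web page or that follows a redirect received over plain HTTP to a different domain. The function names, the `.example` hosts and the `.onion` host are constructed, and comparing hostnames instead of registrable domains is a simplifying assumption.

```javascript
// Added example; hypothetical names, constructed sample chains below.
const isOnion = (host) => host.toLowerCase().endsWith(".onion");
// Simplification (assumption): compare hostnames, ignoring a leading "www.".
// A real check would compare registrable domains via the Public Suffix List.
const siteOf = (host) => host.toLowerCase().replace(/^www\./, "");

// chain: absolute URLs, first the one the user asked for, then each redirect target.
function checkNavigation(chain) {
  const hops = chain.map((u) => new URL(u));
  const start = hops[0];
  const last = hops[hops.length - 1];
  const reasons = [];

  for (let i = 1; i < hops.length; i++) {
    const prev = hops[i - 1];
    const next = hops[i];
    // A redirect received over plain HTTP is unauthenticated: the exit relay
    // could have written it. One received over HTTPS came from the real site.
    const unauthenticated = prev.protocol !== "https:" && !isOnion(prev.hostname);
    if (unauthenticated && siteOf(next.hostname) !== siteOf(start.hostname)) {
      reasons.push(`HTTP redirect to a different domain: ${next.hostname}`);
    }
  }
  // The page the user ends up on must not be plain HTTP on the clear web.
  if (last.protocol !== "https:" && !isOnion(last.hostname)) {
    reasons.push(`page is HTTP-only on the clear web: ${last.hostname}`);
  }
  return { verdict: reasons.length ? "block" : "allow", reasons };
}

// Constructed navigation chains.
const samples = [
  ["http://exchange.example/", "https://exchange.example/"],       // normal upgrade
  ["http://exchange.example/"],                                    // HTTPS redirect never arrived
  ["http://exchange.example/", "https://exchange-login.example/"], // sent to another domain
  ["https://exchange.example/", "https://sso.example/login"],      // redirect issued over HTTPS
  ["http://constructedonionhost.onion/"],                          // not the clear web
];
for (const chain of samples) {
  const { verdict, reasons } = checkNavigation(chain);
  console.log(verdict, chain.join(" -> "), reasons.join("; "));
}
```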
