Serious Security Question: Why is my Tor Browser not connecting to DarkNetMarket sites with SSL encryption?

I'm a web developer, & I noticed when I use Tor and connect to Agora or Evolution, the Tor browser tells me that my connection to these sites is not encrypted.

This means the packets I am sending to and from the server, from the Tor exit node to the server receiving the request, are open to interception from a Man In the Middle (MITM) attack, such as if a law enforcement agency set themselves up to be a Tor exit node.

Tor traffic is high value for interception, so the risk of a MITM interception via a Tor exit node is high. Even if you are diligent and use PGP encryption for vendor communications, without encrypted traffic, anybody conducting a MITM could intercept your login credentials when you're logging in, as presumably this information is not sent as encrypted.

Can somebody tell me what security protections are in place to prevent this kind of attack? This isn't a flaw that could DOX you if you use PGP for any sensitive communication over intercepted traffic, but a MITM exploit is certainly the type of security hole that could result in an attacker gaining access to a darknetmarket account (and your escrowed bitcoins).

Am I missing something here?


Comments


[2 Points] fuckoffplsthankyou:

> This means the packets I am sending to and from the server, from the Tor exit node to the server receiving the request, are open to interception from a Man In the Middle (MITM) attack, such as if a law enforcement agency set themselves up to be a Tor exit node.

Sigh.

Tor exit nodes are not used for .onion sites.

> Tor traffic is high value for interception, so the risk of a MITM interception via a Tor exit node is high. Even if you are diligent and use PGP encryption for vendor communications, without encrypted traffic

All Tor traffic between nodes is encrypted. Since you are not using an exit node, your traffic is therefore encrypted.


[1 Points] hdheuud:

Are you fucking serious? So this would lead me to believe my Tor browser is not encrypting packets sent to those markets either, correct? It is not just you?