So like, even if you're typing chipmixer.com in Tor, it's still considered insecure?
Yes, because they're using Let's Encrypt to generate the certificate so they don't have to KYC with anyone.
But it also means the attacker can do the same and just push connections through to them via a non-SSL protocol.