However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.
Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.
The hacker doesn't need the wallet private key to withdraw BTC. Only the secret codes are needed.
That's correct; however, URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.
On the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings.