1
I seem to find conflicting information regarding the possibility of a TOR exit node stealing my data even while using HTTPS. How possible/likely is this?
Let's assume user implements strong security on his personal system/network (no keyloggers, malware, etc.) and the blockchain.info is honest. For this example, I am concerned about the attack vector of the TOR exit node even while using HTTPS.
1
With Blockchain.info, only encrypted private keys are stored on their server. Decryption of private keys and signing is done in the browser. You don't even need to worry about sending your data over HTTPS, let alone TOR because any data that leaves your browser is securely encrypted before it even leaves your computer.
There's one caveat, however; it's difficult to determine whether or not Blockchain.info (or any site, really) is doing exactly what they claim unless you constantly monitor traffic between them and your browser. Ultimately, the most dangerous attack vector would be for Blockchain.info to behave dishonestly, or for a website to impersonate them and do the same.
0
Your Blockchain.info wallet is inherently safe due to the way wallets are generated by Blockchain. Blockchain.info only sends encrypted payloads to and from that are decryptable by the pass phrase you use.
Don't use the API if you don't want to rely on the SSL, which should be pretty strong if used properly but the standard web interface should be safe.
0
Possible attack vectors from the exit node include:
Note: HTTPS Everywhere does not fall back on http when unable to connect. – Nick ODell – 2014-09-07T17:17:21.863