[firepacket]

Siphoning bitcoin transactions is not trivial.

Transactions need to be signed by the holder of the private key to the inputs. A MITM attacker still does not have access to any keys.

If it was that easy, bitcoin would be worthless.

[chatmasta]

You're right. Let me clarify:

I'm not worried about the transactions themselves, as they appear on the blockchain. What worries me is the "meta transactions", if you will. The Bitcoin ecosystem is full of off-blockchain transactions. For example, mining pools use their own communication mechanisms, which the BGP attack this summer exploited. Also, dozens of exchanges, marketplaces, and services rely on HTTP API's for transacting. Even if the blockchain is not vulnerable, the external transactions that reference it certainly could be.

Imagine how many "send X bitcoin from wallet Y to wallet Z" requests route over HTTP. Quite a few.

So yeah, not "trivial" as I said. But certainly not impossible.

(Welcome to HN! I'm glad my mistake brought you out of the woodwork.)

[firepacket]

Thanks. Yes, I somewhat agree with your clarification.

And to further your point, it appears this guy (https://www.reddit.com/r/Bitcoin/comments/2k38ta/my_wallet_w...) just got his coins stolen by using blockchain.info over TOR.

However, I still believe nothing is fundamentally broken. Any important protocol should be using SSL - especially when operating over TOR. Lapses like this are still simply user error.