[ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented

[LoyceV]

Ok I am a noob and I don't know much of technical stuff but can't Chip-mixer make a encrypted connection between the client and it's servers so if a third party is involved the data is well encrypted? I don't know if it's even possible lol

Chipmixer uses an encrypted connection.
I'm not sure how Cloudflare works in the details, but I can imagine Cloudflare must some how know who is a legit user, and who is just a DDOS-bot spamming. Until reading it here, I didn't realize that compromises privacy.

[1715369351]

1715369351

[1715369351]

1715369351

[1715369351]

1715369351

[1715369351]

1715369351

[1715369351]

1715369351

[HeRetiK]

Ok I am a noob and I don't know much of technical stuff but can't Chip-mixer make a encrypted connection between the client and it's servers so if a third party is involved the data is well encrypted? I don't know if it's even possible lol

Chipmixer uses an encrypted connection.
I'm not sure how Cloudflare works in the details, but I can imagine Cloudflare must some how know who is a legit user, and who is just a DDOS-bot spamming. Until reading it here, I didn't realize that compromises privacy.

Cloudflare is basically a legitimized man-in-the-middle attack, ie. while the data gets encrypted between User / Cloudflare and Cloudflare / ChipMixer the data still gets decrypted -- and possibly stored -- on Cloudflare's server.

As far as i know Cloudflare's DDoS protection isn't even all that effective. Or rather, it works for basic DDoS attacks, but more sophisticated attackers will work around Cloudflare's DDoS protection either way.

[ChipMixer]

Cloudflare is basically a legitimized man-in-the-middle attack, ie. while the data gets encrypted between User / Cloudflare and Cloudflare / ChipMixer the data still gets decrypted -- and possibly stored -- on Cloudflare's server.

This is correct.
In case of other mixers using CloudFlare, CloudFlare knows your input address and output addresses. In our case, if we would use CloudFlare, CloudFlare would know input addresses and private keys. CloudFlare is US company so it is reasonable to think that any three letter institution could get an access by court order.

[mocacinno]

Cloudflare is basically a legitimized man-in-the-middle attack, ie. while the data gets encrypted between User / Cloudflare and Cloudflare / ChipMixer the data still gets decrypted -- and possibly stored -- on Cloudflare's server.

This is correct.
In case of other mixers using CloudFlare, CloudFlare knows your input address and output addresses. In our case, if we would use CloudFlare, CloudFlare would know input addresses and private keys. CloudFlare is US company so it is reasonable to think that any three letter institution could get an access by court order.

The reason given by chipmixer in the post above mine ^^ is the main reason why a mixer shouldn't use cloudflare. There are other reasons tough, like there are:
* cloudflare is able to inject any type of content into any page that goes trough their servers
* cloudflare has 2 SSL "modes": flexible and full. For an enduser, it's allmost impossible to tell wether the site he's visiting is using full or flexible SSL mode. If a site is setup with the flexible SSL mode, it is possible for your data to be encrypted between your computer and cloudflare, but unencrypted (over port 80) between cloudflare and the server. So, if everything is setup correctly (full ssl mode), there is no problem, but if the admin was lazy and setup the flexible ssl mode, the user might never know his data is being transferred unencrypted.
* the mixer admin has to sign in to his cloudflare account pretty often, so if he's not carefull with using a VPN all the time, his ip might get logged on an US based company's server
* cloudflare protection is terrible when you try to visit a clearnet url over tor
*...

Don't get me wrong, i love cloudflare, but i don't think it should be used for mixers, banks,...

[HeRetiK]

Cloudflare is basically a legitimized man-in-the-middle attack, ie. while the data gets encrypted between User / Cloudflare and Cloudflare / ChipMixer the data still gets decrypted -- and possibly stored -- on Cloudflare's server.

This is correct.
In case of other mixers using CloudFlare, CloudFlare knows your input address and output addresses. In our case, if we would use CloudFlare, CloudFlare would know input addresses and private keys. CloudFlare is US company so it is reasonable to think that any three letter institution could get an access by court order.

Holy shit I absolutely forgot about the private keys. Those would indeed fall into CloudFlare's hands as well. Not only that, just imagine something like Cloudbleed happening again. That'd be disastrous.

[...]

* cloudflare has 2 SSL "modes": flexible and full. For an enduser, it's allmost impossible to tell wether the site he's visiting is using full or flexible SSL mode. If a site is setup with the flexible SSL mode, it is possible for your data to be encrypted between your computer and cloudflare, but unencrypted (over port 80) between cloudflare and the server. So, if everything is setup correctly (full ssl mode), there is no problem, but if the admin was lazy and setup the flexible ssl mode, the user might never know his data is being transferred unencrypted.

[...].

That's why every dev team needs "that paranoid guy" making sure that shit like that doesn't fly

[btcton]

Ok I am a noob and I don't know much of technical stuff but can't Chip-mixer make a encrypted connection between the client and it's servers so if a third party is involved the data is well encrypted? I don't know if it's even possible lol

That would be the HTTPS protocol, which as you might expect, ChipMixer is already using. When you try visiting ChipMixer.com, you will find yourself redirected to https://chipmixer.com rather than http://chipmixer.com. If you click on the lock in your address bar when this happens, you will see all of the information related to the encryption used, website identity, etc.

On a side note, it seems like the site is still down. I am not well versed in the methods possible to resist DDoS attacks, only simply jargon such as null-routing incoming traffic, but as a reminder to anyone trying to use the website when it's down, feel free to access it through Tor.

[audaciousbeing]

Ok I am a noob and I don't know much of technical stuff but can't Chip-mixer make a encrypted connection between the client and it's servers so if a third party is involved the data is well encrypted? I don't know if it's even possible lol

That would be the HTTPS protocol, which as you might expect, ChipMixer is already using. When you try visiting ChipMixer.com, you will find yourself redirected to https://chipmixer.com rather than http://chipmixer.com. If you click on the lock in your address bar when this happens, you will see all of the information related to the encryption used, website identity, etc.

On a side note, it seems like the site is still down. I am not well versed in the methods possible to resist DDoS attacks, only simply jargon such as null-routing incoming traffic, but as a reminder to anyone trying to use the website when it's down, feel free to access it through Tor.

It actually took me a while to identify the difference in the two options you posted. If the DDOS attack is too much and there is no way around it without compromising the privacy of users, then I dont see anything wrong in migrating completely to Tor. Anybody who even value privacy to have been convinced on going through with mixing services, should also be aware of Tor and even more convenient in using it by default.

I think at this point, emphasis should be placed more on the Tor version of the site if the normal is becoming unavailable for use at the right time.

[btcton]

Ok I am a noob and I don't know much of technical stuff but can't Chip-mixer make a encrypted connection between the client and it's servers so if a third party is involved the data is well encrypted? I don't know if it's even possible lol

That would be the HTTPS protocol, which as you might expect, ChipMixer is already using. When you try visiting ChipMixer.com, you will find yourself redirected to https://chipmixer.com rather than http://chipmixer.com. If you click on the lock in your address bar when this happens, you will see all of the information related to the encryption used, website identity, etc.

On a side note, it seems like the site is still down. I am not well versed in the methods possible to resist DDoS attacks, only simply jargon such as null-routing incoming traffic, but as a reminder to anyone trying to use the website when it's down, feel free to access it through Tor.

It actually took me a while to identify the difference in the two options you posted. If the DDOS attack is too much and there is no way around it without compromising the privacy of users, then I dont see anything wrong in migrating completely to Tor. Anybody who even value privacy to have been convinced on going through with mixing services, should also be aware of Tor and even more convenient in using it by default.

I think at this point, emphasis should be placed more on the Tor version of the site if the normal is becoming unavailable for use at the right time.

The potential problem is it would isolate more casual users who do not know about Tor or do not want to bother learning about it. Not everyone who uses mixers goes all the way with privacy tools such as Tor. I can use myself as an example: I do not really care much for what information my ISP could get from my browsing history; I do not really do anything that would raise any flags or be seen as illegal or as a violation of their ToS. My reason for using ChipMixer is simply to cut ties between any old addresses and my new ones as well as making sure no trace is left when switching wallets. I do not really use Tor as I have no need for it, but I do have a need (or at least significant want) for making sure my bitcoins are properly mixed.

[LoyceV]

The potential problem is it would isolate more casual users who do not know about Tor or do not want to bother learning about it.

Although you're right most users don't know about Tor, you're wrong on the "learning" part. Using Tor is as simple as downloading the browser, just like you'd install Firefox or Chrome on your new PC.
After this, it's pretty straight forward to use the browser.

@ChipMixer: the video on your site has been a placeholder for quite a while now. That can't be good for new users.
Also: I suggest you remove the word "below":

Watch the video below to learn more about ChipMixer.

[cafucafucafu]

The potential problem is it would isolate more casual users who do not know about Tor or do not want to bother learning about it.

Although you're right most users don't know about Tor, you're wrong on the "learning" part. Using Tor is as simple as downloading the browser, just like you'd install Firefox or Chrome on your new PC.
After this, it's pretty straight forward to use the browser.

@ChipMixer: the video on your site has been a placeholder for quite a while now. That can't be good for new users.
Also: I suggest you remove the word "below":

Watch the video below to learn more about ChipMixer.

Definitely. Pretty much there has been a placeholder there ever since the new version of Chipmixer has been around, i mean i get that the team is probably busy with other stuff but i believe that a video is especially necessary for new users specifically as well.

Adding a video can boost confidence in the service for first timers by a lot as well, imo.

[ChipMixer]

@ChipMixer: the video on your site has been a placeholder for quite a while now. That can't be good for new users.

You are right, we have had too much other ideas and video was never finished. We have received a lot of question both here and at support e-mail. We will use this knowledge with the video.

[cafucafucafu]

@ChipMixer: the video on your site has been a placeholder for quite a while now. That can't be good for new users.

You are right, we have had too much other ideas and video was never finished. We have received a lot of question both here and at support e-mail. We will use this knowledge with the video.

Great to know, chipmixer.

BTW, have you implemented anything to prevent the chips running out yet? I think that is a major issue that you need to solve before even considering to place the video there. Once you solve that issue, you can move onto other things.

[btcton]

The potential problem is it would isolate more casual users who do not know about Tor or do not want to bother learning about it.

Although you're right most users don't know about Tor, you're wrong on the "learning" part. Using Tor is as simple as downloading the browser, just like you'd install Firefox or Chrome on your new PC.
After this, it's pretty straight forward to use the browser.

I am not talking strictly about using Tor, as you are right, it is not really hard. However, outside of those of us who have used it before, it has a negative connotation that is usually associated with suspicious and illegal activity on the dark web. What I was referring to is people understanding what Tor really is and how it works and the reason it could be used instead of other non-private protocols. The actual act of using it is fairly simple, of course.

[Rahar02]

Any problem with chipmixer site? I can't access it right now.
Well, I'm accessing it through chrome browser, and just got 504 gateway time out.
There's no problem with my connection, or I should access it through tor browser?

[TryNinja]

Any problem with chipmixer site? I can't access it right now.
Well, I'm accessing it through chrome browser, and just got 504 gateway time out.
There's no problem with my connection, or I should access it through tor browser?

It's not only you. My first thought was that they were still getting DDOS'ed, but neither the clearnet nor the Tor version are working on my side.

[btcton]

Any problem with chipmixer site? I can't access it right now.
Well, I'm accessing it through chrome browser, and just got 504 gateway time out.
There's no problem with my connection, or I should access it through tor browser?

It's not only you. My first thought was that they were still getting DDOS'ed, but neither the clearnet nor the Tor version are working on my side.

Considering that ChipMixer has been active here in the forums, I would not be too worried. If I had to guess, they are probably figuring out a way to prevent the DDoS attacks from taking them down without having to resort to third parties such as Cloudflare. It is either that or just maintenance, unless the website also somehow got taken down through Tor, but I don't see how that could happen. 504 error refers to them not being able to access another server, but as far as I know, ChipMixer doesn't need to access any other server apart from their own, so I am not sure what could cause that.

[Kyraishi]

Any problem with chipmixer site? I can't access it right now.
Well, I'm accessing it through chrome browser, and just got 504 gateway time out.
There's no problem with my connection, or I should access it through tor browser?

Me neither. It shouldn't be an isolated incident, but rather something wrong on Chipmixer's side.

I'm guessing that it's just maintenance that they haven't announced. Honestly, they have no incentive at all to scam someone based on the amount of effort they have put into advertising and maintaining their service.

Just wait for them to come up again.

[ChipMixer]

We are back online. Another mixer has sent over 7M requests to our .onion address (and it is not over yet). We have updated our code to mitigate this attack. Now every new session requires solving a captcha (sorry about that), but at least you can access ChipMixer now.

[richardsNY]

We are back online. Another mixers owner has sent over 7M requests to our .onion address (and it is not over yet). We have updated our code to mitigate this attack. Now every new session requires solving a captcha (sorry about that), but at least you can access ChipMixer now.

That explains why the service yesterday wasn't available for quite a long time. I have noticed that it is happening quite regularly that the service experiences a time out, while I must say that these by far aren't as severe as the time out from yesterday. It's a sign that ChipMixer is gaining popularity, which is what certain competitors can't accept. Is that same mixing service also responsible for previous time outs, or are these largely the result of more usage/demand?

[ChipMixer]

It's a sign that ChipMixer is gaining popularity, which is what certain competitors can't accept. Is that same mixing service also responsible for previous time outs, or are these largely the result of more usage/demand?

After BitMixer closed and older mixers did not react, we may have risen to top3 (volume based) and most active on this forum. Other mixers may think that attacking us will give them more traffic.

Service timeouts are result of DDoS attacks, chip shortages are result of too much usage/demand. We have increased frequency of chip generation and unless another "China bans Bitcoin" happens, we are ok.