Your site's tirade against "broken encryption" is weird. You do know that no major desktop browser uses OpenSSL, right?



Your reply is kind of off-topic, don't you think? Nowhere on the site do I say that a desktop browser uses OpenSSL. I'm not sure where you got that from.

If you'll notice, our website does not use broken encryption (because SSL delivered by OpenSSL is a joke anyway). And we currently require you to install Tor Browser in order to have dependable encryption before purchasing.

Either way, thanks for looking at our website!


But most HTTP servers do use OpenSSL, so the tirade is not wrong.


But that's up to them, to choose a server which doesn't. Whereas currently, people are being redirected to the safe site from a completely unprotected landing page, so they can get MITM'ed and sent to a honeypot instead.


Please let me know how someone can be MITM'ed when connecting to medicalcannab.is over Tor.

When you connect to the domain with Tor Browser, the server detects your IP, then redirects to the appropriate .onion site if coming from an exit node. In order to be MITM'd, you'd have to either be using a Tor exit node that was compromised, or my server would have to be completely compromised beforehand.

Neither of these seem like likely scenarios, so I'm curious as to what you see that I don't.
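A check a site operator could run against the redirect described above (the clearnet landing page forwarding exit-node visitors to the .onion address), added here as an example and not code from the thread or from the site: it parses a constructed HTTP response and flags whether the redirect can be rewritten in transit. The helper names, sample onion addresses and header values are assumptions.

```python
import re

# Added example (hypothetical helper, not the site's own code).
# Matches v2 (16 chars) and v3 (56 chars) onion hostnames in a URL.
ONION_URL = re.compile(
    r"^https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:[/:]|$)", re.I
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response head into (status_code, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_onion_redirect(scheme: str, raw: bytes) -> list:
    """Return findings (empty list = nothing flagged) for a landing page that
    forwards Tor users to its .onion site. `scheme` is how the page was
    fetched ("http" or "https"); a raw response does not record that."""
    status, headers = parse_response(raw)
    findings = []
    target = headers.get("location", "")
    is_redirect = 300 <= status < 400 and target != ""
    if scheme != "https":
        # The exit node relays a cleartext redirect byte for byte and can
        # rewrite it, sending the visitor to an impostor .onion mirror.
        findings.append("redirect delivered over plain HTTP: an exit node can rewrite it")
    elif "strict-transport-security" not in headers:
        findings.append("no HSTS header: a first visit typed as http:// can still be downgraded")
    if is_redirect and not ONION_URL.match(target):
        findings.append(f"Location target is not an onion address: {target}")
    if "onion-location" not in headers:
        findings.append("no Onion-Location header: Tor Browser cannot offer the .onion itself")
    return findings


# Constructed sample responses (placeholder onion address, not a real site).
PLAIN_HTTP_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://abcdefghijklmnop.onion/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HARDENED_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://abcdefghijklmnop.onion/\r\n"
    b"Onion-Location: http://abcdefghijklmnop.onion/\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
)
```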


You should assume Tor exit nodes to be hostile. There have been exit nodes that injected malicious code into binaries downloaded through them, and running an exit node is an obvious choice for an attacker, hoping for people running unencrypted traffic through them.


Fair enough. Someone could mirror my site's content, and we wouldn't have the ability to check where it's going.

However, that's not too much of an issue. We don't offer binaries (outside of two PDF files that may have a JPG embedded), and nothing on our Onion site requires a download. The most they could really do is make someone give bitcoins to the wrong wallet. That's a pretty easy customer service issue to solve ("We are not responsible for bitcoins sent to wrong wallets").

I guess I'm not seeing the vulnerability here.
