TLS Stratum for Solo Mining (2026) — Encrypted Connections Explained
What TLS stratum means for solo mining, how it differs from plain TCP, the attacks it prevents, when to use it, and how to enable encrypted connections. Native TLS on SoloFury, all coins.
Most mining connections still travel in plain text. When your miner talks to a pool over a standard stratum connection, every message — the work you receive, the shares you submit, your worker name — is sent unencrypted. Anyone positioned on the network path between you and the pool can read it, and in some cases manipulate it. TLS stratum closes that gap by encrypting the link end to end and cryptographically verifying the pool’s identity.
This guide explains what TLS does for solo mining, how it differs from plain TCP, the real attacks it prevents, when it actually matters, and how to switch it on. SoloFury offers native TLS support on every coin and every region, so any miner with TLS-capable firmware can connect securely with a single setting.
What is TLS stratum?
Stratum is the protocol your miner uses to talk to a pool: it subscribes for work, authorizes a worker, receives block templates via mining.notify, and submits results via mining.submit. It was introduced in 2012 to replace the older getwork protocol, and it has been the universal standard for pooled mining ever since. By design, it runs over plain TCP and transmits everything as human-readable JSON — which made it easy to debug, but means it has no built-in encryption or authentication.
TLS (Transport Layer Security, the successor to SSL and the same technology behind the padlock in your browser) wraps that same stratum traffic in an encrypted, authenticated tunnel. The miner and pool exchange exactly the same mining messages, but an observer on the network path sees only ciphertext, and the miner can verify — via the server’s certificate — that it is talking to the genuine pool rather than an impostor. In connection strings this is written as stratum+tls:// instead of stratum+tcp://.
This isn’t a new idea. The convention of running encrypted mining traffic on a separate port goes back years — early stratum and Electrum servers already advertised a dedicated TLS port (for example 50002 for TLS versus 50001 for plain TCP), a pattern that pools still follow today.
TLS vs plain TCP: the difference
| | Plain TCP (stratum+tcp://) | TLS (stratum+tls://) |
|---|---|---|
| Data on the wire | Readable by anyone in between | Encrypted, unreadable to observers |
| Worker name / wallet visible | Yes | No |
| Share traffic visible | Yes | No |
| Server authentication | None | Certificate proves it’s the real pool |
| Resists tampering / injection | No | Yes |
| Resists hashrate hijacking | No | Yes |
| Setup effort | Default | One toggle + different port |
| Performance impact | Baseline | Negligible |
Plain TCP works and has been used reliably for over a decade. But everything it sends is visible — and alterable — by whoever controls the network between you and the pool. TLS removes that exposure.
The attack TLS prevents: hashrate hijacking
The strongest reason to use TLS isn’t abstract privacy — it’s a specific, documented attack. Because plain stratum is unencrypted and unauthenticated, an attacker positioned on the network path (a malicious ISP, a compromised router, or a state-level adversary performing a routing attack) can sit between your miner and the pool, intercept your proof-of-work shares, and redirect them to a pool the attacker controls — collecting the rewards your hardware earned.
What makes this insidious is how little needs to be stolen to matter. Diverting just 1–2% of a miner’s hashrate is enough to materially affect profitability while staying small enough to go unnoticed. The victim sees a slightly lower hashrate or a few more “stale” shares and assumes it’s network noise.
TLS defeats this in two ways at once: the traffic is encrypted (the attacker can’t read or cleanly modify it) and the server is authenticated (your miner verifies the certificate, so a fake pool in the middle is rejected outright).
What TLS actually protects — and what it doesn’t
Encryption is often oversold, so it’s worth being precise.
TLS protects:
- Your worker name and the wallet address it often contains, so they aren’t broadcast in clear text.
- Your share submissions and received work, so they can’t be read, redirected, or quietly altered.
- The pool’s identity, via certificate validation — defeating man-in-the-middle and hashrate-hijacking attempts.
- Your operational privacy: on a plaintext connection, an observer can infer your hashrate from your share traffic and roughly estimate your earnings. TLS hides that.
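To make the list above concrete, the following added example (not from the original guide or from SoloFury) summarizes what a plaintext Stratum V1 session reveals to anyone who can read it. The capture lines, wallet and worker name are constructed; the `<wallet>.<rig>` split and the 2^32-hashes-per-difficulty-1-share approximation are assumptions stated in the comments.

```python
import json

# Constructed sample: (seconds, line) pairs from a capture of one's own miner on
# stratum+tcp://. Wallet, worker and job values are made up for illustration.
W = "bitcoincash:qexamplewallet.rig1"
CAPTURE = [
    (0.0, '{"id":1,"method":"mining.subscribe","params":["demo-miner/1.0"]}'),
    (0.5, '{"id":2,"method":"mining.authorize","params":["%s","x"]}' % W),
    (1.0, '{"id":null,"method":"mining.set_difficulty","params":[1024]}'),
    (1.5, "garbled-bytes-not-json"),
] + [
    (t, '{"id":%d,"method":"mining.submit","params":["%s","job1","00","65","1a"]}' % (t, W))
    for t in (32, 64, 96, 128)
]


def summarize_exposure(capture):
    """Return what anyone reading a plaintext stratum session learns from it."""
    seen = {"worker": None, "wallet": None, "shares": 0, "est_hashrate_hs": 0.0}
    difficulty, work, first_ts, last_share_ts = None, 0.0, None, None
    for ts, line in capture:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON stratum line
        if not isinstance(msg, dict):
            continue
        if first_ts is None:
            first_ts = ts
        method, params = msg.get("method"), msg.get("params")
        if not isinstance(params, list):
            params = []
        if method == "mining.authorize" and params:
            seen["worker"] = str(params[0])
            # Assumption: the common "<wallet>.<rig>" worker naming convention.
            seen["wallet"] = seen["worker"].split(".", 1)[0]
        elif method == "mining.set_difficulty" and params:
            difficulty = float(params[0])
        elif method == "mining.submit" and difficulty is not None:
            seen["shares"] += 1
            work += difficulty * 2**32  # one difficulty-1 share ~ 2^32 hashes
            last_share_ts = ts
    if last_share_ts is not None and last_share_ts > first_ts:
        seen["est_hashrate_hs"] = work / (last_share_ts - first_ts)
    return seen


if __name__ == "__main__":
    print(summarize_exposure(CAPTURE))
```

Over `stratum+tls://` the same capture contains only ciphertext, so none of these fields can be recovered from it.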
TLS does not change:
- Your odds of finding a block. Block discovery is pure probability driven by hashrate and network difficulty. Encryption has zero effect on it.
- Your hashrate or efficiency. The miner does identical work either way.
- Your payouts. On a non-custodial solo pool, rewards are paid directly from the block’s coinbase to your address regardless of transport.
What you gain, and what it costs
What you gain
- Privacy — your wallet-derived worker name and hashrate stop being visible on the wire.
- Integrity — data can’t be silently modified between miner and pool.
- Authentication — the certificate proves the server is really the pool.
- Protection from hashrate theft — the redirection attack above becomes infeasible.
What it costs
- A negligible amount of overhead. TLS adds a brief handshake when the connection opens, plus a thin encryption layer afterward. For a stratum connection that stays open for hours, this is imperceptible — it does not measurably affect latency, stale rates, or block-finding.
- A firmware requirement. Your firmware must support TLS/SSL stratum. Most modern firmware does; older builds may not.
- A different port. TLS endpoints use a separate port from plain ones, so you change the port when you switch.
The cost is close to nothing; the benefit is a private, authenticated, tamper-resistant connection.
When should you use TLS?
TLS matters most when the network between you and the pool isn’t fully under your control:
- Public or shared networks — coworking spaces, hosting facilities, hotel or campus Wi-Fi.
- Hosted / colocated mining — your traffic crosses infrastructure you don’t own, exactly the scenario where redirection attacks are most feasible.
- Untrusted ISP paths — regions or situations where you’d rather not assume the network in between is benign.
- Privacy-conscious setups — if you simply prefer your worker names and hashrate not be observable.
It matters less on a fully trusted single-user home network — but there’s no real downside to enabling it everywhere, since the overhead is negligible and the protection is free.
How to enable TLS on your miner
Switching is simple and the same in principle across firmware. You change two things; everything else stays identical:
- The protocol / toggle. Enable the TLS or SSL option in your miner’s pool settings (wording varies by firmware). This makes the miner use stratum+tls:// instead of stratum+tcp://.
- The port. TLS uses a different port from the plain connection. On SoloFury the TLS port is the plain port with a “1” in front — for example BCH’s 7070 becomes 17070. The hostname stays the same.
Your wallet address, worker name, and password are unchanged.
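Before changing the miner, the two steps above can be checked from any workstation. This is an added example, not SoloFury's or any firmware's code: it derives the TLS endpoint using the port rule stated above and performs a handshake with full certificate and hostname validation. The hostname `pool.example.invalid` is a placeholder and the function names are hypothetical.

```python
import socket
import ssl
from urllib.parse import urlsplit


def to_tls_url(plain_url):
    """Apply the page's rule: same hostname, plain port with a '1' in front."""
    parts = urlsplit(plain_url)
    if parts.scheme != "stratum+tcp" or not parts.hostname or parts.port is None:
        raise ValueError("expected stratum+tcp://host:port")
    tls_port = int("1%d" % parts.port)
    if tls_port > 65535:
        raise ValueError("prefixed port %d is out of range" % tls_port)
    return "stratum+tls://%s:%d" % (parts.hostname, tls_port)


def strict_context():
    """Client context that validates the chain and the hostname against system CAs."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(tls_url, timeout=10.0):
    """Handshake only; raises ssl.SSLCertVerificationError if the cert is not valid."""
    parts = urlsplit(tls_url)
    if parts.scheme != "stratum+tls" or not parts.hostname or parts.port is None:
        raise ValueError("expected stratum+tls://host:port")
    with socket.create_connection((parts.hostname, parts.port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=parts.hostname) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": cert.get("notAfter"),
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    # pool.example.invalid is a placeholder; substitute the hostname from your pool settings.
    url = to_tls_url("stratum+tcp://pool.example.invalid:7070")
    print(url)
    try:
        print(check_endpoint(url))
    except OSError as exc:  # DNS failure, refused connection, or failed verification
        print("connection rejected:", exc)
```

A verification error here means the certificate presented on that port does not chain to a trusted CA or does not match the hostname, which is the condition a TLS-capable miner is expected to reject.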
Firmware compatibility: TLS support was added to mining firmware at different times, so make sure yours is reasonably current. If your firmware exposes no TLS/SSL option, it likely predates support — updating usually adds it. SoloFury uses a publicly trusted certificate, so compatible firmware validates it automatically with nothing to paste; some firmware with stricter certificate handling may behave differently. If TLS isn’t available on your device, plain TCP remains fully functional — you simply won’t have the encryption layer.
Looking ahead: Stratum V2
TLS solves encryption and authentication for today’s stratum (now retroactively called Stratum V1). The protocol’s planned successor, Stratum V2 (SV2), builds these protections in at a deeper level and adds more on top.
Specified in 2019 by the team behind the original protocol together with a Bitcoin Core developer, SV2 introduces three core changes: encrypted and authenticated connections by default (no separate TLS toggle needed), a compact binary message format that cuts bandwidth substantially versus V1’s verbose JSON, and — most significantly — a job-declaration protocol that lets miners construct their own block templates instead of blindly hashing whatever the pool sends.
For large-scale operations, SV2’s combination of lower latency, faster template delivery, and efficiency gains has been measured to improve profitability by a few percent in aggregate (note: that figure comes from the full SV2 stack, not from encryption alone — TLS by itself does not increase profits). For solo miners, the headline benefit is the same security TLS provides today, plus the autonomy of building your own templates.
SV2 adoption is still maturing across firmware and pools, and translation proxies exist to bridge older V1 firmware to V2 pools. For now, TLS over Stratum V1 is the practical, widely supported way to secure your connection — and it’s available today.
Frequently asked questions
Does TLS make solo mining more profitable or improve my odds? No. TLS only secures the connection. Your chance of finding a block depends solely on hashrate and network difficulty — encryption has no effect on it.
Does TLS slow down my miner or increase stale shares? Not measurably. The encryption overhead on a long-lived stratum connection is negligible and doesn’t affect latency or stale rates.
What exactly is hashrate hijacking? It’s an attack where someone on your network path intercepts your shares and redirects them to their own pool, stealing the rewards. It works only on unencrypted connections; TLS prevents it by encrypting the traffic and authenticating the pool.
Do I need to install a certificate on my miner? On most firmware, no. SoloFury uses a publicly trusted certificate, so compatible miners validate it automatically — you just enable the TLS toggle. Some firmware with stricter certificate handling may behave differently, but the common case requires nothing to paste.
What port do I use for TLS? On SoloFury, the TLS port is the plain port with a “1” prefix (for example 7070 becomes 17070). The hostname stays the same. The setup wizard fills this in automatically.
Is plain TCP unsafe? “Unsafe” is too strong — it’s been used reliably for years. But it sends your worker name, hashrate, and shares in readable form, and is vulnerable to redirection on a hostile network. On a trusted network the risk is low; on shared or untrusted networks, TLS is the better choice.
Is TLS the same as Stratum V2? No. TLS adds encryption and authentication to today’s Stratum V1. Stratum V2 is a future protocol that builds in encryption by default and adds further changes like miner-built templates. TLS is available and widely supported right now.
Can I switch between TLS and plain TCP anytime? Yes. They’re just different ports on the same pool. You can switch back and forth freely with no effect on your mining history or payouts.
Next steps
Ready to connect securely? Head to the setup wizard, choose your coin and region, and enable TLS — it builds the exact configuration for you. New to solo mining? Start with the solo mining quick-start guide. Running small home hardware? The Bitaxe solo mining guide covers the coins that give you the best odds. Deciding what to point your hashrate at? The coin selection guide breaks down the trade-offs.
SoloFury is non-custodial solo mining across five SHA-256 coins (BTC, BCH, BC2, BCH2, XEC) with a 1% fee, nine global regions, and native TLS on every endpoint.