*sigh*
the message should not just have a challenge but a challenge pubkey, and then the response can be encrypted, and it can be done over a proxy
TLS has been broken several times before; it's not immune to various kinds of MITM and side-channel attacks, and enabling proxy relays opens up a heap of options for relay services