mirror of
https://github.com/alecmuffett/real-world-onion-sites.git
synced 2024-10-01 01:06:18 -04:00
commit: move to footnotes
This commit is contained in:
parent
95688a6533
commit
75bff9b4e4
@ -8,70 +8,8 @@ This is a list of substantial, commercial-or-social-good mainstream websites whi
|
||||
sketchy-content sites
|
||||
- the editor reserves all rights to annotate or drop any or all
|
||||
entries as deemed fit
|
||||
- updated: [see the change history for specifics](https://github.com/alecmuffett/onion-sites-that-dont-suck/commits/master/README.md)
|
||||
- licensed: cc-by-sa
|
||||
- author/editor: alec muffett
|
||||
|
||||
## Notes
|
||||
|
||||
- If both v2 and v3 addresses are provided for a service, the v3
|
||||
address will be preferred / cited
|
||||
- The master list of Onion SSL EV Certificates may be viewed at
|
||||
https://crt.sh/?q=%25.onion
|
||||
- This file (`README.md`) is auto-generated; do not submit changes nor
|
||||
pull-requests for it
|
||||
- Please submit an `Issue` for consideration / change requests
|
||||
|
||||
### RWOS Status Detector
|
||||
|
||||
- :white_check_mark: site up
|
||||
- :eight_spoked_asterisk: site up, and redirected to another page
|
||||
- :no_entry_sign: site up, but could not access the page
|
||||
- :stop_sign: site up, but reported a system error
|
||||
- :sos: site returned no data, or is down, or curl experienced a
|
||||
transient network error
|
||||
- :new: site is newly added, no data yet
|
||||
|
||||
You can also see the [history of updates](https://github.com/alecmuffett/real-world-onion-sites/commits/master/README.md).
|
||||
|
||||
### Codes & Exit Statuses
|
||||
|
||||
Mouse-over the icons for details of HTTP codes, curl exit statuses,
|
||||
and the number of attempts made on each site.
|
||||
|
||||
- codes [are from HTTP and are documented elsewhere](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes); RWOS-internal ones include:
|
||||
- `901`, `902`, `903` - malformed HTTP response
|
||||
- `904` - HTTP status code parse error
|
||||
- `910` - connection timeout
|
||||
- exits [are from Curl and are documented elsewhere](https://curl.haxx.se/libcurl/c/libcurl-errors.html); common ones include:
|
||||
- `7` - "curl couldn't connect"
|
||||
- `52` - "curl got nothing", received no data from upstream
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers **do** and **must** treat HTTPS requests in
|
||||
ways that are fundamentally different to HTTP, e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content, or
|
||||
- whether to permit access to camera and microphone devices (WebRTC)
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion. Doubtless some browsers will *attempt* to
|
||||
implement "better-than-default trust and security via HTTP over
|
||||
onions", but this behaviour will not be **standard**, cannot be
|
||||
**relied upon** by clients/users, and will therefore be **risky**.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
Techical details and the legend/key for symbols, will be found in the
|
||||
[footnotes section](#footnotes), below.
|
||||
|
@ -1,4 +1,69 @@
|
||||
## Don't have a GitHub account?
|
||||
## Footnotes
|
||||
|
||||
GitHub is certainly the fastest and most effective way to submit a
|
||||
suggestion; if you lack that, try `@alecmuffett` on Twitter.
|
||||
- If both v2 and v3 addresses are provided for a service, the v3
|
||||
address will be preferred / cited
|
||||
- The master list of Onion SSL EV Certificates may be viewed at
|
||||
https://crt.sh/?q=%25.onion
|
||||
- This file (`README.md`) is auto-generated; do not submit changes nor
|
||||
pull-requests for it
|
||||
- Please submit an `Issue` for consideration / change requests
|
||||
|
||||
### RWOS Status Detector
|
||||
|
||||
- :white_check_mark: site up
|
||||
- :eight_spoked_asterisk: site up, and redirected to another page
|
||||
- :no_entry_sign: site up, but could not access the page
|
||||
- :stop_sign: site up, but reported a system error
|
||||
- :sos: site returned no data, or is down, or curl experienced a
|
||||
transient network error
|
||||
- :new: site is newly added, no data yet
|
||||
|
||||
You can also see the [history of updates](https://github.com/alecmuffett/real-world-onion-sites/commits/master/README.md).
|
||||
|
||||
### Codes & Exit Statuses
|
||||
|
||||
Mouse-over the icons for details of HTTP codes, curl exit statuses,
|
||||
and the number of attempts made on each site.
|
||||
|
||||
- codes [are from HTTP and are documented elsewhere](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes); RWOS-internal ones include:
|
||||
- `901`, `902`, `903` - malformed HTTP response
|
||||
- `904` - HTTP status code parse error
|
||||
- `910` - connection timeout
|
||||
- exits [are from Curl and are documented elsewhere](https://curl.haxx.se/libcurl/c/libcurl-errors.html); common ones include:
|
||||
- `7` - "curl couldn't connect"
|
||||
- `52` - "curl got nothing", received no data from upstream
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers **do** and **must** treat HTTPS requests in
|
||||
ways that are fundamentally different to HTTP, e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content, or
|
||||
- whether to permit access to camera and microphone devices (WebRTC)
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion. Doubtless some browsers will *attempt* to
|
||||
implement "better-than-default trust and security via HTTP over
|
||||
onions", but this behaviour will not be **standard**, cannot be
|
||||
**relied upon** by clients/users, and will therefore be **risky**.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
|
||||
### Feedback
|
||||
|
||||
[The issues page](https://github.com/alecmuffett/real-world-onion-sites/issues)
|
||||
is the fastest and most effective way to submit a suggestion; if you
|
||||
lack a Github account, try messaging `@alecmuffett` on Twitter.
|
||||
|
137
README.md
137
README.md
@ -8,73 +8,11 @@ This is a list of substantial, commercial-or-social-good mainstream websites whi
|
||||
sketchy-content sites
|
||||
- the editor reserves all rights to annotate or drop any or all
|
||||
entries as deemed fit
|
||||
- updated: [see the change history for specifics](https://github.com/alecmuffett/onion-sites-that-dont-suck/commits/master/README.md)
|
||||
- licensed: cc-by-sa
|
||||
- author/editor: alec muffett
|
||||
|
||||
## Notes
|
||||
|
||||
- If both v2 and v3 addresses are provided for a service, the v3
|
||||
address will be preferred / cited
|
||||
- The master list of Onion SSL EV Certificates may be viewed at
|
||||
https://crt.sh/?q=%25.onion
|
||||
- This file (`README.md`) is auto-generated; do not submit changes nor
|
||||
pull-requests for it
|
||||
- Please submit an `Issue` for consideration / change requests
|
||||
|
||||
### RWOS Status Detector
|
||||
|
||||
- :white_check_mark: site up
|
||||
- :eight_spoked_asterisk: site up, and redirected to another page
|
||||
- :no_entry_sign: site up, but could not access the page
|
||||
- :stop_sign: site up, but reported a system error
|
||||
- :sos: site returned no data, or is down, or curl experienced a
|
||||
transient network error
|
||||
- :new: site is newly added, no data yet
|
||||
|
||||
You can also see the [history of updates](https://github.com/alecmuffett/real-world-onion-sites/commits/master/README.md).
|
||||
|
||||
### Codes & Exit Statuses
|
||||
|
||||
Mouse-over the icons for details of HTTP codes, curl exit statuses,
|
||||
and the number of attempts made on each site.
|
||||
|
||||
- codes [are from HTTP and are documented elsewhere](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes); RWOS-internal ones include:
|
||||
- `901`, `902`, `903` - malformed HTTP response
|
||||
- `904` - HTTP status code parse error
|
||||
- `910` - connection timeout
|
||||
- exits [are from Curl and are documented elsewhere](https://curl.haxx.se/libcurl/c/libcurl-errors.html); common ones include:
|
||||
- `7` - "curl couldn't connect"
|
||||
- `52` - "curl got nothing", received no data from upstream
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers **do** and **must** treat HTTPS requests in
|
||||
ways that are fundamentally different to HTTP, e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content, or
|
||||
- whether to permit access to camera and microphone devices (WebRTC)
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion. Doubtless some browsers will *attempt* to
|
||||
implement "better-than-default trust and security via HTTP over
|
||||
onions", but this behaviour will not be **standard**, cannot be
|
||||
**relied upon** by clients/users, and will therefore be **risky**.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
Techical details and the legend/key for symbols, will be found in the
|
||||
[footnotes section](#footnotes), below.
|
||||
|
||||
----
|
||||
# Index
|
||||
@ -898,8 +836,73 @@ These sites have apparently stopped responding.
|
||||
* proof: [link](https://apps.voxmedia.com/verge-tips/)
|
||||
|
||||
|
||||
## Don't have a GitHub account?
|
||||
## Footnotes
|
||||
|
||||
GitHub is certainly the fastest and most effective way to submit a
|
||||
suggestion; if you lack that, try `@alecmuffett` on Twitter.
|
||||
- If both v2 and v3 addresses are provided for a service, the v3
|
||||
address will be preferred / cited
|
||||
- The master list of Onion SSL EV Certificates may be viewed at
|
||||
https://crt.sh/?q=%25.onion
|
||||
- This file (`README.md`) is auto-generated; do not submit changes nor
|
||||
pull-requests for it
|
||||
- Please submit an `Issue` for consideration / change requests
|
||||
|
||||
### RWOS Status Detector
|
||||
|
||||
- :white_check_mark: site up
|
||||
- :eight_spoked_asterisk: site up, and redirected to another page
|
||||
- :no_entry_sign: site up, but could not access the page
|
||||
- :stop_sign: site up, but reported a system error
|
||||
- :sos: site returned no data, or is down, or curl experienced a
|
||||
transient network error
|
||||
- :new: site is newly added, no data yet
|
||||
|
||||
You can also see the [history of updates](https://github.com/alecmuffett/real-world-onion-sites/commits/master/README.md).
|
||||
|
||||
### Codes & Exit Statuses
|
||||
|
||||
Mouse-over the icons for details of HTTP codes, curl exit statuses,
|
||||
and the number of attempts made on each site.
|
||||
|
||||
- codes [are from HTTP and are documented elsewhere](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes); RWOS-internal ones include:
|
||||
- `901`, `902`, `903` - malformed HTTP response
|
||||
- `904` - HTTP status code parse error
|
||||
- `910` - connection timeout
|
||||
- exits [are from Curl and are documented elsewhere](https://curl.haxx.se/libcurl/c/libcurl-errors.html); common ones include:
|
||||
- `7` - "curl couldn't connect"
|
||||
- `52` - "curl got nothing", received no data from upstream
|
||||
|
||||
### TLS Security
|
||||
|
||||
Due to the fundamental protocol differences between `HTTP` and
|
||||
`HTTPS`, it is not wise to consider HTTP-over-Onion to be "as secure
|
||||
as HTTPS"; web browsers **do** and **must** treat HTTPS requests in
|
||||
ways that are fundamentally different to HTTP, e.g.:
|
||||
|
||||
- with respect to cookie handling, or
|
||||
- where the trusted connection terminates, or
|
||||
- how to deal with loading embedded insecure content, or
|
||||
- whether to permit access to camera and microphone devices (WebRTC)
|
||||
|
||||
...and the necessity of broad adherence to web standards would make it
|
||||
harmful to attempt to optimise just one browser (e.g. Tor Browser) to
|
||||
elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP,
|
||||
let alone HTTPS-over-Onion. Doubtless some browsers will *attempt* to
|
||||
implement "better-than-default trust and security via HTTP over
|
||||
onions", but this behaviour will not be **standard**, cannot be
|
||||
**relied upon** by clients/users, and will therefore be **risky**.
|
||||
|
||||
**tl;dr** - HTTP-over-Onion should not be considered as secure as
|
||||
HTTPS-over-Onion, and attempting to force it thusly will create a
|
||||
future compatibility mess for the ecosystem of onion-capable browsers.
|
||||
|
||||
- :wrench: semi-secure HTTP Onion site, protected by Onion circuits at
|
||||
best; will not respect browser secure/HTTPS behaviour
|
||||
- :closed_lock_with_key: secure HTTPS Onion site, protected by both
|
||||
Onion circuits and TLS, will respect browser secure/HTTPS behaviour
|
||||
|
||||
### Feedback
|
||||
|
||||
[The issues page](https://github.com/alecmuffett/real-world-onion-sites/issues)
|
||||
is the fastest and most effective way to submit a suggestion; if you
|
||||
lack a Github account, try messaging `@alecmuffett` on Twitter.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user