This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.
Go to file
2022-03-03 14:04:24 +00:00
.gitignore commit: last update of ct-log.txt. 2021-06-01 20:38:34 +00:00
01-preamble.md auto-update on Wed Mar 2 22:41:08 UTC 2022 2022-03-02 22:41:08 +00:00
02-footnotes.md auto-update on Sun Nov 21 23:44:00 UTC 2021 2021-11-21 23:44:00 +00:00
ct-log.md auto-update on Sat Feb 26 09:08:56 UTC 2022 2022-02-26 09:08:57 +00:00
ct-log.txt auto-update on Tue Jun 1 21:23:30 UTC 2021 2021-06-01 21:23:30 +00:00
get-ct-log.sh auto-update on Wed Jul 21 23:51:50 UTC 2021 2021-07-21 23:51:50 +00:00
get-fresh-csv.sh move v2 to legacy 2021-06-01 09:43:02 +00:00
get-securedrop-csv.py auto-update on Sun Nov 21 23:35:28 UTC 2021 2021-11-21 23:35:28 +00:00
Makefile auto-update on Tue 4 Feb 07:25:54 UTC 2020 2020-02-04 07:25:55 +00:00
manual-check.sh auto-update on Sat Nov 21 09:27:49 UTC 2020 2020-11-21 09:27:49 +00:00
master.csv auto-update on Wed Mar 2 22:41:08 UTC 2022 2022-03-02 22:41:08 +00:00
onion-ctlog.py auto-update on Mon Nov 22 03:48:15 UTC 2021 2021-11-22 03:48:15 +00:00
README.md auto-update on Thu Mar 3 14:04:24 UTC 2022 2022-03-03 14:04:24 +00:00
rwos-db.py auto-update on Sun Nov 21 23:44:00 UTC 2021 2021-11-21 23:44:00 +00:00
securedrop-api.csv auto-update on Wed Feb 16 22:34:30 UTC 2022 2022-02-16 22:34:30 +00:00
wrapper.sh auto-update on Thu Jun 24 16:28:31 UTC 2021 2021-06-24 16:28:31 +00:00

Real-World Onion Sites

This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.

  • no sites with an "onion-only" presence
  • no sites for products/technology with less than (arbitrary) 10,000 users
  • no nudity, exploitation, drugs, copyright infringement or sketchy-content sites
  • the editor reserves all rights to annotate or drop any or all entries as deemed fit
  • licensed: cc-by-sa
  • author/editor: alec muffett

You can find techical details and the legend/key for symbols in the footnotes section, below.


Index


Blogs

Alexander Færøy 🔐 HTTPS

Ctrl blog 🔺 HTTP

Dropsafe 🔐 HTTPS

Kushal Das 🔐 HTTPS

Michael Altfield 🔺 HTTP

Ming Di Leom 🔐 HTTPS

Nick Frichette 🔐 HTTPS


Civil Society And Community

Privacy International 🔐 HTTPS

Riseup Home 🔺 HTTP

Riseup Onion Index 🔺 HTTP

provides shared notepad, file sharing, code hosting, and other services

Systemli Home 🔺 HTTP

Systemli Onion Index 🔺 HTTP

provides shared notepad, spreadsheet, pastebin, and other services


Companies And Services

decoded:Legal 🔺 HTTP

english law firm


Education

BBC Learning English 🔐 HTTPS

includes resources for many languages

BBC Learning English: Mandarin 🔐 HTTPS


Government

US Central Intelligence Agency 🔺 HTTP


News And Media

BBC News 🔐 HTTPS

BBC News Arabic | عربى 🔐 HTTPS

BBC News Chinese | 中文 🔐 HTTPS

BBC News Persian | فارسی 🔐 HTTPS

BBC News Pidgin 🔐 HTTPS

BBC News Russian | Русская 🔐 HTTPS

BBC News Turkish | Türkçe 🔐 HTTPS

BBC News Vietnamese | Tiếng Việt 🔐 HTTPS

BBC News | In Your Language 🔐 HTTPS

language index

Deutsche Welle 🔐 HTTPS

also, see language index in titlebar

Deutsche Welle Arabic 🔐 HTTPS

Deutsche Welle Chinese 🔐 HTTPS

Deutsche Welle Persian 🔐 HTTPS

Deutsche Welle Russian 🔐 HTTPS

Deutsche Welle Turkish 🔐 HTTPS

ProPublica 🔐 HTTPS

Radio Free Europe 🔐 HTTPS

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

The Intercept 🔐 HTTPS

The New York Times 🔐 HTTPS


Tech And Software

Ablative Hosting 🔐 HTTPS

DEF CON Groups 🔺 HTTP

DEF CON Home 🔺 HTTP

DEF CON Media 🔺 HTTP

Debian Onion Index 🔺 HTTP

Hardened BSD Onion Index 🔺 HTTP

Impreza Hosting 🔐 HTTPS

OnionShare 🔺 HTTP

Qubes OS 🔺 HTTP

Tor Project Home 🔺 HTTP

Tor Project Onion Index 🔺 HTTP

everything tor

Whonix Forums 🔺 HTTP

Whonix Home 🔺 HTTP

keybase.io 🔺 HTTP


Web And Internet

Archive Today 🔺 HTTP

Cloudflare Public DNS 1.1.1.1 🔐 HTTPS

DuckDuckGo 🔐 HTTPS

Facebook 🔐 HTTPS

Facebook Mobile 🔐 HTTPS

HARICA Certificate Authority 🔐 HTTPS

Protonmail 🔐 HTTPS


Securedrop

2600: The Hacker Quarterly 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

ABC 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Aftenposten AS 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Aftonbladet 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Al Jazeera Media Network 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Apache 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Bloomberg Law 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Bloomberg News 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

CBC 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Dagbladet 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Financial Times 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Forbidden Stories 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

HuffPost 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Institute for Quantitative Social Science at Harvard University 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Investigace.cz 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Lessig.law LLC 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

NRK 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

New York Times 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

ProPublica 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Public Intelligence 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Stefania Maurizi 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Süddeutsche Zeitung 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

TV2 Denmark 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

TechCrunch 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Center for Public Integrity 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Globe and Mail 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Guardian 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Intercept 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Markup 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

The Washington Post 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Thomson Reuters 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Toronto Star 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

VICE Media 🔺 HTTP

via: https://securedrop.org/api/v1/directory/

Whistleblower Aid 🔺 HTTP

via: https://securedrop.org/api/v1/directory/


Flaky Sites

These sites have apparently stopped responding.

Impffrei.work 🔐 HTTPS

job agency

Internet Archive (archive.org) 🔐 HTTPS

The New York Times: Chinese 🔐 HTTPS

treacherous.tech 🔐 HTTPS


Footnotes

  • This file (README.md) is auto-generated
    • Do NOT submit changes NOR pull-requests for it
    • Please submit an Issue for consideration / change requests
  • If both v2 and v3 addresses are provided for a service, the v3 address will be preferred / cited
  • At the moment where an organisation runs 2+ onion addresses for closely related services that do not reflect distinct languages / national interests, I am posting a link to an index of their onions. Examples: Riseup, Systemli, TorProject, ...
  • The master list of Onion SSL EV Certificates may be viewed at https://crt.sh/?q=.onion

RWOS Status Detector

  • site up
  • ✳️ site up, and redirected to another page
  • 🚫 site up, but could not access the page
  • 🛑 site up, but reported a system error
  • 🆘 site returned no data, or is down, or curl experienced a transient network error (may be a problem with the RWOS server connection)
  • 🆕 site is newly added, no data yet

You can also see the history of updates.

Codes & Exit Statuses

Mouse-over the icons for details of HTTP codes, curl exit statuses, and the number of attempts made on each site.

TLS Security

Due to the fundamental protocol differences between HTTP and HTTPS, it is not wise to consider HTTP-over-Onion to be "as secure as HTTPS"; web browsers do and must treat HTTPS requests in ways that are fundamentally different to HTTP, e.g.:

  • with respect to cookie handling, or
  • where the trusted connection terminates, or
  • how to deal with loading embedded insecure content, or
  • whether to permit access to camera and microphone devices (WebRTC)

...and the necessity of broad adherence to web standards would make it harmful to attempt to optimise just one browser (e.g. Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. Doubtless some browsers will attempt to implement "better-than-default trust and security via HTTP over onions", but this behaviour will not be standard, cannot be relied upon by clients/users, and will therefore be risky.

tl;dr - HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.

Feedback

The issues page is the fastest and most effective way to submit a suggestion; if you lack a Github account, try messaging @alecmuffett on Twitter.


Back to Top