2021-09-26 12:34:16 +00:00
.gitignore commit: last update of ct-log.txt. 2021-06-01 20:38:34 +00:00
01-preamble.md auto-update on Tue Jun 1 21:23:30 UTC 2021 2021-06-01 21:23:30 +00:00
02-footnotes.md auto-update on Tue Jun 1 21:23:30 UTC 2021 2021-06-01 21:23:30 +00:00
ct-log.md auto-update on Thu Sep 23 14:04:48 UTC 2021 2021-09-23 14:04:48 +00:00
ct-log.txt auto-update on Tue Jun 1 21:23:30 UTC 2021 2021-06-01 21:23:30 +00:00
get-ct-log.sh auto-update on Wed Jul 21 23:51:50 UTC 2021 2021-07-21 23:51:50 +00:00
get-fresh-csv.sh move v2 to legacy 2021-06-01 09:43:02 +00:00
get-securedrop-csv.py auto-update on Tue Jun 1 22:26:38 UTC 2021 2021-06-01 22:26:38 +00:00
Makefile auto-update on Tue 4 Feb 07:25:54 UTC 2020 2020-02-04 07:25:55 +00:00
manual-check.sh auto-update on Sat Nov 21 09:27:49 UTC 2020 2020-11-21 09:27:49 +00:00
master.csv auto-update on Thu Jul 22 10:26:56 UTC 2021 2021-07-22 10:26:56 +00:00
onion-ctlog.py auto-update on Thu Jul 22 14:15:48 UTC 2021 2021-07-22 14:15:48 +00:00
README.md auto-update on Sun Sep 26 12:34:16 UTC 2021 2021-09-26 12:34:16 +00:00
rwos-db.py auto-update on Fri Jun 25 05:41:55 UTC 2021 2021-06-25 05:41:56 +00:00
securedrop-api.csv auto-update on Tue Aug 3 19:24:33 UTC 2021 2021-08-03 19:24:33 +00:00
wrapper.sh auto-update on Thu Jun 24 16:28:31 UTC 2021 2021-06-24 16:28:31 +00:00

Real-World Onion Sites (v3-addresses only)

This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.

  • no sites with an "onion-only" presence
  • no sites for tech with less than (arbitrary) 10,000 users
  • no nudity, exploitation, drugs, copyright infringement or sketchy-content sites
  • the editor reserves all rights to annotate or drop any or all entries as deemed fit
  • licensed: cc-by-sa
  • author/editor: alec muffett

You can find technical details and the legend/key for symbols in the footnotes section, below.


Index


Blogs

Alexander Færøy 🔐

Ctrl blog 🔧

Dropsafe 🔐

Kushal Das 🔐

Ming Di Leom 🔐

Nick Frichette 🔐

treacherous.tech 🔐


Civil Society And Community

Privacy International 🔐

Riseup Home 🔧

Riseup Onion Index 🔧

provides shared notepad, file sharing, code hosting, and other services

Systemli Home 🔧

Systemli Onion Index 🔧

provides shared notepad, spreadsheet, pastebin, and other services


Companies And Services

Impffrei.work 🔐

job agency

decoded:Legal 🔧

english law firm


Education


Government

US Central Intelligence Agency 🔧


News And Media

Deutsche Welle 🔐

also, see language index in titlebar

Deutsche Welle Arabic 🔐

Deutsche Welle Chinese 🔐

Deutsche Welle Persian 🔐

Deutsche Welle Russian 🔐

Deutsche Welle Turkish 🔐

ProPublica 🔐

Radio Free Europe 🔐

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

The Intercept 🔐


Tech And Software

Ablative Hosting 🔐

DEF CON Groups 🔧

DEF CON Home 🔧

DEF CON Media 🔧

Hardened BSD Onion Index 🔧

Impreza Hosting 🔐

OnionShare 🔧

Qubes OS 🔧

Tor Project Home 🔧

Tor Project Onion Index 🔧

everything tor

Whonix Forums 🔧

Whonix Home 🔧

keybase.io 🔧


Web And Internet

Cloudflare Public DNS 1.1.1.1 🔐

DuckDuckGo 🔐

Facebook 🔐

Facebook Mobile 🔐

HARICA Certificate Authority 🔐

Protonmail 🔐


Globaleaks


Securedrop

2600: The Hacker Quarterly 🔧

via: https://securedrop.org/api/v1/directory/

ABC 🔧

via: https://securedrop.org/api/v1/directory/

Aftenposten AS 🔧

via: https://securedrop.org/api/v1/directory/

Aftonbladet 🔧

via: https://securedrop.org/api/v1/directory/

Al Jazeera Media Network 🔧

via: https://securedrop.org/api/v1/directory/

Apache 🔧

via: https://securedrop.org/api/v1/directory/

Bloomberg News 🔧

via: https://securedrop.org/api/v1/directory/

CBC 🔧

via: https://securedrop.org/api/v1/directory/

Dagbladet 🔧

via: https://securedrop.org/api/v1/directory/

Forbes 🔧

via: https://securedrop.org/api/v1/directory/

Forbidden Stories 🔧

via: https://securedrop.org/api/v1/directory/

HuffPost 🔧

via: https://securedrop.org/api/v1/directory/

Institute for Quantitative Social Science at Harvard University 🔧

via: https://securedrop.org/api/v1/directory/

Investigace.cz 🔧

via: https://securedrop.org/api/v1/directory/

NRK 🔧

via: https://securedrop.org/api/v1/directory/

New York Times 🔧

via: https://securedrop.org/api/v1/directory/

ProPublica 🔧

via: https://securedrop.org/api/v1/directory/

Public Intelligence 🔧

via: https://securedrop.org/api/v1/directory/

San Francisco Chronicle 🔧

via: https://securedrop.org/api/v1/directory/

Stefania Maurizi 🔧

via: https://securedrop.org/api/v1/directory/

Süddeutsche Zeitung 🔧

via: https://securedrop.org/api/v1/directory/

TV2 Denmark 🔧

via: https://securedrop.org/api/v1/directory/

TechCrunch 🔧

via: https://securedrop.org/api/v1/directory/

The Center for Public Integrity 🔧

via: https://securedrop.org/api/v1/directory/

The Globe and Mail 🔧

via: https://securedrop.org/api/v1/directory/

The Guardian 🔧

via: https://securedrop.org/api/v1/directory/

The Intercept 🔧

via: https://securedrop.org/api/v1/directory/

The Washington Post 🔧

via: https://securedrop.org/api/v1/directory/

Toronto Star 🔧

via: https://securedrop.org/api/v1/directory/

VICE Media 🔧

via: https://securedrop.org/api/v1/directory/

Whistleblower Aid 🔧

via: https://securedrop.org/api/v1/directory/

iROZHLAS 🔧

via: https://securedrop.org/api/v1/directory/


Securedrop For Individuals


Securedrop For Organisations


Legacy Sites

These sites have "legacy" v2 onion addresses.

2600: The Hacker Quarterly 🔧

ALAT / Allerta AntiCorruzione 🔧

italian whistleblowing

Adresseavisen 🔧

Afrileaks 🔧

Aftenposten 🔧

Aftonbladet 🔐

Al-Jazeera 🔧

Apache 🔧

Archive Today (archive.is) 🔧

Associated Press 🔧

Atlatszo MagyarLeaks 🔧

hungarian leaks

BBC Learning English 🔧

includes resources for many languages

BBC Learning English: Mandarin 🔧

BBC News 🔐

BBC News Arabic | عربى 🔐

BBC News Chinese | 中文 🔐

BBC News Persian | فارسی 🔐

BBC News Pidgin 🔐

BBC News Russian | Русская 🔐

BBC News Turkish | Türkçe 🔐

BBC News Vietnamese | Tiếng Việt 🔐

BBC News | In Your Language 🔐

language index

Barton Gellman 🔧

Bergens Tidende 🔧

Bezkorupce.cz 🔧

czech anticorruption reporting site

Bloomberg News 🔧

Brave (Web Browser) 🔐

Business Insider 🔧

BuzzFeed 🔧

BuzzFeed News 🔐

Coworker.org 🔧

Dagbladet 🔧

Debian Home 🔧

Debian Onion Index 🔧

everything debian

ExpressVPN 🔧

Fairfax Media Group (SMH et al.) 🔧

Financial Times 🔧

Forbes 🔧

Forbidden Stories 🔧

Gizmodo Media Group 🔧

Global Witness 🔧

Greenpeace New Zealand 🔧

Guardian 🔧

Heise Investigativ 🔧

Houston Chronicle 🔧

HuffPost 🔧

ICIJ / International Consortium of Investigative Journalists 🔧

IRPILeaks 🔧

italian investigative reporting project

Institute for Quantitative Social Science at Harvard University 🔧

Jean-Marc Manach 🔧

KUOW Public Radio 🔧

Lucy Parsons Labs 🔧

Mail2Tor 🔧

Mailpile 🔧

McClatchy DC 🔧

Meduza 🔧

Mexico Leaks 🔧

MormonLeaks / FaithLeaks 🔧

NBCNews 🔧

NPR 🔧

NRK 🔧

New York Times 🔐

POGO 🔧

project on government oversight

Pistaljka.rs Whistleblowing 🔧

Politico 🔧

Public Intelligence 🔧

RISE Moldova 🔧

Radio Free Asia: Cantonese 🔐

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

Radio Free Asia: English 🔐

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

Radio Free Asia: Mandarin 🔐

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

Radio-Canada 🔧

Reflets.info 🔧

Reporters Without Borders Helpdesk 🔐

Reuters 🔧

San Francisco Chronicle 🔧

Slate 🔧

Svenska Dagbladet 🔧

Süddeutsche Zeitung 🔧

The Atlantic 🔧

The Daily Beast 🔧

The Globe and Mail (Toronto) 🔧

The Intercept 🔧

The New York Times 🔐

The Telegraph 🔧

The Verge; Racked; Eater 🔧

The Washington Post 🔐

USA Today 🔐

VG / Verdens Gang 🔧

VICE Media 🔧

Wall Street Journal 🔧

Whistleblower Aid 🔧

Wildleaks 🔧

elephant action league

Wired 🔧

XNet Activism 🔧

anticorruption whistleblowing

disclose.ngo 🔧

taz 🔧

Žvižgač 🔧

slovenian whistleblower organisation


Flaky Sites

These sites have apparently stopped responding.

Field of Vision 🔧

Internet Archive (archive.org) 🔐

Toronto Crime Stoppers 🔧


Footnotes

  • This file (README.md) is auto-generated
    • Do NOT submit changes NOR pull-requests for it
    • Please submit an Issue for consideration / change requests
  • If both v2 and v3 addresses are provided for a service, the v3 address will be preferred / cited
  • At the moment, where an organisation runs 2+ onion addresses for closely related services that do not reflect distinct languages / national interests, I am posting a link to an index of their onions. Examples: Riseup, Systemli, TorProject, ...
  • The master list of Onion SSL EV Certificates may be viewed at https://crt.sh/?q=.onion

RWOS Status Detector

  • site up
  • ✳️ site up, and redirected to another page
  • 🚫 site up, but could not access the page
  • 🛑 site up, but reported a system error
  • 🆘 site returned no data, or is down, or curl experienced a transient network error (may be a problem with the RWOS server connection)
  • 🆕 site is newly added, no data yet

You can also see the history of updates.

Codes & Exit Statuses

Mouse-over the icons for details of HTTP codes, curl exit statuses, and the number of attempts made on each site.

TLS Security

Due to the fundamental protocol differences between HTTP and HTTPS, it is not wise to consider HTTP-over-Onion to be "as secure as HTTPS"; web browsers do and must treat HTTPS requests in ways that are fundamentally different to HTTP, e.g.:

  • with respect to cookie handling, or
  • where the trusted connection terminates, or
  • how to deal with loading embedded insecure content, or
  • whether to permit access to camera and microphone devices (WebRTC)

...and the necessity of broad adherence to web standards would make it harmful to attempt to optimise just one browser (e.g. Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. Doubtless some browsers will attempt to implement "better-than-default trust and security via HTTP over onions", but this behaviour will not be standard, cannot be relied upon by clients/users, and will therefore be risky.

tl;dr - HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.

  • 🔧 semi-secure HTTP Onion site, protected by Onion circuits at best; will not respect browser secure/HTTPS behaviour
  • 🔐 secure HTTPS Onion site, protected by both Onion circuits and TLS, will respect browser secure/HTTPS behaviour

Feedback

The issues page is the fastest and most effective way to submit a suggestion; if you lack a GitHub account, try messaging @alecmuffett on Twitter.

