mirror of
https://github.com/alecmuffett/real-world-onion-sites.git
synced 2024-10-01 01:06:18 -04:00
3.1 KiB
3.1 KiB
Real-World Onion Sites
This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.
- no sites with an "onion-only" presence
- no sites for tech with less than (arbitrary) 10,000 users
- no nudity, exploitation, drugs, copyright infringement or sketchy-content sites
- the editor reserves all rights to annotate or drop any or all entries as deemed fit
- updated: see the change history for specifics
- licensed: cc-by-sa
- author/editor: alec muffett
Notes
- If both v2 and v3 addresses are provided for a service, the v3 address will be preferred / cited
- The master list of Onion SSL EV Certificates may be viewed at https://crt.sh/?q=%25.onion
- This file (
README.md) is auto-generated; do not submit changes nor pull-requests for it- Please submit an
Issuefor consideration / change requests
- Please submit an
RWOS Status Detector
- ✅ site up
- ✳️ site up, and redirected to another page
- 🚫 site up, but could not access the page
- 🛑 site up, but reported a system error
- 🆘 site returned no data, or is down, or curl experienced a transient network error
- 🆕 site is newly added, no data yet
You can also see the history of updates.
Codes & Exit Statuses
Mouse-over the icons for details of HTTP codes, curl exit statuses, and the number of attempts made on each site.
- codes are from HTTP and are documented elsewhere; RWOS-internal ones include:
901,902,903- malformed HTTP response904- HTTP status code parse error910- connection timeout
- exits are from Curl and are documented elsewhere; common ones include:
7- "curl couldn't connect"52- "curl got nothing", received no data from upstream
TLS Security
- 🔧 semi-secure HTTP Onion site, protected by Onion circuits at best; will not respect browser secure/HTTPS behaviour
- 🔐 secure HTTPS Onion site, protected by both Onion circuits and TLS, will respect browser secure/HTTPS behaviour
- Due to the fundamental protocol differences between
HTTPandHTTPS, it is not wise to consider HTTP-over-Onion to be "as secure as HTTPS"; web browsers do and must treat HTTPS in ways that are fundamentally more secure than HTTP - e.g.: with respect to cookie handling, where the trusted connection terminates, or in loading insecure content - and the necessity of broad adherence to web standards would make it harmful to attempt to optimise just one browser (Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. - tl;dr - HTTP-over-Onion is not as secure as HTTPS-over-Onion, and attempting to force it to be so will create a compatibility mess for the ecosystem of onion-capable browsers.