This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.
Go to file
2024-03-30 21:16:58 +00:00
.gitignore auto-update on Sat Mar 5 09:36:42 UTC 2022 2022-03-05 09:36:42 +00:00
01-preamble.md auto-update on Wed Jun 7 21:23:35 UTC 2023 2023-06-07 21:23:35 +00:00
02-footnotes.md auto-update on Wed Apr 13 11:25:39 UTC 2022 2022-04-13 11:25:39 +00:00
ct-log.md auto-update on Thu Mar 28 14:26:20 UTC 2024 2024-03-28 14:26:20 +00:00
ct-log.txt auto-update on Tue Jun 1 21:23:30 UTC 2021 2021-06-01 21:23:30 +00:00
dump-site.sh auto-update on Sun Apr 10 10:40:30 UTC 2022 2022-04-10 10:40:30 +00:00
get-ct-log.sh auto-update on Thu Nov 2 23:29:07 UTC 2023 2023-11-02 23:29:07 +00:00
get-fresh-csv.sh move v2 to legacy 2021-06-01 09:43:02 +00:00
get-securedrop-csv.py auto-update on Sat Mar 5 23:12:50 UTC 2022 2022-03-05 23:12:50 +00:00
Makefile auto-update on Tue 4 Feb 07:25:54 UTC 2020 2020-02-04 07:25:55 +00:00
manual-check.sh auto-update on Sat Nov 21 09:27:49 UTC 2020 2020-11-21 09:27:49 +00:00
master.csv auto-update on Sat Jan 6 21:16:50 UTC 2024 2024-01-06 21:16:50 +00:00
onion-ctlog.py auto-update on Sat Mar 5 09:36:42 UTC 2022 2022-03-05 09:36:42 +00:00
README.md auto-update on Sat Mar 30 21:16:58 UTC 2024 2024-03-30 21:16:58 +00:00
rwos-db.py auto-update on Wed Apr 13 11:25:39 UTC 2022 2022-04-13 11:25:39 +00:00
securedrop-api.csv auto-update on Sat Mar 2 09:15:50 UTC 2024 2024-03-02 09:15:50 +00:00
wrapper.sh commit: service got stale, cleaning up. 2023-04-24 15:39:20 +00:00

Real-World Onion Sites

Note: database fully reset, 7 june 2023; expect occasional outages and tweaks as it is brought up to date.

This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.

  • no sites with an "onion-only" presence
  • no sites for products/technology with less than (arbitrary) 10,000 users
  • no nudity, exploitation, drugs, copyright infringement or sketchy-content sites
  • the editor reserves all rights to annotate or drop any or all entries as deemed fit
  • licensed: cc-by-sa
  • author/editor: alec muffett

Legend/Key for Symbols

You can find techical details and the legend/key for symbols in the footnotes section, below.

Regarding Updates and Suggestions

  • This file (README.md) is auto-generated from a spreadsheet
  • Please submit an Issue for consideration / desired change requests
  • Do NOT submit changes NOR pull-requests for it
  • Re: SecureDrop - all SecureDrop entries are taken automatically from https://securedrop.org/api/v1/directory/ and must be amended on that site, not this one.

Index


Blogs

Alexander Færøy

Ctrl blog

Dropsafe | Alec Muffett

Kushal Das

Michael Altfield

Ming Di Leom

Nick Frichette

Shen's Essays

⬆️ return to top index


Civil Society and Community

Privacy International

Riseup Home

Riseup Onion Index

provides shared notepad, file sharing, code hosting, and other services

Systemli Home

Systemli Onion Index

provides shared notepad, spreadsheet, pastebin, and other services

WikiFesad

decoded.legal

*english law firm; see also https://neilzone.co.uk/2022/03/upgrading-my-onion-site-to-https *

⬆️ return to top index


Education

BBC Learning English

includes resources for many languages

BBC Learning English: Mandarin

⬆️ return to top index


Government

US Central Intelligence Agency

⬆️ return to top index


News

BBC

Bellingcat

Bellingcat | es

Bellingcat | fr

Bellingcat | ru

Bellingcat | ua

Deutsche Welle

see language index in titlebar

ProPublica

Radio Free Europe | RFERL

https://www.rfa.org/about/releases/mirror_websites-04172020105949.html

The Guardian

The Intercept

The New York Times

Voice of America | VOA

Yahoo News

⬆️ return to top index


News BBC World Service

BBC News /afaanoromoo | Afaan Oromoo

BBC News /afrique | Afrique

BBC News /amharic | አማርኛ

BBC News /arabic | عربي

BBC News /azeri | Azərbaycanca

BBC News /bengali | বাংলা

BBC News /burmese | မြန်မာ

BBC News /gahuza | Gahuza

BBC News /gujarati | ગુજરાતી

BBC News /hausa | Hausa

BBC News /hindi | हिंदी

BBC News /igbo | Ìgbò

BBC News /indonesia | Indonesia

BBC News /korean | 코리아

BBC News /kyrgyz | Кыргыз КызMATы

BBC News /marathi | मराठी

BBC News /mundo | Mundo

BBC News /nepali | नेपाली

BBC News /pashto | پښتو

BBC News /persian | فارسی

BBC News /pidgin | Pidgin

BBC News /portuguese | Brasil

BBC News /punjabi | ਪੰਜਾਬੀ

BBC News /russian | Русская служба

BBC News /serbian/cyr | на српском

BBC News /serbian/lat | na srpskom

BBC News /sinhala | සිංහල

BBC News /somali | Somali

BBC News /swahili | Swahili

BBC News /tamil | தமிழ்

BBC News /telugu | తెలుగు

BBC News /thai | ไทย

BBC News /tigrinya | ትግርኛ

BBC News /turkce | Türkçe

BBC News /ukrainian | Україна

BBC News /urdu | اردو

BBC News /uzbek | O'zbek

BBC News /vietnamese | Tiếng Việt

BBC News /yoruba | Yorùbá

BBC News /zhongwen/simp | 中文

BBC News /zhongwen/trad | 中文

BBC News | In Your Language

language index

⬆️ return to top index


News Deutsche Welle World

Deutsche Welle Albanian | Shqip

Deutsche Welle Amharic | አማርኛ

Deutsche Welle Arabic | العربية

Deutsche Welle Bengali | বাংলা

Deutsche Welle Bosnian | B/H/S

Deutsche Welle Bulgarian | Български

Deutsche Welle Chinese (Simplified) | 简

Deutsche Welle Chinese (Traditional) | 繁

Deutsche Welle Croatian | Hrvatski

Deutsche Welle Dari | دری

Deutsche Welle English | English

Deutsche Welle French | Français

Deutsche Welle German | Deutsch

Deutsche Welle Greek | Ελληνικά

Deutsche Welle Hausa | Hausa

Deutsche Welle Hindi | हिन्दी

Deutsche Welle Indonesian | Indonesia

Deutsche Welle Kiswahili | Kiswahili

Deutsche Welle Macedonian | Македонски

Deutsche Welle Pashto | پښتو

Deutsche Welle Persian | فارسی

Deutsche Welle Polish | Polski

Deutsche Welle Portuguese | Português do Brasil

Deutsche Welle Portuguese | Português para África

cannot find top-page redirect

Deutsche Welle Romanian | Română

Deutsche Welle Russian | Русский

Deutsche Welle Serbian | Српски/Srpski

Deutsche Welle Spanish | Español

Deutsche Welle Turkish | Türkçe

Deutsche Welle Ukrainian | Українська

Deutsche Welle Urdu | اردو

⬆️ return to top index


News RFERL & VOA

RFERL azatliq | Азатлык хәбәрләре

RFERL currenttime.tv | Настоящее Время

RFERL europalibera md | Europa Liberă

RFERL europalibera ro | Europa Liberă

RFERL farda | رادیو فردا

RFERL idelreal | Idel Реалии

RFERL kavkazr | Кавказ Реалии

RFERL krymr ktat | Qırım Aqiqat

RFERL krymr ru | Крым Реалии

RFERL krymr ua | Крим Реалії

RFERL radiomarsho | Маршо Радион

RFERL severreal | Сибирь Реалии

RFERL sibreal | Сибирь Реалии

RFERL svaboda | Радыё Свабода

VOA russian | Голоса Америки

VOA turkish | Amerika'nın Sesi

⬆️ return to top index


Search Engines

Brave Search

works fine, but seems to block curl / upness-tester; ignore status codes below

DuckDuckGo Search

⬆️ return to top index


Social Networks

Facebook

Facebook Mobile

Reddit

Twitter

⬆️ return to top index


Tech and Software

Ablative Hosting

DEF CON Groups

DEF CON Home

DEF CON Media

Debian Onion Index

Hardened BSD Onion Index

Impreza Hosting

OnionShare

Qubes OS

Tor Project Home

Tor Project Onion Index

everything tor-related

Whonix Forums

Whonix Home

keybase.io

⬆️ return to top index


Web and Internet

Archive Today

Cloudflare Public DNS 1.1.1.1

HARICA Certificate Authority

Protonmail

⬆️ return to top index


SecureDrop

2600: The Hacker Quarterly

via: https://securedrop.org/api/v1/directory/

Aftenposten AS

via: https://securedrop.org/api/v1/directory/

Aftonbladet

via: https://securedrop.org/api/v1/directory/

Al Jazeera Media Network

via: https://securedrop.org/api/v1/directory/

Apache

via: https://securedrop.org/api/v1/directory/

Bloomberg Industry Group

via: https://securedrop.org/api/v1/directory/

Bloomberg News

via: https://securedrop.org/api/v1/directory/

CBC

via: https://securedrop.org/api/v1/directory/

CNN

via: https://securedrop.org/api/v1/directory/

DR - Danish Broadcasting Corporation

via: https://securedrop.org/api/v1/directory/

Dagbladet

via: https://securedrop.org/api/v1/directory/

Der Spiegel

via: https://securedrop.org/api/v1/directory/

Disclose

via: https://securedrop.org/api/v1/directory/

Financial Times

via: https://securedrop.org/api/v1/directory/

Forbes

via: https://securedrop.org/api/v1/directory/

Forbidden Stories

via: https://securedrop.org/api/v1/directory/

Institute for Quantitative Social Science at Harvard University

via: https://securedrop.org/api/v1/directory/

NOYB

via: https://securedrop.org/api/v1/directory/

NRK

via: https://securedrop.org/api/v1/directory/

New York Times

via: https://securedrop.org/api/v1/directory/

POLITICO

via: https://securedrop.org/api/v1/directory/

Public Intelligence

via: https://securedrop.org/api/v1/directory/

Stefania Maurizi

via: https://securedrop.org/api/v1/directory/

Süddeutsche Zeitung

via: https://securedrop.org/api/v1/directory/

TV2 Denmark

via: https://securedrop.org/api/v1/directory/

Taz

via: https://securedrop.org/api/v1/directory/

TechCrunch

via: https://securedrop.org/api/v1/directory/

The Globe and Mail

via: https://securedrop.org/api/v1/directory/

The Guardian

via: https://securedrop.org/api/v1/directory/

The Intercept

via: https://securedrop.org/api/v1/directory/

The Washington Post

via: https://securedrop.org/api/v1/directory/

Toronto Star

via: https://securedrop.org/api/v1/directory/

Whistleblower Aid

via: https://securedrop.org/api/v1/directory/

⬆️ return to top index


Flaky Sites

These sites have apparently stopped responding.

The New York Times: Chinese

treacherous.tech

⬆️ return to top index


Footnotes

  • At the moment where an organisation runs 2+ onion addresses for closely related services that do not reflect distinct languages / national interests, I am posting a link to an index of their onions. Examples: Riseup, Systemli, TorProject, ...
  • The master list of Onion SSL EV Certificates may be viewed at https://crt.sh/?q=.onion

RWOS Status Detector

  • site up
  • ✳️ site up, and redirected to another page
  • 🚫 site up, but could not access the page
  • 🛑 site up, but reported a system error
  • 🆘 site returned no data, or is down, or curl experienced a transient or permanent network error; may also reflect a problem with the RWOS server connection
  • same as 🆘 but curl specifically mentioned inability to fetch an onion descriptor
  • same as 🆘 but curl specifically mentioned inability to connect to the server
  • same as 🆘 but curl specifically mentioned connection timeout as an issue
  • ⏲️ same as 🆘 but curl specifically mentioned ttl expiry as an issue
  • 🔑 same as 🆘 but curl specifically mentioned SSL certificates as an issue
  • 🆕 site is newly added, no data yet

You can also see the history of updates.

Codes & Exit Statuses

Mouse-over the icons for details of HTTP codes, curl exit statuses, and the number of attempts made on each site.

  • codes are from HTTP and are documented elsewhere; RWOS-internal ones include:
    • 901 - malformed HTTP response
    • 902 - malformed HTTP response
    • 903 - malformed HTTP response, commonly including (e.g.) invalid HTTPS certificate
    • 904 - HTTP status code parse error
    • 910 - connection timeout
  • exits are from Curl and are documented elsewhere; common ones include:
    • 7 - "curl couldn't connect"
    • 52 - "curl got nothing", received no data from upstream

TLS Security

Due to the fundamental protocol differences between HTTP and HTTPS, it is not wise to consider HTTP-over-Onion to be "as secure as HTTPS"; web browsers do and must treat HTTPS requests in ways that are fundamentally different to HTTP, e.g.:

  • with respect to cookie handling, or
  • where the trusted connection terminates, or
  • how to deal with loading embedded insecure content, or
  • whether to permit access to camera and microphone devices (WebRTC)

...and the necessity of broad adherence to web standards would make it harmful to attempt to optimise just one browser (e.g. Tor Browser) to elevate HTTP-over-Onion to the same levels of trust as HTTPS-over-TCP, let alone HTTPS-over-Onion. Doubtless some browsers will attempt to implement "better-than-default trust and security via HTTP over onions", but this behaviour will not be standard, cannot be relied upon by clients/users, and will therefore be risky.

tl;dr - HTTP-over-Onion should not be considered as secure as HTTPS-over-Onion, and attempting to force it thusly will create a future compatibility mess for the ecosystem of onion-capable browsers.

Feedback

The issues page is the fastest and most effective way to submit a suggestion; if you lack a Github account, try messaging @alecmuffett on Twitter.


Back to Top