
A More Secure and Anonymous ProPublica Using Tor Hidden Services - danso
https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services
======
mike-cardwell
They link to the HTTP version of their Onion address:

[http://www.propub3r6espa33w.onion/](http://www.propub3r6espa33w.onion/)

A bunch of important resources like CSS and images fail to load for me because
their Content-Security-Policy dictates that non-https resources should be
upgraded. However, the certificate isn't trusted, because nobody (other than
Facebook apparently) can get a https certificate for an .onion hostname.

If I change it to https and accept the certificate, it all works fine.

Interestingly, it also works fine when using Tor Browser Bundle. Just not in
plain Firefox or Chromium.

[edit] In the TBB console: "Content Security Policy: Couldn't process unknown
directive 'upgrade-insecure-requests'" - So presumably when TBB is upgraded
to use a newer version of Firefox at some point in future, TBB users will
start to see the same problem.

[edit2] Dropped the guy an email to let him know.

[edit3] Although the website is fetched over a hidden service, they still load
resources from lots of non-hidden services into the page, from the likes of
Facebook, Google, Twitter and so on. They state in the article:

"Our readers should never need to worry that somebody else is watching what
they’re doing on our site. So we made our site available as a Tor hidden
service to give readers a way to browse our site while leaving behind less of
a digital trail."

A _much_ better way to do this than implementing a Tor hidden service would be
to stop handing over visitor data to Google, Facebook, Twitter, Disqus, Reddit
and LinkedIn.
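
The two observations in the comment above, turned into a check (an added example, not part of the original comment and not ProPublica's code): given a page URL, its Content-Security-Policy header and its HTML, it lists the .onion subresources that `upgrade-insecure-requests` rewrites to https and the clear-net hosts the page loads from. The header value, HTML and `.example` hosts are constructed samples, and `audit_onion_page` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data; only the onion hostname comes from the thread.
PAGE_URL = "http://www.propub3r6espa33w.onion/"
SAMPLE_CSP = "default-src 'self' https:; upgrade-insecure-requests"
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<img src="http://www.propub3r6espa33w.onion/img/logo.png">
<script src="https://widgets.social.example/sdk.js"></script>
<script src="//analytics.example/a.js"></script>
"""

class _Subresources(HTMLParser):
    """Collect absolute URLs of resources the browser fetches on page load."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetched here
        value = a.get(self.ATTRS.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.base, value))

def audit_onion_page(page_url, csp_header, html):
    """Hypothetical helper: flag CSP upgrades and clear-net hosts on an onion page."""
    directives = {d.split()[0].lower() for d in csp_header.split(";") if d.strip()}
    upgrade = "upgrade-insecure-requests" in directives
    parser = _Subresources(page_url)
    parser.feed(html)
    clearnet, upgraded = set(), []
    for url in parser.urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host and not host.endswith(".onion"):
            clearnet.add(host)                  # request leaves the hidden service
        elif host and upgrade and parts.scheme == "http":
            upgraded.append("https" + url[4:])  # what the browser requests instead
    return {"upgraded_onion_urls": upgraded, "clearnet_hosts": sorted(clearnet)}

if __name__ == "__main__":
    print(audit_onion_page(PAGE_URL, SAMPLE_CSP, SAMPLE_HTML))
```

A non-empty `upgraded_onion_urls` on an http:// onion page means those requests only succeed if the browser trusts the onion's HTTPS certificate.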

------
ipsin
If you're using tor browser, what's the best way to discover .onion sites, and
(as important, to me), avoid coming across disturbing, unpleasant or illegal
material?

Anyone have curated directories of onion sites they'd like to plug?

~~~
unsignedint
I have been working on something like that -- currently mostly clear web sites
with hidden service alternatives, which makes it very few. (Thus, most
innocuous sites.)

[https://hidekisaito.com/features/hidden_service_directory/](https://hidekisaito.com/features/hidden_service_directory/)
[http://hideki24bd6yof6s.onion/features/hidden_service_direct...](http://hideki24bd6yof6s.onion/features/hidden_service_directory/)

Might expand into some hidden service exclusives, but it's problematic to
monitor those sites closely to make sure they don't change to contain
something bad.

~~~
mike-cardwell
Are these hidden services all provided by the organisations listed, or are
some of them run by third parties? It would be useful to have that information
on the page for each of them individually. It would also be useful to have
links to non-Tor pages where the organisations announce their onion link, so
people can verify.

~~~
unsignedint
They are operated by themselves. I would be reluctant to list ones run by
third parties. And yes, where available I am trying (and am in the middle of)
collecting that information as well.

