I set up a .onion hidden service site for our business years ago.

Originally, it was a v2 onion - the older, defunct, but shorter, domains - and now it is a v3 domain, dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.

Catchy.

If you use Tor Browser, and you visit decoded.legal, you should get redirected automatically.

Browsers and sites without https

Normally, if you visit a site without http, in a modern browser, you get a warning:

I’m not a huge fan of the padlock, but a warning that the connection is unencrypted is sensible.

.onion and https

With .onion / hidden services, it is slightly different. You can have https on a .onion site, but, because of the encryption within the .onion system itself, it is not essential.

I have not looked into it recently, but getting a TLS certificate for a .onion domain used to be tricky - there were not many vendors willing to offer a certificate for .onion sites - and relatively expensive.

So, for now, our .onion service does not use TLS. It is just http://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion

Update: wow, it has got a lot easier and cheaper! £30ish / year. I’m going to give it a try.

Tor Browser without https

If you visit the site in Tor Browser, it shows that it is a .onion site:

I like this. It is not the same as a site with TLS, or without TLS, and clearly shows it is an onion site.

Brave’s Tor mode without https

If you visit the site in Brave’s Tor mode, it does not show that it is a .onion site. Instead, it shows the normal “insecure” warning:

I can understand why Brave shows this, because that is what it shows for any site which does not use https.

But saying “not secure” feels a bit misleading in the context of a .onion site, which does offer an encrypted connection.

Brave was very responsive when I suggested changes before, so perhaps I should put in a feature request / bug report (not sure which).

Or perhaps I should just get a TLS cert for it.