Brave, Tor, and http-only .onion sites

I set up a .onion hidden service site for our business years ago.

Originally, it was a v2 onion - the older, defunct, but shorter, domains - and now it is a v3 domain, dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion.


If you use Tor Browser, and you visit, you should get redirected automatically.

Browsers and sites without https

Normally, if you visit a site without http, in a modern browser, you get a warning:

Firefox accessing a site without TLS, showing a padlock with a red line through it

I’m not a huge fan of the padlock, but a warning that the connection is unencrypted is sensible.

.onion and https

With .onion / hidden services, it is slightly different. You can have https on a .onion site, but, because of the encryption within the .onion system itself, it is not essential.

I have not looked into it recently, but getting a TLS certificate for a .onion domain used to be tricky - there were not many vendors willing to offer a certificate for .onion sites - and relatively expensive.

So, for now, our .onion service does not use TLS. It is just http://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion

Update: wow, it has got a lot easier and cheaper! £30ish / year. I’m going to give it a try.

Tor Browser without https

If you visit the site in Tor Browser, it shows that it is a .onion site:

Tor Browser showing a .onion service, with an onion icon next to the URL

I like this. It is not the same as a site with TLS, or without TLS, and clearly shows it is an onion site.

Brave’s Tor mode without https

If you visit the site in Brave’s Tor mode, it does not show that it is a .onion site. Instead, it shows the normal “insecure” warning:

Brave browser in Tor mode, showing a .onion service as “not secure”

I can understand why Brave shows this, because that is what it shows for any site which does not use https.

But saying “not secure” feels a bit misleading in the context of a .onion site, which does offer an encrypted connection.

Brave was very responsive when I suggested changes before, so perhaps I should put in a feature request / bug report (not sure which).

Or perhaps I should just get a TLS cert for it.