> I'm not sure if this is generally considered acceptable within the Tor network

Tor is already encrypted, that’s why you don’t need TLS. Some services (like the hidden service from Facebook back in the day) have HTTPS, but that was more of a vanity from what I remember.

> have https but that was more of a vanity from what I remember

It has a functional difference as well: lots of new client-side features (like WebCrypto) only work on "Secure Origins", which .onion isn't, but websites behind TLS are. So if you wanna deploy, say, something that encrypts/decrypts something client-side on .onion, you unfortunately need TLS today, otherwise the APIs aren't available.

Of course browsers could fix this, but I don't think they have any incentives to do so. I guess Tor Browser could in fact fix this, and maybe they already do, but it'd be a patch on top of Firefox I think, something they probably want to do less of, not more.

My understanding is Tor Browser already treats .onion as a secure origin, could anyone confirm?

That only helps so much, some things still won't work if the browser thinks you're talking over an unencrypted connection, like HTTP/2. Technically HTTP/2 allows unencrypted connections (h2c) but as far as I know, no browser implements it (including Tor Browser) and server support is also somewhat limited, so Tor Browser is limited to HTTP/1.[01] on Onion sites unless they have a TLS certificate.

Yes, it does, but you can use Tor with other browsers too, so it can make sense if you want to support them.

I wouldn't recommend using Tor with anything other than Tor Browser because there are so many browser features that will expose you now. If you don't need the Tor Browser protections, you probably don't need Tor either.

Fair point, but using Tor even if you don't need it, just to put more legit traffic noise in the network, is a valid use case.

Given the actual correlation attacks governments have done on Tor traffic, I don't think more traffic moves the needle in any appreciable way. Ultimately the Tor architecture is very vulnerable to timing and correlation attacks (never use something like IRC over Tor), and the kinds of changes that would be needed to mitigate those would probably slow it down past the point of usability.

One could argue, given the limited bandwidth of the Tor network, that by using it when you don't need it, you make the experience worse for those that do need it (looking at you, everyone who tries to torrent over Tor).

Back when EV certificates were widely supported by browsers, HTTPS was a great way of cryptographically associating a .onion service with a real legal entity, for sites like Facebook which didn't care about being anonymous.

Proton also uses HTTPS for their onion site, and they used the same certificate provider as Facebook did for theirs, DigiCert, per this page:

https://proton.me/blog/tor-encrypted-email

In the above blog post, they seem to imply that they made HTTPS mandatory for Proton Mail over Tor for security reasons.

The best is to refer to official Tor project documentation for .onion over https: https://community.torproject.org/onion-services/advanced/htt...

tl;dr: Pressure from browsers, enterprise, and the overall ecosystem to use HTTPS (e.g., unavailability of advanced web features without HTTPS) is pushing for the use of HTTPS without exception, even for .onion sites with no significant technical advantage.

Tor Browser doesn't warn on HTTP though, and I feel like 90% of folks use it exclusively.

Without HTTPS, can't the last relay snoop the traffic?

edit: oh, is the last relay the onion service? So the entire chain is encrypted?

The key used to encrypt traffic is in the URL; everything, including the path, is encrypted from the client to the onion service end. What you are saying is true for non-onion HTTP sites, not for onions.

Side note: there is a built-in flag mechanism called BadExit for Tor whereby, if a relay or exit is detected to be malicious, it is quickly removed from being used.