First off, sorry if it is not formatted correctly; I read on a “how to submit a bug report”-page that there should automatically be a template to fill in when the editor opens, but there’s not, so I’m probably doing something wrong, but I’ll try to keep it as clear and brief as possible:
When I open an onion address in a private tab with Tor, the Brave URL bar tells me that the connection is “Not secure” if I don’t use HTTPS. This is utter nonsense, as I’ll explain:
HTTPS provides two security features:
- Traffic is encrypted between client and server
- URL is verified using a cryptographic certificate issued by a trusted authority
For Onion services, equivalent security features are provided natively without HTTPS:
- All traffic is encrypted between client and server (for onion services, traffic never passes an exit node to enter the clearnet, so there are “onion layers” of encryption all the way end-to-end)
- The onion-address/URL is itself the public key used to authenticate the service similarly to a TLS certificate.
There is nothing that is less secure in connecting to an onion address with HTTP compared to HTTPS, so this warning should be removed.
You can read more about why HTTPS isn’t really necessary for onion services on Tor’s own site here.
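
An added example, not part of the original post: the sketch below shows what "the onion address is itself the public key" means in practice by decoding a version 3 onion hostname into its embedded ed25519 public key and verifying the checksum and version byte. It assumes the v3 address layout from Tor's rendezvous specification (base32 of public key, 2-byte checksum, version byte); the function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib

ONION_V3_VERSION = 3  # version byte of a v3 onion address


def _checksum(pubkey: bytes, version: int) -> bytes:
    # checksum = first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey, ONION_V3_VERSION) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_v3_public_key(hostname: str) -> bytes:
    """Return the public key embedded in a v3 onion hostname.

    Raises ValueError when the name is not a well-formed v3 address,
    e.g. after a typo or a truncated copy and paste.
    """
    name = hostname.lower().rstrip(".")
    if not name.endswith(".onion"):
        raise ValueError("not an onion hostname")
    label = name[: -len(".onion")].split(".")[-1]  # ignore any subdomain labels
    if len(label) != 56:
        raise ValueError("not a v3 onion address (expected 56 base32 characters)")
    raw = base64.b32decode(label, casefold=True)  # 56 chars -> 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != _checksum(pubkey, version):
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return pubkey


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed placeholder bytes, not a real service key
    address = make_onion_v3(sample_key)
    print(address)
    print(onion_v3_public_key(address).hex())
```

The checksum only catches malformed or mistyped addresses; the authentication itself comes from the Tor client requiring the service to prove possession of the private key matching the embedded public key.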