How Tor Works (alexkyte.me)
171 points by LForLambda on Sept 2, 2016 | 31 comments




Hey there! I'm the author of this series - happy to answer any questions.

Edit: I've also had some posts about Tor that did not fall exactly under this series format but should be helpful: http://jordan-wright.com/blog/tags/tor/


Cool blogpost. People that enjoyed this might also like to take a look at "The Architecture of Open Source Applications" http://aosabook.org/en/index.html.

Also, a few months back I annotated the original Tor whitepaper here http://fermatslibrary.com/s/tor-the-second-generation-onion-...


The annotations on the paper look informative, thanks for sharing!


Remember that Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication.

https://www.torproject.org/projects/torbrowser.html.en


It would also be useful to point out limitations and vulnerabilities. Tor browser has no protection against malware that hits the Internet directly, bypassing Tor circuits. But Tor Project does not prominently warn users about that on its website. While Tor Project does acknowledge Tor's vulnerability to global adversaries, there's also no prominent warning about that. If you run Tor in a terminal, you see "This is experimental software. Do not rely on it for strong anonymity." But how many users will ever see that warning?


That's FUD and untrue.

The first thing you see in Tor Browser is a tab explaining that you got properly connected to Tor, but that Tor in itself is not a complete solution to online privacy and suggests you follow a link to an informative document written by the Tor Project.


Even worse is that JavaScript is enabled by default, making the security as strong as the Firefox sandbox.


I've also written up a comprehensive IoT infrastructure using Tor, Node-Red, MQTT, and sensor/actuator nodes as you choose.

It's all documented here: https://hackaday.io/project/12985-multisite-homeofficehacker...


When I see articles about security related topics I immediately expect them to be served over HTTPS and get frustrated when they are not.

It makes me think if HN should perhaps make a stand and either display some sort of lock icon next to secure links or make it harder for insecure links to show on the front page. Where is the right place to discuss this?


Why do you need HTTPS for a text-only page? Sure, somebody could do deep packet inspection, but they would not find anything they couldn't find going to the domain (that won't be hidden by HTTPS anyway) directly.

EDIT: previously incorrectly stated 'url' instead of 'domain'.


There are several reasons you want this, relating to security, privacy and “politics” (in the wider sense).

Regarding security, using HTTPS (along with the right measures on externally-hosted content) guarantees (to some extent) that what the user gets is what you meant to publish: a hostile network cannot replace the content with misinformation and cannot inject JS -- to exploit the client or not (as was done with the “Great Cannon” [0] which took down GitHub).

Privacy-wise, a number of countries routinely spy on their communication infrastructure, and revealing “I visited this website” is far more problematic than “I visited this Tor-related post on this website, and left this comment”.

The last reason for systematic HTTPS is “political”: if we go towards a situation where HTTPS is systematically employed, HTTP-only websites will be subjected to increasing amounts of social pressure as adoption rates grow: deploying HTTPS (and preferably best practices) on your “text-only” website pushes other websites (that might “need” it more) to deploy it too.

[0]: https://citizenlab.org/2015/04/chinas-great-cannon/


I don't know what is on a page until I visit it, so to make a stand myself in favor of a less insecure internet, I use HTTPS Everywhere in strict mode, which blocks HTTP. I have found that mostly I can live with it, and wish for the community (HN audience is a good part of it) to keep pushing (through a bit of pressure perhaps) towards an HTTPS only internet.


The problem with this is that it makes it very difficult to do network/isp level caching, this is especially problematic in areas where internet connectivity is slow, expensive, and limited.


It would be nice if https had a signature only mode so ISPs could cache but not meddle with the contents.


Buy me certificates and I'll use HTTPS.



For integrity, i.e. tamper-resistance and knowing if MitM tampering was done.


What's the end game for our hypothetical man in the middle? To edit the article to be subtly incorrect, so you'll misunderstand how Tor works?


Given that this is a Tor article, let's talk about it. Tor exit nodes are a super easy place to perform snooping and injection on non-encrypted requests passing through that boundary. This has been used for simple snooping as well as demonstrated cache poisoning attacks that let the snooper inject JS into later https site requests like banks to exfiltrate passwords.


That's one possibility -- to misinform or give incorrect instructions. This may be more of a risk with this type of content than your run-of-the-mill personal blog.

A more frequent one is injection of ads or tracking scripts, or 'web accelerators' that recompress images. Certain ISPs have been known to do these.


Spy on our country's citizens with deep packet inspection and put anyone on a list that reads anything related to Tor. With HTTPS, the visit of this website would seem 'innocent'.


It's a domain known to host Tor-related content, and HTTPS doesn't hide that you're connecting to it.


This. HTTPS hides the details of your requests to sites you visit, but it doesn't hide the actual sites themselves.


Redirect to another website, push malware, show shock material, exploit a vulnerability in your browser.


All of those can be performed by a URL shortening service or advertising or a compromised website (WordPress comes to mind) or ... etc.

/* insert ascii goatse here */


> that won't be hidden by https anyway

The only thing that's not hidden are the domain names in the certificate that the server presents.

The rest of the URL is encrypted, along with all data and headers.


Assuming the server uses SNI, the domain name requested by the client is also sent in plaintext. Also, it's exposed anyway in DNS queries.


Javascript inserted that injects fake flash/ms/java update... fake redirect to a login page to capture credentials... the list goes on.


But URLs are encrypted as it's the TCP connection that's encrypted, isn't it?!


Yes, snoopers can only see the domain you visit (not the full URL), although they can make good educated guesses based on file sizes.



