> https://hstspreload.org/ offers the same benefits. You are guaranteed to be connected to what you expect - or not at all.
TLS/HSTS is still subject to CA attacks, e.g. DigiNotar.
CA/X.509 is a complex stack too.
> TLS mitigates attacks that can be executed by malicious exit nodes (or WiFi networks, or ISPs), that is the whole purpose of TLS.
A malicious exit node could refuse to serve some websites. This seems a minor risk though.
Reducing load on exit nodes is a technical benefit that's in that blog post.
Another benefit to using Tor onion services for large sites is that the Tor circuit ID can be used as an additional key in an IP rate limit cache. This helps block Tor bots (on the basis that establishing a Tor circuit is expensive).
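An added illustration of the circuit-ID rate-limit idea above (example code, not from the thread). It assumes the onion service runs behind Tor's HiddenServiceExportCircuitID haproxy mode, which presents each circuit to the backend through a PROXY protocol v1 header with the circuit ID in the low 32 bits of a synthetic IPv6 source address; the fc00:dead:beef:4dad::/64 prefix and the sample headers are assumptions/constructed.

```python
import ipaddress
import time
from collections import defaultdict

# Assumption: Tor fills the PROXY v1 source address from this prefix and
# places the 32-bit circuit ID in the low bits of the address.
CIRCUIT_PREFIX = ipaddress.ip_network("fc00:dead:beef:4dad::/64")


def circuit_id_from_proxy_line(line):
    """Parse a PROXY protocol v1 header; return the Tor circuit ID or None."""
    parts = line.strip().split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] != "TCP6":
        return None
    src = ipaddress.ip_address(parts[2])
    if src not in CIRCUIT_PREFIX:
        return None
    return int(src) & 0xFFFFFFFF


def limit_key(proxy_line, peer_ip):
    """Key the limiter on the circuit ID for onion traffic, else on the IP."""
    cid = circuit_id_from_proxy_line(proxy_line) if proxy_line else None
    return ("circuit", cid) if cid is not None else ("ip", peer_ip)


class RateLimiter:
    """Sliding-window counter: at most `limit` hits per key per `window` s."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)  # key -> recent request timestamps

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False  # this circuit/IP is over budget
        recent.append(now)
        self.hits[key] = recent
        return True


def demo():
    # Constructed headers: circuit 42 (0x2a) sends four requests in 3 s,
    # circuit 43 sends one; a plain clearnet client is keyed by its IP.
    rl = RateLimiter(limit=3, window=10.0)
    c42 = "PROXY TCP6 fc00:dead:beef:4dad::2a ::1 40000 443\r\n"
    c43 = "PROXY TCP6 fc00:dead:beef:4dad::2b ::1 40001 443\r\n"
    seq = [(c42, 0), (c42, 1), (c42, 2), (c42, 3), (c43, 3), (None, 3)]
    return [rl.allow(limit_key(h, "198.51.100.7"), now=t) for h, t in seq]
```

Pairing the circuit ID with the real IP for clearnet users keeps one limiter table for both kinds of traffic; building a new circuit per request is what the reply below argues is cheap for an attacker, so this is a cost lever rather than a hard block.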
>TLS/HSTS is still subject to CA attacks, e.g. DigiNotar.
Largely solved by Certificate Transparency. If you compromise a CA, you can issue certificates. However, you can't issue new certificates without broadcasting that fact to the whole world as browsers will not accept certificates without SCTs.
>Reducing load on exit nodes is a technical benefit that's in that blog post.
This hasn't been a real benefit for years. Exit nodes are running at something like 10% capacity.
>Another benefit to using Tor onion services for large sites is that the Tor circuit ID can be used as an additional key in an IP rate limit cache. This helps block Tor bots (on the basis that establishing a Tor circuit is expensive).
This is just another problem with hidden services. Opening circuits costs malicious clients far less CPU time than it costs the server.