Evaluate Tor-based access to news sites

[conorsch]

Secure The News is not yet one year old, and to date we've seen strong adoption of HTTPS across a wide swath of news websites. We already have nearly 10 sites scored with A+—and 15 sites scored with A+ or A-.

Let's raise the bar a bit. For instance, ProPublica is one of the few news organizations to provide an Onion Service to browse their website: propub3r6espa33w.onion Hosting an Onion Service is hugely beneficial for reader privacy, and ProPublica gets no credit for such effort and innovation from Secure The News—arguably the authority on evaluating security of news websites.

Another problem is CAPTCHA walls, or JS browser validation checks. Cloudflare infamously provides a one-click solution for treating visitors connecting over Tor as second-class citizens. If two sites are ranked as A+ on their HTTPS deployments, but one CAPTCHAs Tor users and the other does not, our grading schema should to be updated to address the disparity.

I propose adding new attributes to site model, and writing additional scanning logic that's run over Tor. A few of the criteria we look at:

• Onion URL (have one y/n)
• Site loads fine over Tor
• Site forces CAPTCHA to Tor users
• Site requires JavaScript (will not work with high security To Browser settings)

The stem project may make scanning over Tor straightforward, since we already lean on pshtt heavily for the HTTP/S logic. Otherwise can simply proxy the requests over Tor via SOCKS5.

The goal of Secure The News is to enforce a modern and progressive rubric that promotes reader privacy and mitigates censorship opportunity from network attackers. Tor provides both criteria quite well—and with the advent of next-generation Onion Services on the horizon, it'll soon be even better—so let's start tracking it.