Why is it better to provide a hidden service Web site with HTTP rather than HTTPS access?
Put simply, HTTPS access puts the connecting client at higher risk, because it bypasses any first-stage filtering proxy. Generally, a person using a Tor client will access HTTP via a first-stage proxy such as Privoxy, which can filter both the browser’s request and the server’s response. However, for HTTPS access to function correctly, the connection must run directly from the browser to the server, to protect the encrypted SSL connection under the hood. Unless the proxy forges the SSL encryption keys (causing the browser to pop up an invalid certificate warning box), there is no way to filter anything out of the HTTPS connection before the server or browser sees it, potentially allowing the browser to send identifiable user information to the server, or the server to send an exploit for a browser bug back to the client. For more information, see Privoxy’s FAQ entry (4.15) on the subject: http://www.privoxy.org/faq/misc.html#AEN895 Since hidden service connections are
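
The difference described above, shown as an added example (not part of the original FAQ and not Privoxy's code): a simplified model of what a first-stage proxy can read and rewrite for a plain HTTP request versus an HTTPS `CONNECT` tunnel. The hostname, header blocklist and byte strings are constructed for illustration.

```python
# Simplified model of a first-stage filtering proxy; assumptions, not Privoxy code.
IDENTIFYING = {"user-agent", "referer", "cookie", "accept-language"}  # assumed blocklist

def filter_client_stream(stream: bytes):
    """Return (bytes forwarded upstream, header names removed, target)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # HTTPS tunnel: the only cleartext the proxy sees is host:port.
        # Everything after the blank line is TLS records it cannot parse,
        # so the real request headers pass through unfiltered.
        return rest, [], target
    kept, removed = [], []
    for line in header_lines:
        name = line.split(":", 1)[0]
        if name.lower() in IDENTIFYING:
            removed.append(name)      # stripped before the server sees it
        else:
            kept.append(line)
    rebuilt = "\r\n".join([request_line, *kept]) + "\r\n\r\n"
    return rebuilt.encode("latin-1") + rest, removed, target

# Constructed sample: plain HTTP request as the proxy receives it.
HTTP_REQUEST = (
    b"GET http://exampleonionaddress.onion/ HTTP/1.1\r\n"
    b"Host: exampleonionaddress.onion\r\n"
    b"User-Agent: ExampleBrowser/1.0 (constructed)\r\n"
    b"Referer: http://previous-site.example/page\r\n"
    b"Cookie: session=constructed\r\n\r\n"
)

# Constructed sample: CONNECT request followed by a stand-in for an encrypted
# TLS record (the same headers as above would be hidden inside it).
TLS_RECORD = b"\x17\x03\x03\x00\x08" + bytes(range(8))
HTTPS_STREAM = (
    b"CONNECT exampleonionaddress.onion:443 HTTP/1.1\r\n"
    b"Host: exampleonionaddress.onion:443\r\n\r\n"
) + TLS_RECORD

if __name__ == "__main__":
    for label, sample in (("HTTP", HTTP_REQUEST), ("HTTPS", HTTPS_STREAM)):
        forwarded, removed, target = filter_client_stream(sample)
        print(label, "target:", target, "| headers removed:", removed)
        print("  forwarded upstream:", forwarded)
```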