It depends. Specifically, it depends on the type of data you are accessing and your threat model.
What protection does HTTPS provide with Tor?
Here is a breakdown of some potential adversaries and the information available to them at each point. You will note that HTTPS only provides protection in the final step of the connection (between the exit node of the Tor circuit and the destination server):
- Your Home Network and ISP: Tor provides strong encryption within the network. Potential adversaries on your home network or at your ISP can see that you are using Tor, but they cannot see the websites you are visiting.
- The Tor Network: The traffic within the Tor network has multiple layers of encryption such that only the last node (the exit node) in your Tor circuit can see the traffic you send to the destination.
- The Exit Node: At this point, the traffic exits Tor; it can be monitored by the Tor node itself or that node's ISP. This is where HTTPS becomes important as it will prevent snooping on the data contained in your transaction (passwords, the specific pages you visit, etc.).
There is an excellent interactive diagram that summarizes the above. The diagram allows you to enable both Tor and HTTPS to see what information can be hidden from different adversaries.
Do I always need HTTPS?
The short answer is: no, but you should use it if possible. HTTPS provides additional protection for the data transferred between the exit node and the destination server. It depends on the data you are sending or accessing and who you want to prevent from seeing that data.
For example, if you are reading a news website without HTTPS, it becomes possible for the Tor exit node and its ISP to see that someone is reading a specific article on a specific news website. However, they will not know who you are. If you add in HTTPS, they can see the name of the news website you are visiting, but not the specific page you are visiting.
So, if HTTPS is not available on some websites, the exposure is still limited. But, if you want to send information like usernames, passwords, or other identifying information, be sure to use HTTPS.
Does HTTPS provide other protection?
Yes. There is one more point that needs to be addressed: HTTPS provides protection against malicious page modification.
When you connect to a website over an unencrypted connection, it is possible for the exit node, the exit node's ISP, or some government agencies with the necessary access to modify the traffic in transit. This could allow them to inject other content into the page including advertising or browser exploits. They could also change the content of the page itself (plant fake news stories, etc.).
Using HTTPS makes this attack much more difficult, as it requires performing a man-in-the-middle attack on your connection. Also, when these types of attacks are performed, they are much more likely to be noticed.
What about hidden services (onion websites)?
The traffic to these services is automatically encrypted by Tor. In fact, the name of the service itself (the .onion address) serves an important role in establishing the encrypted connection.
However, some hidden services do use HTTPS. Facebook is one example of this. They use the SSL certificate to provide evidence that you are connecting to legitimate Facebook servers, not an impostor website.
Is additional protection available?
There are a few browser add-ons that can be installed.
The Tor Browser Bundle already includes:
- HTTPS Everywhere automatically enables HTTPS when the destination website is on a list of websites that are known to support encryption.
- NoScript allows you to disable JavaScript, which can provide additional protection against injected JavaScript.
There are some other choices that an advanced user might want to enable as well. However, adding these to the Tor Browser Bundle might make you more unique compared to other Tor users, so only install these if you know what you are doing:
- Request Policy provides additional protection against attacks that insert iframes or other remote content into your connection.
The last line of defense is human vigilance. Be observant about anything suspicious. You never know what dangers might be lurking in the shadows.