This post will focus primarily on sites on the Tor and I2P anonymity darknets, which follow a client-server model.

Dark web sites should not use HTTPS.

The darknet takes care of server authentication and end-to-end (client-to-server) encryption. Sites are identified by their public key, rather than cryptography being an afterthought. This allows site owners to actually own their domains, rather than renting them from domain registrars in the traditional centralized ICANN system.

Despite this, some onion sites use TLS certificates, either from their clearnet (ICANN) mirror or issues by a certificate authority that will deal with .onion domains. At best, this adds unnecessary dependency on the CA system (and theoretically an additional point of failure if the CA revokes the certificate), and it often (when the certificate is for the clearnet domain) requires users to add security exceptions to use the site in their browser, due to the invalid domain of the cert.

Dark web sites should never require JavaScript!

What are you even doing? Stop that!

Eepsites should be canonically referenced by their b32 addresses.

Tor .onion addresses are hard to remember (particularly the longer v3 addresses because they contain the entire public key, rather than half a hash like the v2 addresses).

I2P has the same problem, but it has a solution: the address book. You can map the long (b32) addresses to shorter strings. For example, the official I2P project page can be found at udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p ...or you can map that long string to just i2p-projekt.i2p. Now, when you want to go to the I2P project page, you can just type "i2p-projekt.i2p" into your browser's URL bar, and your I2P software will consult its address book, find the actual destination information, and use that to take you to the site. You don't have to worry about it anymore!

This is obviously very convenient. The problem is, if you see a short address, and you don't know the long version, how do you find out how to get there? Well, you use a jump service! And oh look, just like that, we've reintroduced dependency on (a small number of) third-party services for DNS records.

My issue isn't with the jump services themselves. They're useful for finding sites, and it makes sense to have a place where people can publish meta information about their eepsites. My issue is with people referring to eepsites only by their short addresses, which are useless without a lookup service. Eepsites should be canonically referenced by their b32 addresses, optionally with a shorter address provided as an alias, should the user want it. ("udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p which you can think of as i2p-projekt.i2p if you'd like") Helper links are great for this, but the b32 address should always be given as the default, "official" address for the site. When you link to other sites, make sure to give them the actual address. Just telling someone who doesn't know Alice that the party is "at Alice's house" isn't helpful. Tell them Alice's address.

Some eepsites even seem to hard redirect to the short form address, meaning if you don't add that short address to your address book, you can't visit the site, even if you type in the b32 address.

Dark web sites should not request clearnet resources.

They can link to clearnet sites, but they shouldn't, for example, use a clearnet CDN to serve images. DuckDuckGo is an example offender. 3g2upl4pq6kufc4m.onion (DuckDuckGo's onion site) fetches favicons for listed results from external-content.duckduckgo.com. What's the point of using an onion site if you're still fetching content from DuckDuckGo over the clearnet on it?

Related...

Dark web mirror sites should not make it easy to accidentally travel to the clearnet version of the page.

Here are some examples...

• protonirockerxow.onion allows users to access their existing ProtonMail accounts as a Tor onion service. It is only the actual "login and check your mail" part of the site. If you try to, for example, create an account, it redirects you to the clearnet sign-up page.


• blockchainbdgpzk.onion (which may or may not be now-defunct) was an onion mirror of the Bitcoin block explorer blockchain.info. When blockchain.info rebranded as blockchain.com, the page blockchain.info became a redirect to blockchain.com/explorer. Likewise, the onion site blockchainbdgpzk.onion started redirecting to the clearnet site blockchain.com/explorer.


• There was a site which had both an onion address and a clearnet address and listed lots of links to other pages on the site. Some of these links were written simply as paths, so that if you were on the .onion site, you would stay on the .onion site, and if you were on the clearnet site, you would stay on the clearnet site. Some of them were written specifically with the clearnet site's domain, so that if you clicked them, you would always go to the clearnet site.