.onion websites on http and not on https

There are some .onion websites which are still on http and https everywhere does not help. Just want to understand is the exit node seeing this website being visited by a user or can they see the sensitive information like username/password etc.? How hard is it for an adversary to get this info via the exit node and can they track a user through this? I am presuming that the relays won’t be able to see anything.

If I understand correctly, .onion websites do not use exit nodes.
Also, such connections are encrypted (even without https), so only .onion site owner can decrypt them.

2 Likes

Thank you. Last question, is encryption the reason that they haven’t made https mandatory for .onion websites?

Yes.
I have found explanation about this topic here: