[quote="Ego, post:2, topic:2060, full:true"]
the exit node can, of course, only read unencrypted content, meaning hidden service connections are “hard to not readable”.
[/quote]
Just a quick clarification: it is impossible for exit nodes to read any traffic going to hidden services because they are not involved at all. Exit nodes provide a means to “exit” the Tor network and access clearnet sites. You don’t need to leave the Tor network to access hidden services. The last hop just thinks it’s routing traffic to another Tor relay.
Is the connection to Tor hidden services encrypted?
A famous example of exit nodes sniffing credentials was Blockchain.info. They have an .onion address as well as https, both of which are “safe” to use. The problem occurred when Tor users accessed the site using http, giving exit nodes a chance to steal info. Blockchain.info now requires Tor users to access the site using the .onion address only.
If you must pass sensitive info over http (really, really bad idea), then your suggestion is one option. Of course, that requires finding a trustworthy VPN. If you’re able to acquire a VPS anonymously, you could host your own VPN and eliminate the trust factor. (Even better if the VPS uses a shared IP.)
The obvious follow-up question is, “Why do some .onion sites use https?” Tor Project’s Roger Dingledine’s thoughts: Facebook, hidden services, and https certs