Why is a hidden service needed? If someone can access onion websites, they can access any site. All Propublica would need to do is make sure they don't block tor exit nodes (some CDNs like cloudlfare will).
I don't see what benefits there are of having a hidden service if you don't need to hide. The only thing would be encouraging/enforcing safe usage, but that doesn't enable anything, only forces people to use security that was already available.
(To be clear, I'm only talking about hidden services, not tor in general.)
>If the anonymous user connects to a part of ProPublica that isn’t SSL-encrypted—most of the site runs SSL, but not yet every page—then the malicious relay could read what the user is viewing.
So using a hidden service was easier to set up than enforcing SSL on every page?
>Or even on SSL-encrypted pages, the exit node could simply see that the user was visiting ProPublica. When a Tor user visits ProPublica’s Tor hidden service, by contrast—and the hidden service can only be accessed when the visitor runs Tor—the traffic stays under the cloak of Tor’s anonymity all the way to ProPublica’s server.
The exit node sees that someone visited Propublica, not who, or what was fetched. (Assuming it's over SSL.) That really doesn't seem like sensitive information.
I don't see what benefits there are of having a hidden service if you don't need to hide. The only thing would be encouraging/enforcing safe usage, but that doesn't enable anything, only forces people to use security that was already available.
(To be clear, I'm only talking about hidden services, not tor in general.)