Consider tracking preferred protocol for onion addresses

[eloquence]

Currently we do not track whether a SecureDrop uses HTTP or HTTPS. Given that onion services have their own encryption layer, this is generally not a security concern, but see https://community.torproject.org/onion-services/advanced/https/ for the pros and cons of running onion services over HTTPS.

We could potentially set the protocol in cases where a SecureDrop is served over HTTPS. This would also allow the automated script that populates the onion name ruleset to use this protocol, instead of always using HTTP.

This appears to be mostly a content issue as the current validator only checks for the .onion suffix and will happily accept any protocol:

securedrop.org/directory/models/entry.py

Lines 103 to 107 in 6e6274d

	onion_address = models.CharField(
	'SecureDrop onion address',
	max_length=255,
	validators=[RegexValidator(regex=r'\.onion$', message="Enter a valid .onion address.")]
	)

The API, too, will return results with or without protocol, and the directory entries will show the protocol if it is included.

Advantages of tracking the protocol:

• We avoid an HTTP->HTTPS redirect when using an onion name or copy/pasting the address, which could mitigate against downgrade attacks by a very sophisticated attacker.

Disadvantages:

• If a news org switches to HTTPS and then stops using it, onion names will break (bug or feature?)

[eloquence]

There's some external interest in this as well, so bumping priority.

[eloquence]

We discussed this a bit today and agreed it'd be nice to have an "HTTPS preferred" property for onion services. That way, we can prefix the protocol where warranted, and also return that property in the API.