You should read the link, even though it is http. It would correct your understanding: z-library started with all the books from libgen, set up access controls and limits to incentivize uploading new books, garnered millions of new books, and didn't contribute them back.

Also, consider your risks more holistically:

* Honeypots can and do have valid https certificates, what matters is who controls the site (for example, when the FBI took over a kiddie porn site, it changed the site to deliver over https a zero-day exploit for Tor Browser that broke out of the browser sandbox and deanonymised the visitor) * Eavesdroppers can tell you visited a specific HTTPS site by looking at your TLS1.2 SNI in cleartext. Even if you're using TLS1.3 (which fixes that leak, but is currently up to the browser/site to negotiate), eavesdroppers can still correlate site access with your DNS requests. Even if you use DNS-over-HTTPS/TLS, you don't know if your DNS provider is in cahoots with the eavesdropper. You have to trust someone

Where your actual risks lie in visiting an HTTP-only site:

* If the site has forms/cookies, an eavesdropper can see them. In this case, https buys you nothing; your concern is that someone can tell if you visited this site once, not that they can tell you're a repeat visitor * Eavesdroppers can see any headers that your browser hands out (mainly user-agent) that could more granuarly identify you vs just your IP address * Active attackers with the ability to control your traffic can place anything they want on the website by spoofing its responses. With https they could only deny you access to the site

The benefits of HTTPS over HTTP are enormous, but you have to understand what its limits are. If you're concerned about web surveillance, you should be something like Tor Browser to visit websites, and understand that even it has limitations.

> Even if you use DNS-over-HTTPS/TLS, you don't know if your DNS provider is in cahoots with the eavesdropper. You have to trust someone

but in this case, couldn't you just use an offshore dns provider that's in a jurisdiction that won't cooperate with judicial system? (assuming here adversary is getting sued by copyright holder, not govt agency)

If making requests offshore is a panacea, use a VPN that proxies _all_ your traffic there. Then you needn't care if the website is HTTPS or HTTP

In the case of _this_ site, it has nothing a copyright holder could complain about, so it doesn't matter if you visit it. It says "We don't link to it from here, but just Google for 'Pirate Library Mirror'". Yup, why not tell Google what you're doing? Once you've done that, and visited the (also HTTP only) "Pirate Library Mirror" site, you'll find it doesn't have any .torrent files. But it does have a link to a .onion site available only in Tor Browser. And the onion site _does_ have .torrent files you can download and add it to your Bittorrent client and begin infringing copyrights.

The two HTTP sites involved have nothing that could get you legally into trouble, even if an eavesdropper saw _all_ your traffic. It's certainly good practise to make all sites HTTPS, but for these specific sites, it isn't a downside that they're HTTP-only. The only situation I can think where HTTPS vs HTTP would make a difference is quite unlikely: if an active attacker, able to modify your traffic, substituted a link to a different .onion site, with different .torrent files specifically for you

http content can also be modified in flight by your ISP/VPN/Starbucks wifi hotspot spoofer, you could easily change the links on the page to ones where you would end up downloading malware/spyware versions of the products

> Why the hell is this site not https? This looks like a honeypot to me

How does TLS vs No TLS weight in on your suspicious if something is a honeypot or not? It's as trivial for three-letter agencies/black hats to setup as for trusty individuals/corporations.

We're talking about seeding a library full of copyrighted content. The person who made this site couldn't take 2 seconds to set up HTTPS? They're either incompetent or part of a honeypot. In either case, it's best to steer clear

Keep in mind, the first post on this site was in 2022. 2022, and no https... is this some kind of joke?

And in this case the adversary isn't necessarily the three letters, it's the copyright holders and legal system. No https makes ISP logs even more useful

Again, how does no HTTPS makes it more likely to be a honeypot than not? Everything on that website is about being a "pirate archivist", they don't even need to know what page you visited, just that you visited the domain, so the SNI and Host header already gives it away, TLS or not.

> so the SNI and Host header already gives it away, TLS or not

Couldn't you just use ech/esni, ISP wouldn't see the domain only IP (and dns provider)?

We can't because nobody supports it. Only firefox has support for esni and it's behind an about:config

Z library extended the libgen collection (apparently without contributing back to it).

Also it requires a login to do anything with. Add another check mark on the Honeypot theory