@Tutanota well its not only about your IP protection, a country controlled certificate authority could be forced to forge a false https certificate, they can also be hacked to do this, search up the case of Diginotar and Iran as an example for this. And trick the user into thinking they connected securely. With an .onion, this is not possible. If the .onion is correct, the user can be assured that they connected to the right site, and the connection has not been tampered with.