
So certificates do not enable privacy, they take it away.

SSL may stop your roommate or ISP, but they provide another vector for linking to other entities.

I wonder how many are using this technique to link web properties together.



Anonymity of the origin server is not at all a design goal of SSL/TLS: in fact, the whole point is to tie a web host to a particular identity. Originally it was supposed to be legal identity, but that is actually fairly useless, so now it's just a domain name.

For end-users TLS and Tor both provide privacy; since you don't need to identify yourself in order to use https. In fact, with ESNI and DoH the only thing anyone snooping wire traffic can see is that you're connecting to whatever data center is owned by the company hosting the website.

The sites in the original article are criminal enterprises, which means they have the unique problem of needing the origin server to remain anonymous so that their hosting provider can't find out what they are doing. This is the one thing Tor does that TLS doesn't; and they were deanonymized by them insisting on providing a self-signed cert anyway. However, this is a particularly unusual threat model that is far harder to maintain. Even the whole anticensorship thing is usually just hiding what sites you're visiting from, say, the Great Firewall - we don't care that China can also use Tor to learn where Google's servers are.


What’s the TLS cert for? Tor is already encrypted and the onion address acts as the public key.


To make the browser show the little lock in the address bar, I suppose?

Granted, that's still kind of pointless because you still have to self-sign, which gives scarier warnings than being unencrypted[0].

A knowledgeable user wouldn't care - they'd know that they installed a Tor gateway that resolves .onion to itself, so they're just as protected as they are on TLS. The catch here is that the ransomware operators are trying to criminally extort less-knowledgeable users and bureaucratic IT staff that are just being told to "run Tor and pay us in Monero to get your files back".

[0] There's nothing preventing these operations from shipping their own browser or root cert - they are, after all, already running on the local machine outside of any sandboxing. No clue if they do this.


Many security-enhancing technologies have been used to deanonymise websites. For example, by checking the certificate transparency log (the thing that prevents any CA from generating a certificate for Google.com that doesn't get nuked in seconds) it's often possible to find certificates for servers hidden behind Cloudflare. Those certificates can in turn be found using the mechanisms described here, and DDoS protection may quickly be bypassed that way.

Generally, though, TLS is not designed with privacy of the server in mind. The data exchanged between the client and the server is kept private between the two parties, but that's it.

If you wish to anonymise your connection, technologies like Tor will help. You'll still have to pay attention though. In a great many cases, security and usability are polar opposites, and a balance must be struck to find a workable solution. In this case the best balance is probably in-depth knowledge of how web servers work combined with reading through the documentation of the Tor project.


Certificates enable privacy for the user - fundamentally, they are about proving the identity of the server, which is at least somewhat at odds with privacy of the server.

Anyway, these all seem like pretty obvious opsec fails where the darknet website is also served over the regular internet, which is just atrocious.


If you follow the best practices and do not bind your onion service on 0.0.0.0, self-sign, and don't reuse keys, they do provide privacy against a snooping exit node.


>do not bind your onion service on 0.0.0.0

Good advice

>they do provide privacy against snooping exit node

Onion services don't use exit nodes. Your client and the service build circuits to nominated middle relays, so HTTPS only offers very marginal increases in privacy. However, you are right to assume that any exit node may be (or probably is) monitored.


Since I never ran a hidden service, I never challenged my assumptions that they connected to an exit node, but it makes sense that a hidden service would be routed through a middle relay without going through an exit node.

Thanks for the clarification.
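
The bind-address advice from the comments above, as an added example that is not part of the thread: a small audit that flags onion-service backends reachable beyond loopback. It assumes an nginx backend (the thread names no web server), and the sample configs, paths and function names are constructed for illustration; `HiddenServicePort` and `listen` are the real tor and nginx directives.

```python
import ipaddress
import re

# Constructed sample configs for illustration; paths and ports are made up.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/site_a/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/site_b/
HiddenServicePort 443 10.0.0.5:8443
HiddenServicePort 80 unix:/run/site_b.sock
"""
SAMPLE_NGINX = """\
server { listen 127.0.0.1:8080; }
server { listen 8443 ssl; }        # bare port: nginx binds every interface
server { listen [::]:8081; }
server { listen unix:/run/site_b.sock; }
"""

def is_local(addr):
    """True for unix sockets and loopback addresses, False otherwise."""
    if addr.startswith("unix:"):
        return True
    if addr.isdigit():                      # bare port, no address given
        return False
    host = addr.rsplit(":", 1)[0] if re.search(r":\d+$", addr) else addr
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                      # "*" or an unresolved hostname
        return False

def audit(torrc, nginx):
    """Return (file, address) pairs that are not loopback-only."""
    findings = []
    for m in re.finditer(r"^[ \t]*HiddenServicePort[ \t]+\d+(?:[ \t]+(\S+))?", torrc, re.M):
        target = m.group(1) or ""
        # tor sends a missing or bare-port target to 127.0.0.1, so only check addresses
        if target and not target.isdigit() and not is_local(target):
            findings.append(("torrc", target))
    for m in re.finditer(r"\blisten\s+([^\s;]+)", re.sub(r"#.*", "", nginx)):
        if not is_local(m.group(1)):
            findings.append(("nginx", m.group(1)))
    return findings

if __name__ == "__main__":
    for source, addr in audit(SAMPLE_TORRC, SAMPLE_NGINX):
        print(f"{source}: {addr} is reachable beyond loopback")
```

A private-network target such as the constructed `10.0.0.5:8443` is flagged for review, not because it is always wrong but because the traffic leaves the host.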


This is not a big deal really. Getting an SSL cert only requires you provide proof of ownership of your domain and has no KYC. You can get as many certs as you want, or sign it yourself.

Right now, SSL (or PKI, to be precise) is a very privacy-respecting technology. For both the server and the client.



