Quiz Entry - updated: 2026.07.05
How does a .onion address get created, and why can it never be faked?
The service generates a key pair; the public key is hashed to produce the 56-character .onion address, which is therefore a self-authenticating cryptographic proof of the private key.
A hidden service:
- Generates an Ed25519 key pair (private + public).
- Hashes the public key with SHA-3 → the unique 56-character
.onionaddress.
This makes the address self-authenticating: the name is a cryptographic fingerprint of the public key, so only the holder of the matching private key can prove ownership. Consequences:
- No DNS is involved — the address is the cryptographic identity.
- Not forgeable — imitating an address would require the private key.
- Self-authenticating — no Certificate Authority (CA) or TLS certificate is needed; the address vouches for itself.
Tip: On the normal web, a CA vouches that a name maps to a key. With .onion, the name is derived from the key, so no third party is needed.
Go deeper:
.onion (Wikipedia) — the key-derived, self-authenticating address scheme requiring no CA.