LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does a .onion address get created, and why can it never be faked?

The service generates a key pair; the public key is hashed to produce the 56-character .onion address, which is therefore a self-authenticating cryptographic proof of the private key.

A hidden service:

  1. Generates an Ed25519 key pair (private + public).
  2. Hashes the public key with SHA-3 → the unique 56-character .onion address.

This makes the address self-authenticating: the name is a cryptographic fingerprint of the public key, so only the holder of the matching private key can prove ownership. Consequences:

  • No DNS is involved — the address is the cryptographic identity.
  • Not forgeable — imitating an address would require the private key.
  • Self-authenticating — no Certificate Authority (CA) or TLS certificate is needed; the address vouches for itself.

Tip: On the normal web, a CA vouches that a name maps to a key. With .onion, the name is derived from the key, so no third party is needed.

Go deeper:

  • doc .onion (Wikipedia) — the key-derived, self-authenticating address scheme requiring no CA.

From Quiz: PRIVACY / Anonymous Surfing, Tor & Location Tracking | Updated: Jul 05, 2026