A CA will not validate a '.onion' address since it's not an official TLD approved by ICANN. The numbers aren't random. From Wikipedia:

"16-character alpha-semi-numeric hashes which are automatically generated based on a public key <https://en.wikipedia.org/wiki/Public_key> when a hidden service <https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Hidden_services> is configured. These 16-character hashes can be made up of any letter of the alphabet, and decimal digits from 2 to 7, thus representing an 80-bit number in base32 <https://en.wikipedia.org/wiki/Base32>. It is possible to set up a human-readable .onion URL (e.g. starting with an organization name) by generating massive numbers of key pairs <https://en.wikipedia.org/wiki/Public-key_cryptography> (a computational process that can be parallelized <https://en.wikipedia.org/wiki/Parallelized>) until a sufficiently desirable URL is found."[2] <https://en.wikipedia.org/wiki/.onion#cite_note-scallion-2>[3] <https://en.wikipedia.org/wiki/.onion#cite_note-facebook_url-3>

Cheers,
yodablue

On Tue, Jan 26, 2016 at 1:32 PM lists.torproject.org [Masked] <FWD-737QLY3MGNAYSQFGAHIDLIAC2AJOAZ4BKBNCRYADXAICEWBKGA4GYNTQE4MCKZVAFMRQA3BHMAEPUEBAAAQA====@opayq.com> wrote:

> I'm new to tor, trying to understand some stuff.
>
> I understand the .onion TLD is not an officially recognized TLD, so it's not
> resolved by normal DNS servers. The FAQ seems to say that tor itself resolves
> these, not to an IP address, but to a hidden site somehow.
>
> When I look at thehiddenwiki.org, I see a bunch of .onion sites, with random
> looking names. Why is this? What if someone at thehiddenwiki.org registered a
> new .onion site (for example http://somerandomletters.onion), which then
> relayed traffic to duck-duck-go (http://3g2upl4pq6kufc4m.onion)?
> Thehiddenwiki could give me the link http://somerandomletters.org, and of
> course I would never know the difference between that and
> http://3g2upl4pq6kufc4m.onion
>
> Without trusting a CA to validate a site name, what prevents MITM attacks? Am
> I supposed to get the duckduckgo URL from a trusted friend of mine, and then
> always keep it?
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
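
The derivation the Wikipedia excerpt describes, and the check it makes possible, as an added example that is not part of the thread or of Tor's own code: the 16-character name is computed from the service's public key, so a relaying site with a different key necessarily sits behind a different name. Assumptions: the v2 rule of SHA-1 over the DER-encoded RSA public key truncated to 80 bits, hypothetical function names, and two constructed stand-in key values.

```python
import base64
import hashlib

def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(v: int) -> bytes:
    """DER INTEGER; the extra leading byte keeps a high-bit value positive."""
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw

def rsa_public_key_der(n: int, e: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def onion_v2_address(pubkey_der: bytes) -> str:
    """First 80 bits of SHA-1(DER key) in base32: 16 characters (assumed v2 rule)."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

def key_matches_address(pubkey_der: bytes, address: str) -> bool:
    """Client-side check: does the key the service presents hash to the name?"""
    return onion_v2_address(pubkey_der) == address.strip().lower()

def _constructed_modulus(label: bytes) -> int:
    # Constructed 1024-bit stand-in, NOT a real RSA modulus; only its bytes matter here.
    return int.from_bytes(hashlib.sha512(label).digest() * 2, "big") | (1 << 1023) | 1

# Constructed sample keys: the genuine service and a relaying site with its own key.
SERVICE_DER = rsa_public_key_der(_constructed_modulus(b"constructed service key"))
IMPOSTOR_DER = rsa_public_key_der(_constructed_modulus(b"constructed relay key"))

if __name__ == "__main__":
    real = onion_v2_address(SERVICE_DER)
    print("service address :", real)
    print("impostor address:", onion_v2_address(IMPOSTOR_DER))
    print("service key matches :", key_matches_address(SERVICE_DER, real))
    print("impostor key matches:", key_matches_address(IMPOSTOR_DER, real))
```

The check only ties a key to a name; which name belongs to the service you want still has to come from a source you trust. Current v3 onion addresses are 56 characters and embed an ed25519 public key directly, following the same self-authenticating idea.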