> What prevents a person from registering a new .onion site, such as > http://laobeqkdrj7bz9pq.onion and then relaying all its traffic to > http://3g2upl4pq6kufc4m.onion, and trying to get people to believe that > *they* are actually the duckduckgo .onion site?
Nothing. > When you see a link like http://3g2upl4pq6kufc4m.onion somewhere on the web > (such as thehiddenwiki.org) why would you believe it's the real URL that > duckduckgo created, and not somebody doing a MITM? Well, I'd query duckduckgo for its hidden service URL in the clearnet first. If you just search "duckduckgo hidden service" on their clearnet site, there's a magic/onebox answer with a link to the official onion site. ;-) The larger point is valid though. I feel like this is actually a huge problem with the current state of hidden services. Try figuring out which .onion site is the "real" Hidden Wiki for example. I'll admit I barely use hidden services for this very reason. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk