
Well, isn't it the point, that the user can confirm, with help from the browser, that DigiCert has verified that this .onion address is actually Facebook? Maybe you meant something different by "right."

Also, Facebook made a "vanity address" that is pretty memorable, facebookcorewwwi.onion [0]. So, someone else could brute-force a similar address and lure people to it, but presumably they wouldn't be able to get a trusted CA to issue a cert authenticating that they're "the same entity as the one operating facebook.com" (from the article -- I presume facebook.com is also named in the cert, which shouldn't happen unless the CA vetted it.)

[0] https://lists.torproject.org/pipermail/tor-talk/2014-October...


