If you're wondering, "Wait, WebAuthn mitigates phishing?" there's a very good explainer about this topic from the same blog that Reddit thread is about:

https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections

@soatok : UTTER BS.

The picture you copied DOES NOT mitigate AitM's.

The article (https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections) is right b.t.w.

#Passkeys #AitMmadeMuchHarder #CryptographyBS

How it works:

In case of https://fake-bank.com instead of https://bank.com (where you have a passkey for):

1️⃣ In your browser you open https://fake-bank.com
2️⃣ Your browser asks your passkey manager: do you have one or more passkeys for https://fake-bank.com?
3️⃣ The passkey manager replies: no

NO ASYMMETRIC CRYPTOGRAPHY RELATED TO PASSKEYS INVOLVED

🚨 When things get complicated (very rare cases)

1️⃣ Phishing mail: check your GMail account at https://sites.google.com/niceguy which you open in your browser
2️⃣ The site asks you to log in using your google account
3️⃣ Since you have a passkey for https://google.com, your passkey manager will sign the request using your passkey's private key. The signed data will include the full domain name: https://sites.google.com
4️⃣ Google is aware of this risk (see https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580) which is why it does not let you log in.

🚨 When things get complicated AND FAIL

🔴 A hijacked domain name gets a certificate (this: https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/ won't protect you). This will not prevent a passkey-login (if the fake site acts as AitM).

🔴 Subdomain hijacking where the main domain does NOT check the full DN in the signed data.

@soatok

#passkeys #CryptoBS

@ErikvanStraten @soatok
Soooo.. if the domain is hijacked and set up to appear identical, people's password managers wouldn't know the difference. Same with passkeys. Same with the people manually entering credentials.

That's not a problem with passkeys here, domain hijacking is out of scope.

@cendyne : fuck scope.

People get promised security when using passkeys. Let's Encrypt and other DV CSP's keep issuing certs to fake and plain criminal websites.

The chain is what matters, not your limited view on "scope".

@soatok

@cendyne : DNS (record) and BGP hijacks *DO* happen.

Why are they out of scope for Joe AverageUser?

@soatok

@cendyne : https certs are in the chain of trust.

If they are issued to the wrong sites, passkeys fail.

Note that I will NOT login to my bank (using a passkey or whatever) if it suddenly has a junk LE DV cert (soon valid for 45 days without OCSP), because I expect a decent certificate.

Why don't passkeys enforce AT LEAST an OV (Organization Validated) certificate?

@soatok

#BigTechisEvil #LetsEncryptIsEvil #GoogleIsEvil

@ErikvanStraten @soatok Not everyone can afford an OV certificate.

Passkeys don't include any certificate info about the origin to the authenticator, just the textual name of the origin. I do think there's some merit in the idea of having some additional bindings for settings where additional properties are included -- like the organization in the certificate.

Though, that won't stop things when it comes to a rogue CA (rare) or a stolen certificate (more common).