If you're wondering, "Wait, WebAuthn mitigates phishing?" there's a very good explainer about this topic from the same blog that Reddit thread is about:

https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections

@soatok : UTTER BS.

The picture you copied DOES NOT mitigate AitM's.

The article (https://blog.trailofbits.com/2025/05/14/the-cryptography-behind-passkeys/#anti-phishing-protections) is right b.t.w.

#Passkeys #AitMmadeMuchHarder #CryptographyBS

How it works:

In case of https://fake-bank.com instead of https://bank.com (where you have a passkey for):

1️⃣ In your browser you open https://fake-bank.com
2️⃣ Your browser asks your passkey manager: do you have one or more passkeys for https://fake-bank.com?
3️⃣ The passkey manager replies: no

NO ASYMMETRIC CRYPTOGRAPHY RELATED TO PASSKEYS INVOLVED

🚨 When things get complicated (very rare cases)

1️⃣ Phishing mail: check your GMail account at https://sites.google.com/niceguy which you open in your browser
2️⃣ The site asks you to log in using your google account
3️⃣ Since you have a passkey for https://google.com, your passkey manager will sign the request using your passkey's private key. The signed data will include the full domain name: https://sites.google.com
4️⃣ Google is aware of this risk (see https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580) which is why it does not let you log in.

🚨 When things get complicated AND FAIL

🔴 A hijacked domain name gets a certificate (this: https://www.bleepingcomputer.com/news/security/defi-exchange-dydx-v3-website-hacked-in-dns-hijack-attack/ won't protect you). This will not prevent a passkey-login (if the fake site acts as AitM).

🔴 Subdomain hijacking where the main domain does NOT check the full DN in the signed data.

@soatok

#passkeys #CryptoBS

@ErikvanStraten @soatok
Soooo.. if the domain is hijacked and set up to appear identical, people's password managers wouldn't know the difference. Same with passkeys. Same with the people manually entering credentials.

That's not a problem with passkeys here, domain hijacking is out of scope.

@cendyne : fuck scope.

People get promised security when using passkeys. Let's Encrypt and other DV CSP's keep issuing certs to fake and plain criminal websites.

The chain is what matters, not your limited view on "scope".

@soatok

@ErikvanStraten @cendyne @soatok In the scope you’re questioning, it’s worth noting that literally everything would fail.

Look, anybody that “promised security” has something to sell, so fuck that argument too.

You’re very angry that passkeys don’t close HTTPS cert-shaped holes. But neither do password managers or anything else in a browser. Maybe the right DNSSEC + Log Transparency system can in theory, but certainly nothing running on the client can. I just don’t understand it.

@ErikvanStraten @cendyne @soatok

Erik, it seems like your arguments always come down to “somebody promised me 100% safety and this only fixes problems A/B/C/D and leaves fake HTTPS certs on the table”.

I’m not saying it’s *ok* that it hasn’t been solved in this or any scope, I just think it’s a silly reason to avoid passkeys.

My advice: Set aside what “somebody” “promised” “you”.

How *can* we solve HTTPS cert problems?

@chazh :

100% security is impossible. But it's bad and it's getting worse.

Fix:

1️⃣ Immediately after setting up an https connection (before downloading content), EVERY browser should warn people if they've never visited the site (exact domain name) before, if ownership of the domain name changed or upon any other risky anomaly.

2️⃣ The warning should include as much as possible information about:
• the current owner of the domain name;
• if such info is available, the *reliability* of that info.

3️⃣ Depending on said info, the user is informed about the risks they take when deciding to "trust" the website and opening it (thereby adding it to their "visited before" list).

4️⃣ User education is very important, at the very least browsers should provide easy to understand tutorials.

5️⃣ The current (corrupt) CAB/forum needs to be replaced by an organizations with end-user participation.

Google in particular does not want that. They don't want internet users to be able to easily distinguish between authentic and junk websites. Scamsites are part of their business model.

@cendyne @soatok

#BigTechIsEvil #GoogleIsEvil #CloudflareIsEvil