Passkeys are just sparkling TLS client certs

faoluin@chitter.xyz

@xssfox With landlords

yaakov@cloudisland.nz

@xssfox I thought sparkling Smart Cards

rileywd@mastodon.social

@xssfox worse, since their cryptographic auth is one-time, exchanged for a long-lived stealable cookie

avincentinspace@furry.engineer

@xssfox shutup shut up SHUT UP SHUT

/lh

xssfox@cloudisland.nz

I love how this annoys or clicks with people in different ways

hellbeast@pleroma.envs.net

@xssfox at least there's no PKI attached to them (I THINK?????????)

ei3jdb@mastodon.radio

@jpm @xssfox Lotus Notes is usable? That's not what I remember

erikvanstraten@todon.nl

@xssfox : no they're not.

IIRC client certs are bound to the TLS channel, while passkeys are bound to the domain name.

Passkeys do not protect against DNS domain takeovers or BGP hijacks (where a malicious website hijacks the domain name and obtains a valid https website certificate).

OTOH if your browser has a TLS connection to a MitM proxy such as Cloudflare or Fastly, you're dead in the water anyway.

#TLS #MitM #AitM #Passkeys

isithran@social.lkw.tf

@yaakov @xssfox this, with the notable limitation that private keys are now device bound

yaakov@cloudisland.nz

@isithran @xssfox not quite, they can be synced^ and transferred*