
What about certificates? The fake GitHub almost certainly does not have a valid certificate. Isn’t that our one defense against these things?


The problem is that a certificate just assures us this is indeed https://githubverification.com/, which it is.

This leaves a human to try to make deductions about whether githubverification.com is github.com, which is something humans are terrible at, so game over.

If you have WebAuthn, then your browser also takes responsibility for only letting you use your github.com credentials on github.com, and does not even bother you with any other possibilities that you might think could be safe and are not. That's why WebAuthn prevents phishing.
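The origin-binding described in the comment above can be modelled in a few lines. The block below is an added example, not code from the thread or from GitHub; it simulates the two checks that make WebAuthn phishing-resistant with constructed data (no real keys, challenges or GitHub messages). The browser-side rule is simplified to a suffix match without the public suffix list, and the authenticator signature is omitted so the block runs on the standard library alone; both simplifications are marked in the code.

```python
"""Simplified model of why WebAuthn assertions cannot be phished.

Two parties fill in data the page itself cannot control:
  * the browser decides which RP ID a page may ask for and writes the
    real origin into clientDataJSON;
  * the authenticator binds the assertion to SHA-256(rpId) in
    authenticatorData.
The relying party then rejects anything scoped to the wrong site.
Constructed example; no real WebAuthn library or GitHub data is used.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule (simplified): the RP ID a page requests must equal the
    origin's host or be a registrable suffix of it.  A real browser also
    consults the public suffix list; that check is omitted here (assumption)."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def build_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the browser returns to the page from navigator.credentials.get().

    The page supplies rp_id and challenge; the browser supplies origin and the
    authenticator supplies rpIdHash.  A page at githubverification.com therefore
    cannot obtain an assertion scoped to github.com at all.
    """
    if not rp_id_allowed_for_origin(rp_id, origin):
        raise ValueError(f"origin {origin} may not use RP ID {rp_id}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,            # written by the browser, not the page
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])           # UP (user present) | UV (user verified)
    sign_count = (0).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    # Signature over auth_data || SHA-256(client_data) omitted (assumption).
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_origin: str,
                     expected_rp_id: str, expected_challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure (signature
    verification omitted).  Returns False on any mismatch."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False                # replayed or foreign challenge
    if cd.get("origin") != expected_origin:
        return False                # browser says the user was elsewhere
    ad = assertion.get("authenticatorData", b"")
    if len(ad) < 37:
        return False
    if ad[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False                # credential scoped to a different RP ID
    if not ad[32] & 0x01:
        return False                # user presence flag not set
    return True


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed challenge").digest()
    good = build_assertion("https://github.com", "github.com", challenge)
    print("legitimate login:", verify_assertion(good, "https://github.com", "github.com", challenge))
    try:
        build_assertion("https://githubverification.com", "github.com", challenge)
    except ValueError as exc:
        print("browser refuses phishing page:", exc)
    phish = build_assertion("https://githubverification.com", "githubverification.com", challenge)
    print("relayed phishing assertion:", verify_assertion(phish, "https://github.com", "github.com", challenge))
```

The interesting case is the relay: even if the phishing site forwards GitHub's real challenge to the victim, the victim's browser will only produce an assertion for an RP ID the phishing origin is allowed to request, and the relying party rejects it on both the origin field and the rpIdHash. A forged clientDataJSON claiming the github.com origin would additionally fail the (omitted here) signature check, since the authenticator signs the hash of the clientDataJSON it was actually given.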



