<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> yes. the key detail here is that the PKI involved *includes the domain of the site* so phishing goes from &quot;mild difficulty if the user has a PTSD level of hypervigilance, easy if they&#39;re not really paying attention&quot; to &quot;physically impossible without local code execution or device theft&quot;. the differences are huge. the difference is big enough that the FTC has occasionally given it the force of law: <a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://www.</span><span class="ellipsis">ftc.gov/policy/advocacy-resear</span><span class="invisible">ch/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems#_ftnref6</span></a></p>