Oops, this was a mistake. I don't think most browsers have a way to restrict client certs to specific domains, but since asymmetric cryptography is used and the key agreement ensures no MITM, no phishing is possible. (They may ask for your cert, but can't use that to authenticate with the correct host.)
Some platforms may have a way to remember a client certificate as a preference, but you can't really bind a certificate to only specific sites.
kevincox|3 years ago
I've pushed a fix.
g_p|3 years ago
If you can find a way to abuse a valid authentication to one site in order to gain access to another site, that sounds like a very firmly valid security issue that needs investigating.