• Asetru@feddit.org · 1 month ago

      If you’re running a public service, you should have a key that’s trusted by a CA anyway. So why couldn’t you, especially for QR codes that link to an https site, embed a signature in that QR code that verifies that the person that owns parkyourcar.com’s private key also created the code you just scanned? Just like signed PDFs?

        • Caedarai@reddthat.com · 1 month ago

          Well, because it won’t be signed by a trusted CA for that task. Like if CAs had a category of certificate issuance that applied here (the standardisation issue) then it would be easy to spot a fake (which wouldn’t be correctly signed). Alternatively, you could take the European approach of having everything government related (like public street parking, though Europe mostly uses apps for that, not signed QR codes) rely on government entities and those in turn on a national set of government CAs.

            • Caedarai@reddthat.com · 1 month ago

              QR codes are mostly meant to let you get an amount of info (they’re mostly text-based) without having to type or enter it manually when you might make mistakes or when the process is just faster for the amount of text involved.

    • vaguerant@fedia.io · 1 month ago

      I can see a system where you have to scan the QR code in a specific app for that purpose (e.g. a dedicated QR code payment app which approved businesses sign up to, which either includes or remotely queries a database of valid endpoints). At that point though, where you’re requiring a dedicated app anyway, you may as well invent your own 2D code system with blackjack, hookers and signing. But yeah, I don’t understand how this would work otherwise. QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.

      • Dave@lemmy.nz · 1 month ago

        QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.

        I get what you’re saying but it’s at least a little bit funny that they are regularly used for security in the form of scan to login (e.g. Steam), verify your session (e.g. Matrix), etc. Of course these are in a closed ecosystem so the QR code itself is not the security. But I just found it funny you said that when 90% of my QR code usage is for security.

        • rockerface 🇺🇦@lemm.ee · 1 month ago

          I mean, generating a one time QR code for login is one thing. It’s the equivalent of a one time password. But a permanent QR code is not that. They still aren’t inherently secure, but they can be used in situations where showing a code in plain text would be just as secure.

      • ☂️-@lemmy.ml · 1 month ago

        No, please don’t give more leverage for these people to put more invasive apps on my phone.

      • mmddmm@lemm.ee · 1 month ago

        Well, by using a QR code you don’t have to invent your own 2D system, as blackjack and hookers aren’t really necessary.

        Just make your own URI protocol, and encode any signature in the link. Bonus if you can register your protocol in Android or iOS, but I don’t know if this is possible.

        • Natanael@infosec.pub · 1 month ago

          Apps can indeed register URL schemes with their domain or chosen protocols to open by default on Android.

      • Caedarai@reddthat.com · 1 month ago

        You pay CAs for certificate issuance, not for signing. You could sign all the QR codes in a city with a single CA-issued certificate as long as the standards for it were all accepted.

      • Caedarai@reddthat.com · 1 month ago

        This seems to be a gross misunderstanding of public key cryptography. Public keys allow you to verify an existing signature is valid and made by the correct entity, but they absolutely don’t allow you to forge a signature: that’s actually what they are designed to prevent.
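The scheme sketched in this thread (Asetru's signed-QR idea, mmddmm's "own URI protocol with the signature in the link", and the point just above that a public key can only verify, never forge) can be shown end to end in a few dozen lines. The following is an added example, not code from any commenter or from a real parking operator: it assumes a hypothetical `parkpay://` scheme, an operator host `parkyourcar.com`, and a scanner app that already holds the public key it trusts for that host (the CA-versus-database question of how that trust is established is left outside the code, exactly as it is left open in the thread). It signs the canonical URI with Ed25519, embeds the signature as a query parameter, and shows that a code with a changed amount or an unknown signer is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical custom scheme; the thread proposes one but names none.
const scheme = "parkpay"

// Trusted maps a host to the public key a scanner app accepts for it. In a
// real deployment that binding would come from a CA-issued certificate or a
// vetted endpoint database; here it is populated directly as a stand-in.
type Trusted map[string]ed25519.PublicKey

// canonical rebuilds the exact byte string that gets signed: scheme, host and
// the query in sorted, percent-encoded form (url.Values.Encode sorts keys),
// so signer and verifier agree regardless of parameter order.
func canonical(host string, q url.Values) string {
	return scheme + "://" + host + "/?" + q.Encode()
}

// Encode builds the URI that goes into the QR code: the parameters plus a
// base64url Ed25519 signature over the canonical unsigned URI.
func Encode(priv ed25519.PrivateKey, host string, params map[string]string) string {
	q := url.Values{}
	for k, v := range params {
		q.Set(k, v)
	}
	unsigned := canonical(host, q)
	sig := ed25519.Sign(priv, []byte(unsigned))
	return unsigned + "&sig=" + base64.RawURLEncoding.EncodeToString(sig)
}

// Verify parses a scanned URI, looks up the key trusted for its host, strips
// the signature, recomputes the canonical form and checks the signature.
// The public key only confirms a signature; it cannot produce one, so a
// scanner holding it gains no ability to mint valid codes.
func Verify(trust Trusted, raw string) (map[string]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != scheme {
		return nil, errors.New("unexpected scheme: " + u.Scheme)
	}
	pub, ok := trust[u.Host]
	if !ok {
		return nil, errors.New("no trusted key for host " + u.Host)
	}
	q := u.Query()
	sigB64 := q.Get("sig")
	if sigB64 == "" {
		return nil, errors.New("missing signature")
	}
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, err
	}
	q.Del("sig")
	if !ed25519.Verify(pub, []byte(canonical(u.Host, q)), sig) {
		return nil, errors.New("signature invalid: contents changed or wrong signer")
	}
	params := make(map[string]string, len(q))
	for k := range q {
		params[k] = q.Get(k)
	}
	return params, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trust := Trusted{"parkyourcar.com": pub}

	// Constructed sample: the operator signs a code for one zone and price.
	uri := Encode(priv, "parkyourcar.com", map[string]string{"zone": "12", "amount": "5.00"})
	fmt.Println("QR payload:", uri)
	if p, err := Verify(trust, uri); err == nil {
		fmt.Println("genuine code accepted:", p)
	}

	// A code whose amount was altered after signing is rejected.
	tampered := strings.Replace(uri, "amount=5.00", "amount=50.00", 1)
	_, err = Verify(trust, tampered)
	fmt.Println("altered code:", err)

	// A code signed by a key the scanner does not trust for that host is rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Verify(trust, Encode(otherPriv, "parkyourcar.com", map[string]string{"zone": "12"}))
	fmt.Println("unknown signer:", err)
}
```

The canonicalisation step is the part most often got wrong in schemes like this: both sides must sign and verify byte-identical input, which is why the query is re-encoded from parsed values rather than signed as whatever string happened to be scanned. The host lookup is what makes Caedarai's "one certificate for a whole city" workable: one key per operator, bound to one host, and every code for that host checked against it.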

  • Korhaka@sopuli.xyz · 1 month ago

    I remember thinking this years ago when I saw a QR code for paying for parking. I don’t want to buy a printer though, otherwise I would have printed one to link here.

  • MystikIncarnate@lemmy.ca · 1 month ago

    For some reason this didn’t really occur to me.

    I don’t see QR codes as a potential attack vector… At least, I didn’t… Until now.

    It’s weird because I’m usually the one pointing out issues with everyone else’s plans… I didn’t realize I still had blind spots on this. Oh well, I’m only human.

    • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 @pawb.social · 1 month ago

      It’s not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn’t even open it without first telling you where it’s going.

    • yonder@sh.itjust.works · 1 month ago

      Wait, do normie phones just instantly open an untrusted website? The camera on LineageOS has a “scan” mode where it shows the data of scanned QR codes before you take an action.