[Cryptography] distributing fingerprints etc. via QR codes etc.
Jerry Leichter
leichter at lrw.com
Fri Sep 12 20:03:58 EDT 2014
On Sep 12, 2014, at 4:21 PM, The Doctor <drwho at virtadpt.net> wrote:
>> I really wish I could just snag people's key (fingerprints) in QR
>> code form.
>
> Some of us already do that; I've had mine on my business cards for a
> couple of years now. Unfortunately, the two most common things heard
> are "What's that junk on your business card?" and "No way I'm scanning
> a strange QR code, you might be trying to pop my phone." Only one
> person in four years and change has taken it seriously and used it.
>
> QR codes work well, but the uptake of them as anything practical isn't
> where it needs to be yet.
QR codes don't work particularly well for much of anything. Their big selling point was - and is - that they can link directly to a web site. This allows all kinds of things in the real world to be connected to the on-line world - e.g., see an ad with an embedded QR code, go directly to the web site for the seller.
In a world of drive-by web attacks and continuous warnings (well founded or not) not to click on "unfamiliar" links ... the concern they raise is reasonable. Advertisers want a quick, no-effort path from the real-world QR code to a site that sells you something. Such a path is incompatible with security in today's world.
If QR codes were truly "just a glob of data" which could not trigger any automatic action, I might be willing to scan one. But unfortunately they trod the same path as e-mail, but before they were even released: From just a blob of data that couldn't harm you to something "convenient" - but laden with all kinds of hidden semantics that can not just deliver, but even execute, attack code on your system.
Yes, it's *possible* to create "safe" QR codes. And it's possible to send "safe" mail. It's also possible to run an email program that will ignore all the dangerous stuff - Alpine is still out there - and it's possible to run a QR reader that won't do anything dangerous. But the software most people have on their phones for this purpose is *not* safe - and what's important is not that it's possible to produce "safe" messages/QR codes, but that it's possible to produce "unsafe" ones.
-- Jerry
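
Added example, not part of the original message: a sketch of the "just a glob of data" handling described above, where a decoded QR payload is only inspected and accepted if it is a key fingerprint, and is never opened, fetched or dispatched. The function name, the 128-byte limit, the sample payloads and the assumption that a fingerprint is 40 hex digits (OpenPGP v4), optionally grouped with spaces or colons, are choices made for this example.

```python
import re
import string

# Assumption for this example: a fingerprint is 40 hex digits (OpenPGP v4),
# optionally grouped with spaces or colons. Nothing else is accepted.
FPR_HEX_LEN = 40
_SEPARATORS = " :"
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # RFC 3986 scheme prefix


def classify_payload(payload: bytes, max_len: int = 128):
    """Return ("fingerprint", normalized_hex) or ("rejected", reason).

    The payload is treated as inert bytes: it is inspected, never acted on.
    """
    if len(payload) > max_len:
        return ("rejected", "too long for a fingerprint")
    try:
        text = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return ("rejected", "non-ASCII bytes")
    # Check the fingerprint form first: "AB:CD:..." also looks like a scheme.
    digits = "".join(ch for ch in text if ch not in _SEPARATORS)
    if len(digits) == FPR_HEX_LEN and all(c in string.hexdigits for c in digits):
        return ("fingerprint", digits.upper())
    if _SCHEME.match(text):
        # URLs, tel:, sms:, WIFI: and similar would trigger an action in a
        # typical reader; here they are only named in the rejection reason.
        return ("rejected", "URI or action scheme: " + text.split(":", 1)[0].lower())
    return ("rejected", "not a 40-hex-digit fingerprint")


# Constructed sample payloads (not taken from any real key or site).
SAMPLES = [
    b"0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    b"http://example.test/key",
    b"WIFI:T:WPA;S:net;P:pw;;",
    b"\xff\xfe binary junk",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", classify_payload(sample))
```
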