[Cryptography] distributing fingerprints etc. via QR codes etc.

Jerry Leichter leichter at lrw.com
Fri Sep 12 20:03:58 EDT 2014


On Sep 12, 2014, at 4:21 PM, The Doctor <drwho at virtadpt.net> wrote:
>> I really wish I could just snag people's key (fingerprints) in QR
>> code form.
> 
> Some of us already do that; I've had mine on my business cards for a
> couple of years now.  Unfortunately, the two most common things heard
> are "What's that junk on your business card?" and "No way I'm scanning
> a strange QR code, you might be trying to pop my phone."  Only one
> person in four years and change has taken it seriously and used it.
> 
> QR codes work well, but the uptake of them as anything practical isn't
> where it needs to be yet.
QR codes don't work particularly well for much of anything.  Their big selling point was - and is - that they can link directly to a web site.  This allows all kinds of things in the real world to be connected to the on-line world - e.g., see an ad with an embedded QR code, go directly to the web site for the seller.

In a world of drive-by web attacks and continuous warnings (well founded or not) not to click on "unfamiliar" links ... the concern they raise is reasonable.  Advertisers want a quick, no-effort path from the real-world QR code to a site that sells you something.  Such a path is incompatible with security in today's world.

If QR codes were truly "just a glob of data" which could not trigger any automatic action, I might be willing to scan one.  But unfortunately they trod the same path as e-mail, but before they were even released:  From just a blob of data that couldn't harm you to something "convenient" - but laden with all kinds of hidden semantics that can not just deliver, but even execute, attack code on your system.

Yes, it's *possible* to create "safe" QR codes.  And it's possible to send "safe" mail.  It's also possible to run an email program that will ignore all the dangerous stuff - Alpine is still out there - and it's possible to run a QR reader that won't do anything dangerous.  But the software most people have on their phones for this purpose is *not* safe - and what's important is not that it's possible to produce "safe" messages/QR codes, but that it's possible to produce "unsafe" ones.  
                                                        -- Jerry
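A reader that treats the decoded symbol as an inert blob, as an added example that is not code from the original thread or from any of its participants: it classifies the decoded payload and only returns a value when it is an OpenPGP fingerprint, refusing anything a typical phone scanner would act on (open, dial, send, join). Assumptions, not from the post: the barcode library has already decoded the symbol to a string (so the file runs offline on constructed sample payloads), and the `OPENPGP4FPR:` prefix convention that some OpenPGP phone apps use when encoding a fingerprint as a QR code; a bare 40-hex-digit fingerprint is accepted too.

```python
"""Classify a decoded QR payload without ever acting on it.

Added example, not code from the mailing-list thread. Assumptions (not from the post):
- the decoding step (e.g. a zbar binding) has already produced a str; only that
  string is handled here, so the example runs offline.
- "OPENPGP4FPR:" prefix convention for fingerprint QR codes, plus bare 40 hex digits.
"""
import hmac
import re
from typing import List, Optional, Tuple

# Payload prefixes that common phone scanners act on automatically
# (open a browser, dial, compose SMS/mail, join Wi-Fi, import a contact, launch an app).
ACTION_PREFIXES = (
    "http:", "https:", "ftp:", "tel:", "sms:", "smsto:", "mailto:",
    "wifi:", "mecard:", "begin:vcard", "geo:", "market:", "intent:",
)

# An OpenPGP v4 fingerprint: 40 hex digits, optionally in groups of four
# separated by single spaces, optionally prefixed by OPENPGP4FPR: (assumed convention).
_FPR_RE = re.compile(r"^(?:OPENPGP4FPR:)?((?:[0-9A-Fa-f]{4}\s?){10})$")


def classify(payload: str) -> Tuple[str, Optional[str]]:
    """Return (kind, fingerprint).

    kind is 'fingerprint', 'action' or 'opaque'; only 'fingerprint' carries a value.
    Nothing is dereferenced, opened or executed for any kind.
    """
    text = payload.strip()
    # Refuse anything with action semantics first, regardless of what else it
    # contains: a URL that embeds a fingerprint is still a URL.
    if text.lower().startswith(ACTION_PREFIXES):
        return ("action", None)
    m = _FPR_RE.match(text)
    if m:
        return ("fingerprint", re.sub(r"\s", "", m.group(1)).upper())
    # Everything else is kept as opaque data and not interpreted.
    return ("opaque", None)


def matches_expected(payload: str, expected_fpr: str) -> bool:
    """True only if the payload is a fingerprint equal to one obtained out of band.

    Comparison is constant-time; grouping and case in either value are ignored.
    """
    kind, fpr = classify(payload)
    if kind != "fingerprint":
        return False
    wanted = re.sub(r"\s", "", expected_fpr).upper()
    return hmac.compare_digest(fpr.encode(), wanted.encode())


def scan_batch(payloads: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Classify a list of already-decoded payloads (constructed samples below)."""
    return [classify(p) for p in payloads]


# Constructed sample payloads (not real keys or real cards), covering the cases
# a business-card scanner would meet.
SAMPLE_PAYLOADS = [
    "OPENPGP4FPR:1234567890ABCDEF1234567890ABCDEF12345678",
    "1234 5678 90ab cdef 1234 5678 90ab cdef 1234 5678",
    "https://example.invalid/key?fpr=1234567890ABCDEF1234567890ABCDEF12345678",
    "WIFI:T:WPA;S:cafe;P:hunter2;;",
    "Just some text on a card",
    "1234567890ABCDEF1234567890ABCDEF1234567",  # 39 hex digits: not a fingerprint
]

if __name__ == "__main__":
    for payload, (kind, fpr) in zip(SAMPLE_PAYLOADS, scan_batch(SAMPLE_PAYLOADS)):
        print(f"{kind:12} {fpr or '-':42} {payload!r}")
```

The order of the two checks is the point: action-bearing payloads are rejected before any pattern matching, so a payload can never be both "a fingerprint" and "something the scanner should open". Whether to then trust the fingerprint is a separate question that the comparison against an out-of-band copy answers, not the QR code.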


