[Cryptography] distributing fingerprints etc. via QR codes etc.
Jerry Leichter
leichter at lrw.com
Sat Sep 13 19:09:28 EDT 2014
On Sep 13, 2014, at 2:46 PM, Dave Horsfall <dave at horsfall.org> wrote:
>> If QR codes were truly "just a glob of data" which could not trigger any
>> automatic action, I might be willing to scan one. But unfortunately
>> they trod the same path as e-mail, but before they were even released:
>> From just a blob of data that couldn't harm you to something
>> "convenient" - but laden with all kinds of hidden semantics that can not
>> just deliver, but even execute, attack code on your system.
>
> Err, for the benefit of this netizen and others, what are these semantics?
>
> I've just installed a QR reader on my MacBook (and I hate seeing myself
> when the camera is engaged), and also upon my Android phone.
>
> Should I be worried? And I don't mean by seeing myself in the morning...
A QR image can contain a URL. Common software scanning such a QR image will pass the URL to the default browser, which will typically open it. I don't know - never had any reason to experiment - whether non-HTTP URLs also get passed to their registered handlers, though I suspect at least some QR-reading software will do that.
> -- Dave, a happy PINE/ALPINE user for many many years
I used PINE for years - even had some custom patches to it that the developers refused to accept, so I kept them going for years. (For example: Open-ended ranges.) All my co-workers kept laughing at me for being a troglodyte and not using the modern mail reader they used - Outlook. I, in turn, laughed as their systems kept having to be cleaned of the virus du jour, probably snuck in via some attachment. (This is back in Win2K days.)
Then I bought a Mac and after a while started using Mail.app. (Officially you weren't allowed to use those on the corporate network; unofficially ... well, let's just say the corporate CTO was an early convert.) The same people wondered why I now switched. I answered that I was willing to use a new technology if it was actually *better*. :-)
-- Jerry
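
The behaviour described in the reply above (a scanned URL handed straight to the browser or to a registered handler), seen from the reader's side. This is an added example, not part of the original message: a QR reader policy that treats every payload as data unless it is a plain web URL the user has confirmed. The function name, the policy and the sample payloads are assumptions constructed for illustration.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Assumed policy for this example: only web URLs are ever offered to the
# browser, and only after the user has seen the real host and confirmed.
WEB_SCHEMES = {"http", "https"}

def classify_qr_payload(payload: str) -> Tuple[str, str]:
    """Decide what a reader may do with a decoded QR payload.

    Returns (action, detail). Actions:
      "display" - show as inert text, never hand to any handler
      "confirm" - show detail (the host) and ask before opening
      "reject"  - do not render or open
    """
    text = payload.strip()
    # Control characters can hide the real target in a prompt.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return "reject", "control characters in payload"
    try:
        parts = urlsplit(text)
        host = parts.hostname
    except ValueError:
        return "display", "not a well-formed URL"
    scheme = parts.scheme.lower()
    if not scheme:
        return "display", "no URL scheme"
    if scheme not in WEB_SCHEMES:
        # tel:, sms:, intent:, file: and similar stay text, so no
        # registered handler is triggered by a scan.
        return "display", "scheme '%s' is not dispatched" % scheme
    if not host:
        return "display", "web URL without a host"
    if "@" in parts.netloc:
        # https://trusted@other-host/ shows a misleading name first.
        return "display", "userinfo in URL"
    return "confirm", host

# Constructed sample payloads, not taken from real QR codes.
SAMPLES = [
    "A1B2 C3D4 E5F6 0718 293A",                  # key fingerprint as data
    "HTTPS://Example.COM/key.asc",
    "tel:+15555550100",
    "https://bank.example@evil.example/login",
    "https://example.com/\x1b[2Jok",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify_qr_payload(s))
```

A fingerprint distributed this way stays in the "display" branch, so it is only ever shown for comparison and never triggers a handler.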