[Cryptography] distributing fingerprints etc. via QR codes etc.

Jerry Leichter leichter at lrw.com
Sat Sep 13 19:09:28 EDT 2014


On Sep 13, 2014, at 2:46 PM, Dave Horsfall <dave at horsfall.org> wrote:
>> If QR codes were truly "just a glob of data" which could not trigger any 
>> automatic action, I might be willing to scan one.  But unfortunately 
>> they trod the same path as e-mail, but before they were even released:  
>> From just a blob of data that couldn't harm you to something 
>> "convenient" - but laden with all kinds of hidden semantics that can not 
>> just deliver, but even execute, attack code on your system.
> 
> Err, for the benefit of this netizen and others, what are these semantics?
> 
> I've just installed a QR reader on my MacBook (and I hate seeing myself 
> when the camera is engaged), and also upon my Android phone.
> 
> Should I be worried?  And I don't mean by seeing myself in the morning...
A QR image can contain a URL.  Common software scanning such a QR image will pass the URL to the default browser, which will typically open it.  I don't know - never had any reason to experiment - whether non-HTTP URLs also get passed to their registered handlers, though I suspect at least some QR-reading software will do that.

> -- Dave, a happy PINE/ALPINE user for many many years
I used PINE for years - even had some custom patches to it that the developers refused to accept, so I kept them going for years.  (For example:  Open-ended ranges.)  All my co-workers kept laughing at me for being a troglodyte and not using the modern mail reader they used - Outlook.  I, in turn, laughed as their systems kept having to be cleaned of the virus du jour, probably snuck in via some attachment.  (This is back in Win2K days.)

Then I bought a Mac and after a while started using Mail.app.  (Officially you weren't allowed to use those on the corporate network; unofficially ... well, let's just say the corporate CTO was an early convert.)  The same people wondered why I now switched.  I answered that I was willing to use a new technology if it was actually *better*.  :-)
                                                        -- Jerry
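
An added example, not part of the original message: one way a fingerprint-scanning tool could treat decoded QR text strictly as data, classifying it and comparing fingerprints without ever passing it to a browser or URI handler. The function names and the 40-hex-digit fingerprint format are assumptions made for illustration.

```python
import re

# Assumption (not from the thread): a fingerprint is 40 hex digits, as in an
# OpenPGP v4 key fingerprint, optionally grouped with spaces or colons.
FINGERPRINT = re.compile(r"[0-9A-Fa-f]{40}")
# RFC 3986 scheme syntax: a letter, then letters, digits, "+", "-" or ".".
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def classify_qr_payload(payload: str) -> dict:
    """Classify decoded QR text; nothing is opened or handed to a handler."""
    text = payload.strip()
    compact = re.sub(r"[\s:]", "", text)
    # Checked first so a colon-grouped fingerprint is not mistaken for a URI.
    if FINGERPRINT.fullmatch(compact):
        return {"kind": "fingerprint", "value": compact.upper()}
    m = SCHEME.match(text)
    if m:
        scheme = m.group(1).lower()
        # http(s) would go to the browser; anything else to a registered handler.
        kind = "web-url" if scheme in ("http", "https") else "handler-uri"
        return {"kind": kind, "scheme": scheme, "value": text}
    return {"kind": "text", "value": text}


def verify_scanned_fingerprint(payload: str, expected: str) -> bool:
    """True only if the payload is a bare fingerprint equal to `expected`."""
    got = classify_qr_payload(payload)
    want = re.sub(r"[\s:]", "", expected).upper()
    return got["kind"] == "fingerprint" and got["value"] == want


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real QR code.
    samples = [
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
        "https://example.com/0123456789ABCDEF0123456789ABCDEF01234567",
        "tel:+15555550100",
        "just some text",
    ]
    for s in samples:
        print(classify_qr_payload(s))
```
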



