[Cryptography] Verisimilitrust

Arnold Reinhold agr at me.com
Mon Jan 18 09:14:35 EST 2016


> On Jan 16, 2016, at 11:51 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> 
> On Sat, Jan 16, 2016 at 7:18 PM, Arnold Reinhold <agr at me.com> wrote:
>> On Wed, 13 Jan 2016 15:32 Ray Dillinger asked:
>> 
>>> And what requirements does it have beyond or different from the X.509 PKI?
>>> 
>>> In short, where is the new work that we still need to do?
>>> 
>> 
>> Top of my list would be a standard way to get or verify certificates via
>> QR-codes. Consumers are already familiar with them. Coupled with certificate
>> pinning, this would allow the whole CA mess to be bypassed in many important
>> cases, such as banking, health care and email. Most people have periodic
>> out-of-band contact with their banks, visiting offices, ATM machine kiosks, or
>> getting written statements. Health care usually entails in-person contact.
>> Scanning a QRcode on the wall or in the printed statement letterhead would
>> allow a direct establishment of trust. Email trust could be established when
>> exchanging business cards at first contact, and so on.  Banks and others might
>> even get into the business of verifying certificates for business and
>> individuals that have accounts with them, perhaps for a fee.
> 
> QR-codes in corporate and branch offices would probably be fine, but
> anywhere else, I think they are risky in some places as humans cannot
> readily distinguish the meaning of a QR code. So in the case of a QR
> code printed on company letterhead, what's to prevent a phisher from
> sending a fake mailing with *their* QR code? Sure, there's the mailing
> cost, but is that enough to make things like this not profitable for
> phishers?

It’s far more expensive than a flood of phishing e-mails and it requires physical presence and activity in country that can lead to prosecution. And if QRcodes are on every mailing, the likelihood that a victim will select the phisher’s document to scan is small. 

> What about placing stickers of their QR codes over the company
> QR codes on ATM machines? That might work for a phisher.

Banks could use locked frames to display the QRcode in unattended locations. Also remember that ATMs are often under video surveillance and banks have an interest in prosecuting fraudsters. It might even be possible to display the QRcode on the ATM screen itself. I think there is enough screen resolution on newer ones for a verification code at least.

> 
> I know that various hacker lists have already discussed this as a possibility
> with substituting official QR codes on signage with ones that redirect
> users scanning them to URLs that will download malware, so this thought
> is not exactly new.

There will be some need for care in doing this, but direct verification of certificates from material supplied by the owner makes a lot more sense than indirect verification by any one of several hundred “trusted” third parties scattered across the globe.

Arnold Reinhold
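
An added illustration of the QR-code-plus-pinning idea discussed in this message, not code from the original post or from any standard: the `certpin://` payload format, the `PinStore` class and the sample certificate bytes are all assumptions constructed for the example. It shows the scanner side rejecting malformed payloads and refusing to silently replace a pin it already holds.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SCHEME = "certpin"  # hypothetical URI scheme, assumed for this example
BANK_CERT = b"constructed stand-in for the bank's DER certificate"
ROGUE_CERT = b"constructed stand-in for an impostor's DER certificate"

class PinError(ValueError):
    """Malformed QR payload or a scan that contradicts a stored pin."""

def make_qr_payload(host, cert_der):
    """Owner side: text to encode in the printed or displayed QR code."""
    digest = hashlib.sha256(cert_der).digest()
    pin = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return f"{SCHEME}://{host}?sha256={pin}"

def parse_qr_payload(text):
    """Scanner side: return (host, digest) or raise PinError."""
    parts = urlsplit(text.strip())
    pins = parse_qs(parts.query).get("sha256", [])
    if parts.scheme != SCHEME or not parts.hostname or len(pins) != 1:
        raise PinError("not a well-formed certpin payload")
    try:
        digest = base64.urlsafe_b64decode(pins[0] + "=" * (-len(pins[0]) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError
        raise PinError("pin is not valid base64url") from exc
    if len(digest) != hashlib.sha256().digest_size:
        raise PinError("pin is not a SHA-256 digest")
    return parts.hostname, digest

class PinStore:
    def __init__(self):
        self._pins = {}  # host -> SHA-256 digest learned from a scan

    def enroll(self, qr_text):
        host, digest = parse_qr_payload(qr_text)
        known = self._pins.get(host)
        if known is not None and not hmac.compare_digest(known, digest):
            # A second scan with a different key: refuse rather than overwrite.
            raise PinError(f"scan conflicts with existing pin for {host}")
        self._pins[host] = digest
        return host

    def verify(self, host, cert_der):
        pinned = self._pins.get(host.lower())
        presented = hashlib.sha256(cert_der).digest()
        return pinned is not None and hmac.compare_digest(pinned, presented)
```

A conflicting scan for an already-pinned host is surfaced to the user instead of being accepted, so a substituted code cannot quietly displace a pin established earlier.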

