[Cryptography] Verisimilitrust

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 23:51:15 EST 2016


On Sat, Jan 16, 2016 at 7:18 PM, Arnold Reinhold <agr at me.com> wrote:
> On Wed, 13 Jan 2016 15:32 Ray Dillinger asked:
>
>> And what requirements does it have beyond or different from the X.509 PKI?
>>
>> In short, where is the new work that we still need to do?
>>
>
> Top of my list would be a standard way to get or verify certificates via
> QR-codes. Consumers are already familiar with them. Coupled with certificate
> pinning, this would allow the whole CA mess to be bypassed in many important
> cases, such as banking, health care and email. Most people have periodic
> out-of-band contact with their banks, visiting offices, ATM machine kiosks, or
> getting written statements. Health care usually entails in-person contact.
> Scanning a QR code on the wall or in the printed statement letterhead would
> allow a direct establishment of trust. Email trust could be established when
> exchanging business cards at first contact, and so on.  Banks and others might
> even get into the business of verifying certificates for business and
> individuals that have accounts with them, perhaps for a fee.

QR-codes in corporate and branch offices would probably be fine, but
anywhere else, I think they are risky in some places as humans cannot
readily distinguish the meaning of a QR code. So in the case of a QR
code printed on company letterhead, what's to prevent a phisher from
sending a fake mailing with *their* QR code? Sure, there's the mailing
cost, but is that enough to make things like this not profitable for
phishers? What about placing stickers of their QR codes over the company
QR codes on ATM machines? That might work for a phisher.

I know that various hacker lists have already discussed this as a possibility
with substituting official QR codes on signage with ones that redirect
users scanning them to URLs that will download malware, so this thought
is not exactly new.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.