[Cryptography] Questions of taste on UDF presentation

Phillip Hallam-Baker phill at hallambaker.com
Sun Feb 17 11:22:01 EST 2019 

On Sun, Feb 17, 2019 at 9:55 AM Jonathan Thornburg <jthorn4242 at gmail.com>
wrote:

> On Sat, Feb 16, 2019 at 02:48:23PM -0500, Phillip Hallam-Baker wrote:
> > So lets imagine we are on a business trip. We stay at a Hilton, we get
> > a drink at Starbucks, etc. and when we get home we have a pile of
> > receipts that we have to remember to turn in.
> >
> >
> > What if each of those receipts had a QR code that linked to an
> > encrypted version of the receipt? What if we didn't need any PKI or
> > even public key to decrypt it? What if [[...]]
>
> Using this requires that I (a potential user) scan lots of QR codes.
> In the real world, that's not a very prudent thing to do:
> * What if one of these QR codes pwns my phone?
>

Stop using C/C++, use Java, C# or any modern language that has array bounds
checking built in and 99% of the current attack vectors are shut
immediately.


> * What if one of these QR codes signs me up for even more spam?
>

I am actually looking at QR codes as a means of secure credential/contact
exchange.

Spam is of two types, there is the criminal unsolicited spam that is 99%
and is possible because SMTP email is not access controlled by default.
Then there is the ordinary junk mail problem. Conflating these two problems
is like conflating insults with a knife attack.

It is actually useful to have credential exchange via QR code because it
provides a means of authenticating credentials in-person. Sure Starbucks
could spam you. But if all their emails are authenticated, you have no
difficulty sending them to the bit bucket if you do.


> * What if one of these QR codes takes me to a nasty website while
>   I'm in a country with a "one strike" law?
>

Tough titty. If you choose to live in a fascist state, I am NOT going to
design my systems so as to protect you from your moronic police force.

QR codes are widely used today by billions.


> The basic problem is that there's no easy way to tell what a QR code
> is going to do without doing "it".  And trusting a random crumpled
> receipt that says "Starbucks" and has the Starbucks logo on it,
> doesn't seem a lot safer than trusting a random website that says
> "Starbucks" and has the Starbucks logo on it.
>

Why would you do that though?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20190217/58ac6cb1/attachment.html>

More information about the cryptography mailing list