Find yourself a QR scanner that gives you a preview of what the code is before sending you to the open web.
I like this one, found it on F-droid. “QR Scanner (PFA)” https://github.com/SecUSo/privacy-friendly-qr-scanner
For example, the QR code sirico@feddit.uk posted (it can scan from a saved picture too) shows me this;
An oldie but a goodie:
How would you make an arbitrary QR code have a verifiable signature?
I can see a system where you have to scan the QR code in a specific app for that purpose (e.g. a dedicated QR code payment app which approved businesses sign up to, which either includes or remotely queries a database of valid endpoints). At that point though, where you’re requiring a dedicated app anyway, you may as well invent your own 2D code system with blackjack, hookers and signing. But yeah, I don’t understand how this would work otherwise. QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.
no, please dont give more leverage for these people to put more invasive apps on my phone
QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.
I get what you’re saying but it’s at least a little bit funny that they are regularly used for security in the form of scan to login (e.g. Steam), verify your session (e.g. Matrix), etc. Of course these are in a closed ecosystem so the QR code itself is not the security. But I just found it funny you said that when 90% of my QR code usage is for security.
I mean, generating a one time QR code for login is one thing. It’s the equivalent of a one time password. But a permanent QR code is not that. They still aren’t inherently secure, but they can be used in situations where showing a code in plain text would be just as secure.
Yeah, my language was overly broad. You can use QR codes as part of a system where the security is going on elsewhere, but the integrity of the QR code itself isn’t something that can be relied on for security.
I mean it’s more like it’s used to transfer small amounts of data over a visual medium in those cases. Basically just a shortcut over having to type a whole string of characters manually.
Well, by using a QR code you don’t have to invent your own 2D system, as blackjack and hookers aren’t really necessary.
Just make your own URI protocol, and encode any signature in the link. Bonus if you can register your protocol in Android or IOS, but I don’t know if this is possible.
This is how our COVID vaccination certificate QR codes worked
Many QR codes today are designed to be scanned in a general QR app and then launch their specific app. Not sure how the markup works exactly, but I’ve seen it work like that.
If you’re running a public service, you should have a key that’s trusted by a CA anyway. So why couldn’t you, especially for qr codes that link to an https site, embed a signature in that qr code that verifies that the person that owns parkyourcar.com’s private key also created the code you just scanned? Just like signed pdfs?
Okay and what happens when I overwrite that qr code with one that points to downloadvirus.com? How is a client supposed to know that the qr code isn’t supposed to be here?
Just pay a public CA everytime you make one /s
A verifiable signature could be created but the use of public keys lets malicious actors to sign using the same key
You can’t use public keys to sign anything. You need the private one.
I remember thinking this years ago when I saw a QR code for paying for parking. I don’t want to buy a printer though, otherwise I would have printed one to link here.
gXcQ - link stays blue.
Nice try.
What app you using that gave you that preview?
Voyager (wefwef). Great app. Just realized they’ve got newer link
I just like his music
Me too I actually like getting rickrolled
What app is that?
Looks like Voyager
It’s Voyager (formerly wefwef). It’s a Lemmy clone of Apollo but also works on Android which is pretty cool
