this post was submitted on 14 Mar 2025
480 points (98.6% liked)

[–] [email protected] 1 points 1 month ago (1 children)

How would signing help here??

[–] [email protected] 1 points 1 month ago (1 children)
[–] [email protected] 1 points 1 month ago (1 children)

How though? You can still get TLS certificates for fake websites. Why do you think you couldn't properly sign a fake QR code?

[–] [email protected] 1 points 1 month ago

No, like an actual human signature.

[–] [email protected] 9 points 1 month ago (1 children)

For some reason this didn't really occur to me.

I don't see QR codes as a potential attack vector... At least, I didn't.... Until now.

It's weird because I'm usually the one pointing out issues with everyone else's plans.... I didn't realize I still had blind spots on this. Oh well, I'm only human.

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago) (1 children)

It's not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn't even open it without first telling you where it's going.

[–] [email protected] 2 points 1 month ago

Due to the limited amount of information stored in QR codes, it's generally a shortened URL, so usually that doesn't tremendously help at informing where you are supposed to end up.

If you're trying to do something unique, that you don't normally do, which IMO is the entire use-case of QR codes (go here to do the thing), and you're expecting.... Say, a website for paying for parking, then.... It wouldn't be hard for an attacker to create their own mock-up of the site, grab the URL and feed it through a shortener, and encode that into a QR code, printed on stickers, that they then plaster over the legit QR codes.

Unless you're looking at the URL, and let's face it, most people don't, the sites are similar enough that they are just handing their credit card info over to an attacker, thinking they're paying for parking.

Of course, that's just one of many examples.

Personally, I don't generally trust anything I scan. Most of the time, the QR code has a website name printed next to it, and I'll scan the QR, because if it works and goes where I want to end up, so much the better, so I will follow the link, and if it lands at any URL that isn't what is displayed on the label with the QR code, I back out and type in the URL by hand.

I expect exactly zero users to have the same caution and attention to detail.
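
The check described in the comment above (follow the scanned link, then compare where it lands with the name printed next to the code), as an added example that is not part of the thread. The function names, hostnames and redirect chains are constructed for illustration, and the redirect chain is passed in as data rather than fetched.

```python
from urllib.parse import urlsplit

def host_of(url_or_label):
    """Lowercase hostname of a URL, or of a bare printed label such as 'Example.org/pay'."""
    text = url_or_label.strip()
    if "://" not in text:
        text = "https://" + text  # printed labels usually omit the scheme
    # .hostname drops any 'user@' prefix and the port:
    # 'https://good.example@bad.test/' yields 'bad.test'
    return (urlsplit(text).hostname or "").rstrip(".")

def same_site(host, printed):
    """True if host is the printed name or a subdomain of it.
    Assumption: the printed label is a full registrable domain."""
    if printed.startswith("www."):
        printed = printed[4:]
    return host == printed or host.endswith("." + printed)

def check_landing(printed_label, redirect_chain):
    """redirect_chain: URLs in order, QR payload first, final landing page last."""
    if not redirect_chain:
        return ("reject", "nothing to check")
    printed = host_of(printed_label)
    landing = redirect_chain[-1]
    host = host_of(landing)
    if not printed or not host:
        return ("reject", "could not read a hostname")
    if urlsplit(landing).scheme != "https":
        return ("reject", "landing page is not https")
    if not same_site(host, printed):
        return ("reject", f"landed on {host}, label says {printed}")
    return ("accept", f"{host} matches the printed label")

# Constructed sample data using reserved .example/.test names, not real sites.
LABEL = "www.Parking-City.example"
CHAINS = {
    "legit":     ["https://short.test/a1", "https://pay.parking-city.example/lot7"],
    "suffix":    ["https://short.test/b2", "https://parking-city.example.pay-now.test/lot7"],
    "userinfo":  ["https://parking-city.example@pay-now.test/lot7"],
    "lookalike": ["https://short.test/c3", "https://parking-c1ty.example/lot7"],
    "plaintext": ["http://parking-city.example/lot7"],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name:10s}", *check_landing(LABEL, chain))
```

Only the final landing host is compared, because a shortener in the middle of the chain says nothing about the destination.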

[–] [email protected] 30 points 1 month ago* (last edited 1 month ago) (1 children)

Find yourself a QR scanner that gives you a preview of what the code is before sending you to the open web.

I like this one, found it on F-droid. "QR Scanner (PFA)" https://github.com/SecUSo/privacy-friendly-qr-scanner

For example, the QR code [email protected] posted (it can scan from a saved picture too) shows me this;

[–] [email protected] 12 points 1 month ago (2 children)

Wait, do normie phones, just, instantly open an untrusted website? The camera on LineageOS has a "scan" mode where it shows the data of scanned QR codes before you make an action.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

Yup, modern security at its finest. Normies don't stand a chance.

I wish email clients would do something similar, especially for formatted links.

Open up a big popup that shows the full sender address, the full link, and underline/color any numbers so it's clear AMAZ0N.com is b.s.

[–] [email protected] 1 points 1 month ago

FairEmail for Android shows a popup with the actual link.

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago)

They show you a tiny pop-up with some of the URL. Not all of it. You click that and it goes right to it.

[–] [email protected] 28 points 1 month ago (2 children)

I remember thinking this years ago when I saw a QR code for paying for parking. I don't want to buy a printer though, otherwise I would have printed one to link here.

[–] [email protected] 3 points 1 month ago (1 children)
[–] [email protected] 4 points 1 month ago

XcQ - no click for you.

[–] [email protected] 51 points 1 month ago (3 children)
[–] [email protected] 6 points 1 month ago (1 children)

What app you using that gave you that preview?

[–] [email protected] 6 points 1 month ago

Voyager (wefwef). Great app. Just realized they've got a newer link:

https://vger.app/

[–] [email protected] 4 points 1 month ago (2 children)
[–] [email protected] 1 points 1 month ago

It's Voyager (formerly wefwef). It's a Lemmy clone of Apollo but also works on Android, which is pretty cool.

http://wefwef.app/

[–] [email protected] 5 points 1 month ago (1 children)
[–] [email protected] 18 points 1 month ago (1 children)
[–] [email protected] 7 points 1 month ago

Me too, I actually like getting rickrolled.
