• vaguerant@fedia.io
      link
      fedilink
      arrow-up
      55
      arrow-down
      2
      ·
      1 day ago

      I can see a system where you have to scan the QR code in a specific app for that purpose (e.g. a dedicated QR code payment app which approved businesses sign up to, which either includes or remotely queries a database of valid endpoints). At that point though, where you’re requiring a dedicated app anyway, you may as well invent your own 2D code system with blackjack, hookers and signing. But yeah, I don’t understand how this would work otherwise. QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.

      • umbrella@lemmy.ml
        link
        fedilink
        arrow-up
        20
        ·
        23 hours ago

        no, please dont give more leverage for these people to put more invasive apps on my phone

      • Dave@lemmy.nz
        link
        fedilink
        arrow-up
        22
        ·
        edit-2
        1 day ago

        QR codes just aren’t made for security. They shouldn’t be used anywhere security is required.

        I get what you’re saying but it’s at least a little bit funny that they are regularly used for security in the form of scan to login (e.g. Steam), verify your session (e.g. Matrix), etc. Of course these are in a closed ecosystem so the QR code itself is not the security. But I just found it funny you said that when 90% of my QR code usage is for security.

        • rockerface 🇺🇦@lemm.ee
          link
          fedilink
          arrow-up
          22
          arrow-down
          1
          ·
          1 day ago

          I mean, generating a one time QR code for login is one thing. It’s the equivalent of a one time password. But a permanent QR code is not that. They still aren’t inherently secure, but they can be used in situations where showing a code in plain text would be just as secure.

          • vaguerant@fedia.io
            link
            fedilink
            arrow-up
            7
            ·
            1 day ago

            Yeah, my language was overly broad. You can use QR codes as part of a system where the security is going on elsewhere, but the integrity of the QR code itself isn’t something that can be relied on for security.

        • Fiery@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          7
          ·
          1 day ago

          I mean it’s more like it’s used to transfer small amounts of data over a visual medium in those cases. Basically just a shortcut over having to type a whole string of characters manually.

      • mmddmm@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        1 day ago

        Well, by using a QR code you don’t have to invent your own 2D system, as blackjack and hookers aren’t really necessary.

        Just make your own URI protocol, and encode any signature in the link. Bonus if you can register your protocol in Android or IOS, but I don’t know if this is possible.

      • ch00f@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 day ago

        Many QR codes today are designed to be scanned in a general QR app and then launch their specific app. Not sure how the markup works exactly, but I’ve seen it work like that.

    • Asetru@feddit.org
      link
      fedilink
      arrow-up
      9
      arrow-down
      2
      ·
      1 day ago

      If you’re running a public service, you should have a key that’s trusted by a CA anyway. So why couldn’t you, especially for qr codes that link to an https site, embed a signature in that qr code that verifies that the person that owns parkyourcar.com’s private key also created the code you just scanned? Just like signed pdfs?

        • Caedarai@reddthat.com
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          10 hours ago

          Well, because it won’t be signed by a trusted CA for that task. Like if CAs had a category of certificate issuance that applied here (the standardisation issue) then it would be easy to spot a fake (which wouldn’t be correctly signed). Alternatively, you could take the European approach of having everything government related (like public street parking, though Europe mostly uses apps for that, not signed QR codes) rely on government entities and those in turn on a national set of government CAs.

          • Aux@feddit.uk
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 hours ago

            That doesn’t make any sense. How would you know if something should or should not be signed? You wouldn’t.

      • Caedarai@reddthat.com
        link
        fedilink
        arrow-up
        2
        ·
        10 hours ago

        You pay CAs for certificate issuance, not for signing. You could sign all the QR codes in a city with a single CA-issued certificate as long as the standards for it were all accepted.

      • Caedarai@reddthat.com
        link
        fedilink
        arrow-up
        3
        ·
        10 hours ago

        This seems to be a gross misunderstanding of public key cryptography. Public keys allow you to verify an existing signature is valid and made by the correct entity, but they absolutely don’t allow you to forge a signature: that’s actually what they are designed to prevent.