this post was submitted on 14 Mar 2025
463 points (98.5% liked)

Comic Strips

15171 readers
1063 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

Web of links

founded 2 years ago
MODERATORS
lawrence@lemmy.world
463
Quishing (discuss.tchncs.de)
submitted 2 days ago by noerdman@discuss.tchncs.de to c/comicstrips@lemmy.world
51 comments fedilink hide all child comments
 

top 50 comments
sorted by: hot top controversial new old
[–] JackbyDev@programming.dev 1 points 6 hours ago (1 children)

How would signing help here??

[–] HeurtisticAlgorithm9@feddit.uk 1 points 2 hours ago

Proof of authenticity

[–] MystikIncarnate@lemmy.ca 9 points 1 day ago (1 children)

For some reason this didn't really occur to me.

I don't see QR codes as a potential attack vector... At least, I didn't.... Until now.

It's weird because I'm usually the one pointing out issues with everyone else's plans.... I didn't realize I still had blind spots on this. Oh well, I'm only human.

[–] Kolanaki@pawb.social 4 points 19 hours ago* (last edited 19 hours ago) (1 children)

It's not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn't even open it without first telling you where it's going.

[–] MystikIncarnate@lemmy.ca 2 points 8 hours ago

Due to the limited amount of information stored in QR codes, it's generally a shortened URL, so usually that doesn't tremendously help at informing where you are supposed to end up.

If you're trying to do something unique, that you don't normally do, which IMO is the entire use-case of QR codes (go here to do the thing), and you're expecting.... Say, a website for paying for parking, then.... It wouldn't be hard for an attacker to create their own mock-up of the site, grab the URL and feed it through a shortener, and encode that into a QR code, printed on stickers, that they them plaster over the legit QR codes.

Unless you're looking at the URL, and let's face it, most people don't, the sites are similar enough that they are just handing their credit card info over to an attacker, thinking they're paying for parking.

Of course, that's just one of many examples.

Personally, I don't generally trust anything I scan. Most of the time, the QR code has a website name printed next to it, and I'll scan the QR, because if it works and goes where I want to end up, so much the better, so I will follow the link, and if it lands at any URL that isn't what is displayed on the label with the QR code, I back out and type in the URL by hand.

I expect exactly zero users to have the same caution and attention to detail.

[–] helpImTrappedOnline@lemmy.world 30 points 1 day ago* (last edited 1 day ago) (1 children)

Find yourself a QR scanner that gives you a preview of what the code is before sending you to the open web.

I like this one, found it on F-droid. "QR Scanner (PFA)" https://github.com/SecUSo/privacy-friendly-qr-scanner

For example, the QR code sirico@feddit.uk posted (it can scan from a saved picture too) shows me this;

[–] yonder@sh.itjust.works 11 points 1 day ago (2 children)

Wait, do normie phone, just, instantly open an untrusted website? The camera on LineageOS has a "scan" mode where it shows the data of scanned QR codes before you make an action.

[–] helpImTrappedOnline@lemmy.world 7 points 1 day ago* (last edited 20 hours ago) (1 children)

Yup, modern security at its finest. Normie's don't stand a chance.

I wish email clients would do something similar, especially for Formatted links.

Open up a big popup that shows the full sender address, the full link, and underline/color any numbers so its clear AMAZ0N.com is b.s.

[–] Gobbel2000@programming.dev 1 points 19 hours ago

FairEmail for Android shows a popup with the actual link.

[–] Maggoty@lemmy.world 9 points 1 day ago* (last edited 1 day ago)

They show you a tiny pop up with some of the URL. Not all of it. You click that and it goes right to it.

[–] baggins@lemmy.ca 53 points 2 days ago* (last edited 2 days ago) (6 children)

How would you make an arbitrary QR code have a verifiable signature?

[–] vaguerant@fedia.io 56 points 2 days ago (5 children)

I can see a system where you have to scan the QR code in a specific app for that purpose (e.g. a dedicated QR code payment app which approved businesses sign up to, which either includes or remotely queries a database of valid endpoints). At that point though, where you're requiring a dedicated app anyway, you may as well invent your own 2D code system with blackjack, hookers and signing. But yeah, I don't understand how this would work otherwise. QR codes just aren't made for security. They shouldn't be used anywhere security is required.

[–] umbrella@lemmy.ml 21 points 1 day ago

no, please dont give more leverage for these people to put more invasive apps on my phone

[–] Dave@lemmy.nz 24 points 2 days ago* (last edited 2 days ago) (2 children)

QR codes just aren't made for security. They shouldn't be used anywhere security is required.

I get what you're saying but it's at least a little bit funny that they are regularly used for security in the form of scan to login (e.g. Steam), verify your session (e.g. Matrix), etc. Of course these are in a closed ecosystem so the QR code itself is not the security. But I just found it funny you said that when 90% of my QR code usage is for security.

[–] rockerface@lemm.ee 23 points 2 days ago (1 children)

I mean, generating a one time QR code for login is one thing. It's the equivalent of a one time password. But a permanent QR code is not that. They still aren't inherently secure, but they can be used in situations where showing a code in plain text would be just as secure.

[–] vaguerant@fedia.io 8 points 2 days ago

Yeah, my language was overly broad. You can use QR codes as part of a system where the security is going on elsewhere, but the integrity of the QR code itself isn't something that can be relied on for security.

[–] Fiery@lemmy.dbzer0.com 7 points 2 days ago

I mean it's more like it's used to transfer small amounts of data over a visual medium in those cases. Basically just a shortcut over having to type a whole string of characters manually.

[–] mmddmm@lemm.ee 3 points 2 days ago (1 children)

Well, by using a QR code you don't have to invent your own 2D system, as blackjack and hookers aren't really necessary.

Just make your own URI protocol, and encode any signature in the link. Bonus if you can register your protocol in Android or IOS, but I don't know if this is possible.

[–] Natanael@infosec.pub 2 points 13 hours ago

Apps an indeed register URL schemes with their domain or chosen protocols to open by default on Android.

[–] baggins@lemmy.ca 1 points 2 days ago

This is how our COVID vaccination certificate QR codes worked

[–] ch00f@lemmy.world 1 points 2 days ago

Many QR codes today are designed to be scanned in a general QR app and then launch their specific app. Not sure how the markup works exactly, but I’ve seen it work like that.

[–] Asetru@feddit.org 9 points 2 days ago (1 children)

If you're running a public service, you should have a key that's trusted by a CA anyway. So why couldn't you, especially for qr codes that link to an https site, embed a signature in that qr code that verifies that the person that owns parkyourcar.com's private key also created the code you just scanned? Just like signed pdfs?

[–] themoonisacheese@sh.itjust.works 21 points 2 days ago (1 children)

Okay and what happens when I overwrite that qr code with one that points to downloadvirus.com? How is a client supposed to know that the qr code isn't supposed to be here?

[–] Bilaketari@reddthat.com 0 points 1 day ago (2 children)

Well, because it won't be signed by a trusted CA for that task. Like if CAs had a category of certificate issuance that applied here (the standardisation issue) then it would be easy to spot a fake (which wouldn't be correctly signed). Alternatively, you could take the European approach of having everything government related (like public street parking, though Europe mostly uses apps for that, not signed QR codes) rely on government entities and those in turn on a national set of government CAs.

[–] Aux@feddit.uk 2 points 1 day ago (1 children)

That doesn't make any sense. How would you know if something should or should not be signed? You wouldn't.

[–] Bilaketari@reddthat.com 1 points 19 hours ago (1 children)

If it becomes standard for public parking to be signed, everyone would know. If payment QR codes in general start being signed, your payment app might even know. Lastly there could even be signage by the code to help novices.

[–] Aux@feddit.uk 1 points 19 hours ago (1 children)

The point of a code is to not have an app in the first place. Thus there's no way to validate it.

[–] Bilaketari@reddthat.com 1 points 18 hours ago

It wouldn't need a separate app if, for instance, a standard QR payment format way created. If you just want a link to a website to pay, then naturally that would be less secure, but you could always put the URL below the QR code for redundancy (QR would only save time typing then).

[–] themoonisacheese@sh.itjust.works 1 points 1 day ago (1 children)

Very cool. Why would anyone use qr codes then? When you can just write a url and that's free

[–] Bilaketari@reddthat.com 2 points 19 hours ago (1 children)

QR codes are mostly meant to let you get an amount of info (they're mostly text-based) without having to type or enter it manually when you might make mistakes or when the process is just faster for the amount of text involved.

[–] themoonisacheese@sh.itjust.works 2 points 14 hours ago

Yeah, I know. Why would anyone ever use them if creating one required a certificate? If the certificate was so cheap as to not be an obstacle then it wouldn't be a deterrent to malicious replacement of codes either.

[–] 0tan0d@lemmy.world 2 points 2 days ago (1 children)

Just pay a public CA everytime you make one /s

[–] Bilaketari@reddthat.com 2 points 1 day ago

You pay CAs for certificate issuance, not for signing. You could sign all the QR codes in a city with a single CA-issued certificate as long as the standards for it were all accepted.

load more comments (3 replies)
[–] Korhaka@sopuli.xyz 28 points 2 days ago (2 children)

I remember thinking this years ago when I saw a QR code for paying for parking. I don't want to buy a printer though, otherwise I would have printed one to link here.

[–] fin@sh.itjust.works 51 points 2 days ago (3 children)

Nice try.

[–] Korhaka@sopuli.xyz 18 points 2 days ago (1 children)

I just like his music

[–] Mothra@mander.xyz 7 points 2 days ago

Me too I actually like getting rickrolled

[–] gothic_lemons@lemmy.world 6 points 1 day ago (1 children)

What app you using that gave you that preview?

[–] fin@sh.itjust.works 6 points 1 day ago

Voyager (wefwef). Great app. Just realized they've got newer link

https://vger.app/

[–] criitz@reddthat.com 4 points 2 days ago (2 children)

What app is that?

[–] fin@sh.itjust.works 1 points 2 days ago

It's Voyager (formerly wefwef). It's a Lemmy clone of Apollo but also works on Android which is pretty cool

http://wefwef.app/

[–] AtariDump@lemmy.world 4 points 1 day ago (1 children)

gXcQ - link stays blue.

[–] Ifeelya@lemmy.world 4 points 1 day ago

XcQ - no click for you.

[–] pantyhosewimp@lemmynsfw.com 6 points 1 day ago

An oldie but a goodie:

https://wtfqrcodes.tumblr.com/

[–] sirico@feddit.uk 3 points 2 days ago (1 children)

load more comments
view more: next ›