this post was submitted on 14 Mar 2025
485 points (98.6% liked)

[–] baggins@lemmy.ca 53 points 1 year ago* (last edited 1 year ago) (6 children)

How would you make an arbitrary QR code have a verifiable signature?

[–] vaguerant@fedia.io 59 points 1 year ago (5 children)

I can see a system where you have to scan the QR code in a specific app for that purpose (e.g. a dedicated QR code payment app which approved businesses sign up to, which either includes or remotely queries a database of valid endpoints). At that point though, where you're requiring a dedicated app anyway, you may as well invent your own 2D code system with blackjack, hookers and signing. But yeah, I don't understand how this would work otherwise. QR codes just aren't made for security. They shouldn't be used anywhere security is required.

[–] Dave@lemmy.nz 23 points 1 year ago* (last edited 1 year ago) (2 children)

> QR codes just aren't made for security. They shouldn't be used anywhere security is required.

I get what you're saying but it's at least a little bit funny that they are regularly used for security in the form of scan to login (e.g. Steam), verify your session (e.g. Matrix), etc. Of course these are in a closed ecosystem so the QR code itself is not the security. But I just found it funny you said that when 90% of my QR code usage is for security.

[–] rockerface@lemm.ee 23 points 1 year ago (1 children)

I mean, generating a one time QR code for login is one thing. It's the equivalent of a one time password. But a permanent QR code is not that. They still aren't inherently secure, but they can be used in situations where showing a code in plain text would be just as secure.

[–] vaguerant@fedia.io 8 points 1 year ago

Yeah, my language was overly broad. You can use QR codes as part of a system where the security is going on elsewhere, but the integrity of the QR code itself isn't something that can be relied on for security.

[–] Fiery@lemmy.dbzer0.com 7 points 1 year ago

I mean it's more like it's used to transfer small amounts of data over a visual medium in those cases. Basically just a shortcut over having to type a whole string of characters manually.

[–] umbrella@lemmy.ml 21 points 1 year ago

no, please don't give more leverage for these people to put more invasive apps on my phone

[–] mmddmm@lemm.ee 3 points 1 year ago (1 children)

Well, by using a QR code you don't have to invent your own 2D system, as blackjack and hookers aren't really necessary.

Just make your own URI protocol, and encode any signature in the link. Bonus if you can register your protocol in Android or iOS, but I don't know if this is possible.

[–] Natanael@infosec.pub 2 points 1 year ago

Apps can indeed register URL schemes with their domain or chosen protocols to open by default on Android.

[–] ch00f@lemmy.world 1 points 1 year ago

Many QR codes today are designed to be scanned in a general QR app and then launch their specific app. Not sure how the markup works exactly, but I've seen it work like that.

[–] baggins@lemmy.ca 1 points 1 year ago

This is how our COVID vaccination certificate QR codes worked

[–] Asetru@feddit.org 9 points 1 year ago (1 children)

If you're running a public service, you should have a key that's trusted by a CA anyway. So why couldn't you, especially for qr codes that link to an https site, embed a signature in that qr code that verifies that the person that owns parkyourcar.com's private key also created the code you just scanned? Just like signed pdfs?

[–] themoonisacheese@sh.itjust.works 21 points 1 year ago (9 children)

Okay and what happens when I overwrite that qr code with one that points to downloadvirus.com? How is a client supposed to know that the qr code isn't supposed to be here?

[–] 0tan0d@lemmy.world 2 points 1 year ago (1 children)

Just pay a public CA every time you make one /s

[–] Bilaketari@reddthat.com 2 points 1 year ago

You pay CAs for certificate issuance, not for signing. You could sign all the QR codes in a city with a single CA-issued certificate as long as the standards for it were all accepted.

[–] helpImTrappedOnline@lemmy.world 32 points 1 year ago* (last edited 1 year ago) (1 children)

Find yourself a QR scanner that gives you a preview of what the code is before sending you to the open web.

I like this one, found it on F-droid. "QR Scanner (PFA)" https://github.com/SecUSo/privacy-friendly-qr-scanner

For example, the QR code sirico@feddit.uk posted (it can scan from a saved picture too) shows me this;

[–] yonder@sh.itjust.works 12 points 1 year ago (2 children)

Wait, do normie phones, just, instantly open an untrusted website? The camera on LineageOS has a "scan" mode where it shows the data of scanned QR codes before you make an action.

[–] Maggoty@lemmy.world 9 points 1 year ago* (last edited 1 year ago)

They show you a tiny pop up with some of the URL. Not all of it. You click that and it goes right to it.

[–] helpImTrappedOnline@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (1 children)

Yup, modern security at its finest. Normies don't stand a chance.

I wish email clients would do something similar, especially for Formatted links.

Open up a big popup that shows the full sender address, the full link, and underline/color any numbers so it's clear AMAZ0N.com is b.s.

[–] Gobbel2000@programming.dev 1 points 1 year ago

FairEmail for Android shows a popup with the actual link.

[–] Korhaka@sopuli.xyz 28 points 1 year ago (2 children)

I remember thinking this years ago when I saw a QR code for paying for parking. I don't want to buy a printer though, otherwise I would have printed one to link here.

[–] fin@sh.itjust.works 51 points 1 year ago (3 children)
[–] Korhaka@sopuli.xyz 18 points 1 year ago (1 children)
[–] Mothra@mander.xyz 7 points 1 year ago

Me too I actually like getting rickrolled

[–] gothic_lemons@lemmy.world 6 points 1 year ago (1 children)

What app you using that gave you that preview?

[–] fin@sh.itjust.works 6 points 1 year ago

Voyager (wefwef). Great app. Just realized they've got a newer link

https://vger.app/

[–] criitz@reddthat.com 4 points 1 year ago (2 children)
[–] fin@sh.itjust.works 1 points 1 year ago

It's Voyager (formerly wefwef). It's a Lemmy clone of Apollo but also works on Android which is pretty cool

http://wefwef.app/

[–] AtariDump@lemmy.world 4 points 1 year ago (1 children)
[–] Ifeelya@lemmy.world 4 points 1 year ago

XcQ - no click for you.

[–] MystikIncarnate@lemmy.ca 9 points 1 year ago (1 children)

For some reason this didn't really occur to me.

I don't see QR codes as a potential attack vector... At least, I didn't.... Until now.

It's weird because I'm usually the one pointing out issues with everyone else's plans.... I didn't realize I still had blind spots on this. Oh well, I'm only human.

[–] Kolanaki@pawb.social 4 points 1 year ago* (last edited 1 year ago) (1 children)

It's not like the code will straight up send money somewhere the moment you scan it. Can they even do more than open an app or a website? The default scanner with my Pixel doesn't even open it without first telling you where it's going.

[–] MystikIncarnate@lemmy.ca 2 points 1 year ago

Due to the limited amount of information stored in QR codes, it's generally a shortened URL, so usually that doesn't tremendously help at informing where you are supposed to end up.

If you're trying to do something unique, that you don't normally do, which IMO is the entire use-case of QR codes (go here to do the thing), and you're expecting.... Say, a website for paying for parking, then.... It wouldn't be hard for an attacker to create their own mock-up of the site, grab the URL and feed it through a shortener, and encode that into a QR code, printed on stickers, that they then plaster over the legit QR codes.

Unless you're looking at the URL, and let's face it, most people don't, the sites are similar enough that they are just handing their credit card info over to an attacker, thinking they're paying for parking.

Of course, that's just one of many examples.

Personally, I don't generally trust anything I scan. Most of the time, the QR code has a website name printed next to it, and I'll scan the QR, because if it works and goes where I want to end up, so much the better, so I will follow the link, and if it lands at any URL that isn't what is displayed on the label with the QR code, I back out and type in the URL by hand.

I expect exactly zero users to have the same caution and attention to detail.
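
An added example (not any commenter's code and not taken from a scanner app) of the check discussed in this thread: compare the decoded link with the domain printed beside the code, and flag shorteners, text before an `@`, and digits in the hostname. The function names, the shortener list and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example; a real scanner would maintain its own list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def mark_digits(host):
    """Bracket every digit so a swap like 0-for-o stands out in the preview."""
    return "".join(f"[{c}]" if c.isdigit() else c for c in host)


def vet_qr_payload(payload, printed_domain):
    """Return warnings for a decoded QR payload; an empty list means the link
    points at the domain printed next to the code (or a subdomain of it)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError as exc:
        return [f"not a parseable URL: {exc}"]
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    host = (parts.hostname or "").rstrip(".").lower()
    expected = printed_domain.strip().rstrip(".").lower()
    if parts.username or parts.password:
        warnings.append(f"text before '@' is not the host; real host is {host!r}")
    if host in SHORTENERS:
        warnings.append(f"{host} is a URL shortener; destination is hidden")
    elif host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} does not match printed {expected!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains punycode (possible lookalike letters)")
    if any(c.isdigit() for c in host):
        warnings.append("host contains digits: " + mark_digits(host))
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, checked against the domain on the sign.
    for url in ("https://parkyourcar.com/lot/12",
                "https://bit.ly/abc",
                "https://parkyourcar.com@downloadvirus.com/pay",
                "https://AMAZ0N.com/"):
        print(url, "->", vet_qr_payload(url, "parkyourcar.com") or "ok")
```

A shortened link is flagged rather than resolved, so the destination still has to be checked after the redirect.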

[–] sirico@feddit.uk 3 points 1 year ago (1 children)