• gila@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    10 months ago

    My whole point is that the perfectly good extant solutions are equally flawed. QR codes don’t create a situation where e.g mimicing a website is easier. It is already easy. It is not any more difficult to mimic a website with a fake domain name purposefully named in plaintext in a way to deceive.

    Literally the only difference is you are looking at letters, which you are confident in your ability to parse, with a code which you are not. A URL being short and easy to type doesn’t make it less likely to be malicious.

    The key thing to remember is that yours, my, everyone’s assessment of perceived risk is very incomplete. Your specific comfort with plaintext is itself a potential attack vector. So an approach to privacy/security where you simply avoid all possible circumstances with any perceived risk attached to them is a shitty approach. Engaging with an acceptable risk level is the only way to teach yourself vigilance.

    People recently started seeing QR codes everywhere and feel confronted by this new reality, that’s natural. But the truth is that this is fear of QR codes is irrational where it is not reconciled with the perceived risk of generally using the internet and following links. There might be a difference in the physical characteristics of the link format, but in terms of computer security the difference doesn’t matter.

    Just because some commenters here remember seeing a CVE in 2016, or read about QRgen one time, doesn’t mean QR code protocol is inherently vulnerable. It is in fact quite ridiculous to suggest that would be the case and all the manufacturers would continue to support it.