
It's only helpful if you know what to expect.

As a side effect of adtech and surveillance mania infecting everything, URLs in QR codes are likely to be either semirandom strings with tracking IDs, or links to URL shorteners that expand to such semirandom strings with tracking IDs. Either is very trivial to spoof with a similar-looking malicious URL.



It's the same with or without the QR code.

Say you're at the bus stop and want to check upcoming buses (real stuff in the place where I live).

The bus company could either slap on a QR code, or a "bit.ly/bus-stop-1234" URL. And someone could paste over it an "evil.com/bus-stop-1234".

Hint: use Firefox Focus as your default handler for URLs on your mobile phone. It clears all history and cookies after each usage, which is perfect for opening unknown URLs.


I'm looking forward to 20 years from now when all QR codes have to be digitally signed to be valid, and the digital signature must be authorized by a certificate authority in your phone.


And what would the benefit be from that?

That is how HTTPS works today, and does not protect you against phishing at all.


Maybe if the QR reader gave you the CN and domain of the certificate so you at least knew who signed it.

You scan your bus stop and it says "Verified Signed by City, County Bus service" instead of "anonymous asshole".

Not perfect, but it at least gives the users a chance unlike the blind redirect situation we have now.


Signed by "Mobile Transportation Services inc."


Having just navigated through a bunch of forms on my council's website I can verify that the following people are all on certificates at different points:

* a freelance web dev
* two design agencies
* nobody (plain Let's Encrypt)
* a payments middleman company (stylised like "EZ pay")
* the council themselves (on the confirmation pages...)

So I would hazard a guess that "Mobile Transportation Services inc." is a little too sensible to be trustworthy...


This sounds just like EV certificates, and they have not been shown to work very well.

(There have been many articles explaining why, here is one: https://www.troyhunt.com/extended-validation-certificates-ar... )


"Vеrifiеd Signеd Ву Citу, сountу Вus sеrviсе"

Paste that string into Google, and tell me if you get the results you expect. You'll get a lot of Russian. Think people might go for that? There was an attack a while back where bad guys registered "adoḅe.com" and distributed malware. EV doesn't work.


Then you'll get "Verified Signed by Citÿ, County Bus service"
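As an added illustration of the two spoofed signer names quoted in the comments above (example code, not part of the thread), here is the check a QR reader could run on a claimed signer name before putting it on screen: flag any name that mixes letters from more than one script, and fold a handful of known look-alikes to ASCII so a confusable string compares equal to the name registered with the authority. The script list, the confusable table, the registered name and the sample strings are all constructed for the example; the two spoofed samples reproduce the Cyrillic variant and the "Citÿ" variant from the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Scripts told apart when checking for mixed-script names (constructed subset).
var scripts = map[string]*unicode.RangeTable{
	"Latin":    unicode.Latin,
	"Cyrillic": unicode.Cyrillic,
	"Greek":    unicode.Greek,
}

// scriptOf names the script of a letter; digits, punctuation and spaces return "".
func scriptOf(r rune) string {
	if !unicode.IsLetter(r) {
		return ""
	}
	for name, table := range scripts {
		if unicode.Is(table, r) {
			return name
		}
	}
	return "Other"
}

// ScriptsUsed returns the sorted set of letter scripts that occur in s.
func ScriptsUsed(s string) []string {
	seen := map[string]bool{}
	for _, r := range s {
		if sc := scriptOf(r); sc != "" {
			seen[sc] = true
		}
	}
	out := make([]string, 0, len(seen))
	for sc := range seen {
		out = append(out, sc)
	}
	sort.Strings(out)
	return out
}

// IsMixedScript reports whether letters from more than one script appear in s.
func IsMixedScript(s string) bool { return len(ScriptsUsed(s)) > 1 }

// confusables folds a few look-alike letters to the ASCII letter they resemble.
// Constructed, deliberately partial table; production code would load the
// Unicode confusables.txt data instead of hand-picking entries.
var confusables = map[rune]rune{
	'\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', // Cyrillic а е о р
	'\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', // Cyrillic с у х і
	'\u0412': 'B', '\u041d': 'H', '\u041a': 'K', '\u041c': 'M', // Cyrillic В Н К М
	'\u041e': 'O', '\u0420': 'P', '\u0421': 'C', '\u0422': 'T', '\u0423': 'Y', // Cyrillic О Р С Т У
	'\u00ff': 'y', // Latin ÿ
}

// Skeleton lower-cases s after folding confusables, so look-alikes compare equal.
func Skeleton(s string) string {
	var b strings.Builder
	for _, r := range s {
		if m, ok := confusables[r]; ok {
			r = m
		}
		b.WriteRune(unicode.ToLower(r))
	}
	return b.String()
}

// Verdict compares the name a QR signature claims against the name registered
// with the trusted authority and says what the reader should conclude.
func Verdict(display, registered string) string {
	switch {
	case display == registered:
		return "match"
	case IsMixedScript(display):
		return "spoof: mixed scripts"
	case Skeleton(display) == Skeleton(registered):
		return "spoof: confusable characters"
	default:
		return "unknown signer"
	}
}

// Constructed samples: the registered name, the Cyrillic look-alike quoted in the
// thread (written with escapes so the substituted letters are visible) and the ÿ variant.
const (
	Registered      = "Verified Signed by City, County Bus service"
	HomoglyphSample = "V\u0435rifi\u0435d Sign\u0435d \u0412\u0443 Cit\u0443, \u0441ount\u0443 \u0412us s\u0435rvi\u0441\u0435"
	AccentSample    = "Verified Signed by Cit\u00ff, County Bus service"
)

func main() {
	for _, s := range []string{Registered, HomoglyphSample, AccentSample, "Mobile Transportation Services inc."} {
		fmt.Printf("%-45s scripts=%v verdict=%s\n", s, ScriptsUsed(s), Verdict(s, Registered))
	}
}
```

The mixed-script test alone catches the Cyrillic string, which is why browsers apply the same rule to IDN hostnames; the "Citÿ" variant is pure Latin and only falls to the skeleton comparison, so a reader needs both checks.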


> And what would the benefit be from that?

Some assholes operating a digital signing authority get rich; good for you if you're one of them.


Sorry, I was being sarcastic.


EV would, but that's being killed off.


'cause EV didn't actually validate that, while claiming to. It was false security.


I don't. I like to be able to transfer data from my PC to my phone via QR codes; print out QR codes pointing to the latest photo album and give them to friends; find QR links on "garage sale" signs (real thing that happened today).

Requiring signatures will likely kill those applications.


It's incorrect to assume that the existence of signature validation would kill this use-case.

Similar to how the existence of HTTPS does not kill the ability to transmit data over HTTP and visit sites with no certificate or a non-trusted certificate.

It could be as simple as a pop-up saying, "this QR code is not validated, continue anyway"?
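The signed-QR scheme discussed in the comments above (a signer name the reader can display, an authority key store on the phone, and a "not validated, continue anyway" path for plain codes), as added example code that is not from the thread. It uses Ed25519 from the Go standard library; the envelope format `qrsig1|<signer>|<url>|<base64 signature>`, the signer names and the URLs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// envelopePrefix marks a signed payload. Constructed format for this example:
//   qrsig1|<signer name>|<url>|<base64 Ed25519 signature>
const envelopePrefix = "qrsig1|"

// Result is what the reader learned about one scanned code.
type Result struct {
	Status string // verified, unsigned, malformed, unknown signer, invalid signature
	Signer string
	URL    string
}

// TrustStore stands in for the authority keys a phone would ship with.
type TrustStore map[string]ed25519.PublicKey

// NewSigner creates a fresh Ed25519 key pair for a signer.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// message binds the signer name to the URL so a signature cannot be reused
// under another name. Names and URLs must not contain '|' or '\n'.
func message(signer, url string) []byte {
	return []byte(signer + "\n" + url)
}

// Sign produces the QR payload for url on behalf of signer.
func Sign(priv ed25519.PrivateKey, signer, url string) string {
	sig := ed25519.Sign(priv, message(signer, url))
	return envelopePrefix + signer + "|" + url + "|" + base64.StdEncoding.EncodeToString(sig)
}

// Verify parses scanned content and decides what the reader may claim about it.
func Verify(ts TrustStore, content string) Result {
	if !strings.HasPrefix(content, envelopePrefix) {
		// A bare URL: nothing to verify, but the code is still usable.
		return Result{Status: "unsigned", URL: content}
	}
	rest := strings.TrimPrefix(content, envelopePrefix)
	cut := strings.LastIndex(rest, "|") // signature is the last field; base64 has no '|'
	if cut < 0 {
		return Result{Status: "malformed"}
	}
	head := strings.SplitN(rest[:cut], "|", 2)
	if len(head) != 2 {
		return Result{Status: "malformed"}
	}
	signer, url := head[0], head[1]
	sig, err := base64.StdEncoding.DecodeString(rest[cut+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Result{Status: "malformed", Signer: signer, URL: url}
	}
	pub, ok := ts[signer]
	if !ok {
		// Well-formed, but signed by nobody the phone trusts.
		return Result{Status: "unknown signer", Signer: signer, URL: url}
	}
	if !ed25519.Verify(pub, message(signer, url), sig) {
		return Result{Status: "invalid signature", Signer: signer, URL: url}
	}
	return Result{Status: "verified", Signer: signer, URL: url}
}

// Prompt is the text shown before opening anything: unsigned codes get the
// "not validated, continue anyway?" path, failed checks do not open at all.
func Prompt(r Result) string {
	switch r.Status {
	case "verified":
		return fmt.Sprintf("Signed by %q. Open %s?", r.Signer, r.URL)
	case "unsigned":
		return fmt.Sprintf("This QR code is not validated. Open %s anyway?", r.URL)
	default:
		return fmt.Sprintf("Signature check failed (%s); not opening.", r.Status)
	}
}

func main() {
	pub, priv := NewSigner()
	ts := TrustStore{"City County Bus": pub} // constructed signer name
	good := Sign(priv, "City County Bus", "https://bus.example/stop/1234")
	tampered := strings.Replace(good, "bus.example", "evil.example", 1) // a sticker over the original code
	for _, c := range []string{good, tampered, "https://evil.example/stop/1234"} {
		fmt.Println(Prompt(Verify(ts, c)))
	}
}
```

The signature covers the signer name and the URL together, so a payload that keeps a real signer's name but swaps the URL fails as "invalid signature", while a payload signed by a key the store does not hold comes back as "unknown signer" rather than being displayed as trusted.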


I've also heard of QR-reader software being exploitable through QR codes that it's supposed to read.

So any time I see a QR code, I hesitate to point a reader app at it because I'm concerned that my phone could get hacked through it.


It would be really hard for a QR app to take over your phone, even if it is poorly written and gets owned. There are layers of protection below the apps on an OS like iOS. I'm not saying it's absolutely impossible, but if someone figured it out they could sell the technique for literally millions of dollars to a huge assortment of potential buyers. They probably aren't going to waste it on you.


My phone is a rooted Android phone, though.


Then don't give the QR app root.


That's the case for any software that accepts any kind of input.

Your browser, your PDF viewer, your messenger are just more popular, but not fundamentally different from a QR reader application.


Years ago, WinAmp on Windows was exploitable through a maliciously prepared .m3u playlist: a simple plain text file expected to be filled with pathnames of songs, one per line.

If you're so scared, don't browse anything with your mobile device; browsers are exploitable through pages they land on.


I don't see how it can be made less dangerous. The QR code is read and decoded to a URL. The QR code is now gone, and it is the URL that is dangerous. The URL is dangerous no matter how you got it.

On mobile devices, you can't hover the mouse pointer over a link to see where you're going. That's substantially more dangerous than a URL reader which shows you the URL.



