
I'm looking forward to 20 years from now when all QR codes have to be digitally signed to be valid, and the digital signature must be authorized by a certificate authority in your phone.


And what would the benefit be from that?

That is how HTTPS works today, and does not protect you against phishing at all.


Maybe if the QR reader gave you the CN and domain of the certificate so you at least knew who signed it.

You scan your bus stop and it says "Verified Signed by City, County Bus service" instead of "anonymous asshole".

Not perfect, but it at least gives the users a chance unlike the blind redirect situation we have now.


Signed by "Mobile Transportation Services inc."


Having just navigated through a bunch of forms on my council's website, I can verify that the following people are all on certificates at different points:

* a freelance web dev
* two design agencies
* nobody (plain Let's Encrypt)
* a payments middle man company (stylised like "EZ pay")
* the council themselves (on the confirmation pages...)

So I would hazard a guess that "Mobile Transportation Services inc." is a little too sensible to be trustworthy...


This sounds just like EV certificates, and they have not been shown to work very well.

(There have been many articles explaining why, here is one: https://www.troyhunt.com/extended-validation-certificates-ar... )


"Vеrifiеd Signеd Ву Citу, сountу Вus sеrviсе"

Paste that string into google, and tell me if you get the results you expect. You'll get a lot of Russian. Think people might go for that? There was an attack a while back where bad guys registered "adoḅe.com" and distributed malware. EV doesn't work.


Then you'll get "Verified Signed by Citÿ, County Bus service"
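An added example, not written by any commenter in this thread: a check a QR reader or certificate viewer could run on a signer display name before showing it, covering both the Cyrillic look-alike string and the "Citÿ" variant quoted above. The function names, the finding labels and the assumption that the user expects Latin script are all hypothetical, the sample strings are constructed with explicit escapes, and script detection from Unicode character names is a heuristic because the Python standard library has no Script property.

```python
import unicodedata

# Constructed samples. SPOOF mixes Cyrillic IE (U+0435), VE (U+0412), U (U+0443)
# into Latin words, as in the look-alike string discussed above.
CLEAN = "Verified Signed by City, County Bus service"
SPOOF = "V\u0435rifi\u0435d Sign\u0435d \u0412\u0443 City"
DIACRITIC = "Signed by Cit\u00ff"


def scripts_in(word):
    """Return the set of scripts used by the letters of `word`.

    Heuristic: the first token of the Unicode character name
    ("LATIN", "CYRILLIC", "GREEK", ...) stands in for the script.
    """
    found = set()
    for ch in word:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def audit_label(label, expected_script="LATIN"):
    """Return (word, finding, scripts) tuples for words that deserve a warning.

    mixed-script     : letters from more than one script in a single word
    unexpected-script: whole word in a script other than the expected one
    non-ascii        : expected script but with non-ASCII letters; often
                       legitimate, so a UI hint rather than a rejection
    """
    findings = []
    for word in label.split():
        scripts = scripts_in(word)
        if len(scripts) > 1:
            findings.append((word, "mixed-script", sorted(scripts)))
        elif scripts and scripts != {expected_script}:
            findings.append((word, "unexpected-script", sorted(scripts)))
        elif any(ord(ch) > 127 for ch in word):
            findings.append((word, "non-ascii", sorted(scripts)))
    return findings


if __name__ == "__main__":
    for sample in (CLEAN, SPOOF, DIACRITIC):
        print(ascii(sample), audit_label(sample))
```

The whole-word Cyrillic "By" passes a mixed-script test on its own, which is why the expected-script comparison is needed in addition; the diacritic case stays within Latin and can only be surfaced as a hint.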


> And what would the benefit be from that?

Some assholes operating a digital signing authority get rich; good for you if you're one of them.


Sorry, I was being sarcastic.


EV would but that’s being killed off.


'cause EV didn't actually validate that, while claiming to. It was false security.


I don't. I like to be able to transfer data from my PC to my phone via QR codes; print out QR codes pointing to the latest photo album and give them to friends; finding QR links on "garage sale" signs (real thing that happened today).

Requiring signatures will likely kill those applications.


It's incorrect to assume that the existence of signature validation would kill this use-case.

Similar to how the existence of HTTPS does not kill the ability to transmit data over HTTP and visit sites with no certificate or a non-trusted certificate.

It could be as simple as a pop-up saying, "this QR code is not validated, continue anyway"?



