Before WPA3 a network with no password offers less security than a network for which everybody knows the password.
In WPA3 finally the no password ("guest") case has randomly chosen keys using RFC 8110 instead of being unencrypted, so it's equivalent security to everybody knowing the password.
I agree no password is the best outcome, and WPA3 makes that finally no more dangerous than it needs to be.
I mean turn if off once guests are gone, yes it's not safe as everything on the network can be sniffed by your nosy neighbors, you can quanrentine this guest network from your ethernet to make it less revealing. It's meant to be a one-off thing to avoid hassle. Good to know they have that in WPA3.
In WPA3 the nosy neighbours can't sniff anything. If there is no password or they know it they can do an active MITM to get between users and your Access Point because it now uses a PAKE, but active attacks can be detected and would be a bit more than "nosy neighbours". If you use anything fancier than a password (including technologies like EduRoam or GovRoam, Active Directory login, whatever) any adversary has to attack that instead.
I think the OP is making a joke about the fact that some guests who get the wifi password, may spend all their time looking at their phones instead of socializing. That happens nowadays when one throws a party or movie night.
Was wondering the same. The author didn't mention the minimum required version for Android compared to IOS, so I assumed Android must have long supported it and I always just missed it.
On another note I find it quite awkward that the feature is buried in that dialog on Android. You even need to tap on the network you want to connect to when that information is already in the qr code.
I believe it's only Android 10 onwards that has the QR Code scanning feature [1][2][3] since it was added by Google in order to support the new Wi-Fi Easy Connect standard [4] (the replacement for WPS).
If, for whatever reason, you wanted to do this with older iOS you had to use a configuration profile[2]. This would be distributed as a PList that you'd link to in the QR code. Which means the device needs to be connected to a network to download it first. A captive portal could help with that, or put it on the internet maybe protected with a geofence so you're not advertising your password to the world.
Oddly the G7 Play camera just stares dumbly at the QR.
When I use a third-party reader it shows that a password containing special characters really confuses this particular notation, since colons and semicolons are also used for field delimiters. Even if I escape them when passing the argument to qrencode, the parser app stumbles on them.
I had to install Google Lens first. When I tap join network, the reply is that I have to manually join the network. This is Android 9, and is an Android One phone (yes, still on Android 9 and not even a year old).
Update: Actually it works with the build-in Camera. Point to QR, it decodes it and shows SSID and password, there's a wifi icon button, and pressing that immediately connects.
This has been a thing for longer than I can remember. Many many years, it should only depend on what your QR scanner are capable of (and that will vary since most use their default camera app for scanning QR codes and most manufacturers ship their own - but by now I hope even older phones have it).
Android 10 made som more specific features for this, such as automatically generating the QR code for others and scanning QR directly from the wifi settings.
But on other versions, it depends on the 3rd party app you use for QR code scanning. From the screenshots, it seems like certain versions of Android have this available directly from the Wi-Fi password screen, without the need for a 3rd party application.
Are you deliberately trying to be confusing? A "bundled camera" is the exact opposite of a 3rd party app. 3rd party would mean one must install it from the playstore.
I think they added the QR code Wifi URI in Android 6, it's been a while. It's mostly an issue with apps supporting it, and to be honest I can't believe it's still not a standard feature of the camera apps on all Android devices, like the iPhone does.
I used this when setting up mesh WiFi for my parents, a few years ago. I set up a guest network and a main network; the guest network had a fairly-long password, and the main network had a very-long password, both WPA2-Personal.
I put together a two-page PDF, page size about 4 inches by 6 inches. One side had the info for the main network; the other side had the info for the guest network. "the info" included the SSID, the password, and a large QR code.
I then sent the PDF to FedEx, printed on card stock, double-sided, and laminated, with instructions to cut the excess paper away before laminating. The result was a nicely-put-together "quick reference" card that my parents can use for whatever needed. If my parents get a new phone, putting it on WiFi is as simple as a QR-code scan.
That's such a better solution for guests too, I've visited many friends where I had to crawl under their desk to see the SSID and password printed on the back of the router... because they haven't changed the factory settings.
Most ISP put this kind of QR code on the provided "modem" in France with the default Wifi password of the device.
I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.
It's a fantastic way to transition from paper to bits.
Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.
Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing. And even if all that is not a problem, your QRcode scanner may not be able to understand a particular format or will read the Wifi code but just display it while it's supposed to save it as a new access point.
Are you not concerned that QR code’s are just completely opaque URLs asking to be clicked? Do you confidently click on URLs in spam emails? Of course not since we all know URLs can point to malicious payloads. So why should we love QR code’s that could just as easily do the same.
If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles.
No more than regular url written in a paper. People write them blindly anyway, they don't know what it means nor how to read it.
But QR code are not just for URL, they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.
Because urls have letters & words in english that I can read and determine if the website is authentic or not as opposed to QR code that no human can read?
Have you never come across phishing scams that looked eerily authentic only to be clued in by the fake url? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the url provided by the code (most don't) then that's a security risk
Qr code readers show you the url, you have push a button to navigate to it. So it's no different than having it copied manually.
Not that it matters much for most users, as I said earlier, they blindly type url. They have no idea what it is.
You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.
Microsoft did that research. Well, they didn't propose to kill anybody's mother but the test participants used their real bank credentials and Microsoft tested different behaviours in IE to see what would deter users from giving these credentials to a bogus site having accepted a task to log in and perform some basic operation.
Nothing.
Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.
This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.
This sounds like something which should be continuously tested, as a litmus test as to how careful people are. I don't suppose you have a link or pointed search terms for this instance?
Because urls have letters & words in english that I can read and determine if the website is authentic
You must have some super-human ability to read a computer's mind if you can grok the kind of urls that usually come in emails like https://tinyurl.com/uvc58uq
You can see what the tinyurl redirect destination URL is (value of Location response header) without also requesting that URL. Not with a typical browser configuration, but with curl or some hosted solution delivering this functionality.
Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
The QR scanning app that I use displays the URL so I can check if it looks okay, but most of them are abbreviated using services like bit.ly, so that doesn't help much. You'd have to have a UI that lets the user step through several redirections, but that would probably confuse people.
You're shifting responsibility from developers to the users. If reading a QR code triggers a bank transaction, that's an issue with the QR scanner and the banking application.
Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?
The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.
"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.
(Edit: reading your post again, I realize it might be exactly what you have in mind)
I was mostly thinking about URLs in untrusted contexts, like maybe from an ad you see on the street, that you want to screen by hand against malicious intent; not so much about things like your banking app example, which should always have some kind of confirmation anyway.
It really shouldn't matter to the browser what URL you enter. Maybe it's not the page you're looking for. But opening a website itself should cause no harm.
Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.
What I'm trying to make clear is that there is no such case where QR scanners, browsers or application may consider a safe context where the user implicitly consents with malicious actions by the QR/website/...
> It really shouldn't matter to the browser what URL you enter.
In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browers, it absolutely does matter.
Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.
Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.
I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.
I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.
Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.
Also, as to something like a javascript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most URL browser limits around 2,048 bytes.
At least bitly lets you look before you keep. Add a + to the end of any bitly URL to see where it goes, when it was created, and how many peole clicked it.
Clicking a link can't infect your computer with a virus anymore. As long as any vulnerabilities in QR scanner apps are reliably patched, it should be just as safe as clicking a link. There are zero-days, but that risk exists any time you're connected to the internet anyway.
The cost and risk of putting a sticker on a wall is much greater that that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.
plenty of scanners allow you to decode a code & show the url or whatever is encoded in it without opening the link & give you options so I wouldn't be concerned at all.
They can’t be used to encode very much data though. They wouldn’t be suitable for storing documents, but could be used to store the location of a document. I was trying to be clever once and thought I could encode X.509 certificates in QR codes. Even that much data was pushing the hard limits of what they can store, and became very hard to scan (I quickly realised this wasn’t actually very clever).
Even without the key they start to look pretty dense. You can definitely fit one in a QR code, they just start to become less reliable to scan (especially on cheap devices), and they go from looking nice to looking quite ugly. Technically most X.509 certs would have been within the limitations of QR codes (though I don’t think there is an upper bound to how large they can get), but I realized it just wasn’t fit for purpose and moved on to something else.
Are you using 8 bit encoding? An alphanumeric mode QR code containing base 64 encoded data provides less capacity. In binary mode even a 4096 bit RSA secret key fits while ECC keys produce smaller codes.
The qrencode tool has an 8 bit mode but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.
The largest QR code in the standard, "version 40" - can only store 3 kilobytes at the lowest level of error correction and 1.2 kilobytes at the highest level [1]. And that's a pretty huge QR code [2]
My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket christmas shop :)
Standardised digital receipts would be neat but, QR codes encoding the data ain't the way to go about it.
Seems like the obvious thing would be to have the QR code contain a "receipt ID" (UUID?) in a URL.
When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.
I can't imagine any decent-sized retailer isn't already maintaining records like this.
See, one of the useful properties of a paper receipt is that, once you receive it, you can be fairly confident about the ~one way you're going to lose it
1.2 kilobytes = 9.6 kilobits. If you need 61 bits per line, you’ve got enough bits for 157 lines. 393 lines if we go with 3 kilobytes. I think you may have used 61 bytes per line in your calculation rather than 61 bits.
Yes.. I had made a form that was scanned and all the metadata for the page was stored in datamatrix at the bottom.. With a laser printer and a good scanner you can reliably put a lot of data in there...
4K is around the point where some devices will start to have issues scanning. Also, crypto wallets won’t usually give you the private key, instead they’ll give you the 12 word BIP39 seed phrase which will be around 70-80 bytes.
You either use URL or custom app to scan Qrcode. You can't encode arbitrary data and expect universal reader being able to interpret it. And URL is actually good way to store small amounts of data, because you can launch web app to handle it and it's compatible with any device.
They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.
IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.
> Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing.
You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.
Huh, I had no idea there was a dedicated QR reader "app", since it's not a default icon (you have to add it from within Settings), and there's no actual app. But it's there!
Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.
Current Android WiFi list has a dedicated QR Code button next to it, so it should become more accessible in half a year when most people are on Android 10
This data [1] from google is a bit old (from May 2019), but shows about 10% on Android 9, and maybe a third on Android 8+; to get 50%+ (the common interpretation of most) you're looking at Android 7+, and that was released three years before the stats. Maybe, if uptake of 10 is as good as 7+, we'll see most people on Android being able to use this in 2022.
Project Trebble made a huge difference, and Android 9, which is one year old, is already at 48% market share. This is so much faster than older Android upgrades before it.
Stats from different places are going to show different trends. Google's stats are a lot closer to all of the Android market than PornHub's. It's unfortunate that Google is slow to update. But it might be interesting to look at trends in PornHub's data, if they provide it over multiple years.
> Unfortunately most users have no idea what it is.
In the west, yes, it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use qr codes all the time. A huge divide.
But it makes rather confusing on how to connect it on an e.g. laptop without having to scan the QR code with the mobile device first. If the password is 63-char length, typing it wouldn't be 'quick'.
There should be a laptop app which can import a QR code picture from a file. Most of the laptops also have a webcam nowadays, perhaps it could be used too.
I have an NFC card that contains the connection information with the QR code and plain text credentials taped to it. Even less devices support that, but when they do you don't even have to open an app. Just tap and you're in.
Very neat! However, IMHO 63 characters is a bit much for the password.
”If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient.”
A friend has a ~32 character camel case phrase as his WiFi password.. just a nightmare for people to type on their phones. iOS’s “share pass with contact” helps but every once in awhile someone has to spend 10 minutes trying to get a password to work. So silly.
A 63 character password with ten dictionary words is on average much easier to type than a 16 character random ASCII printable string, especially on phone keyboards.
Your math is off. Even if you take the 11-bit estimate (if you use something like diceware you get 13 bits), 10 words give you 110 bits. Meanwhile there are 95 ASCII printables, 16 of them give you a maximum of 105 bits, and usually people don’t use the full range (ambiguity, especially painful to type, etc.) & don’t generate a uniformly random string, which means you’re getting fewer than that. Even 95 is an optimistic estimate.
I said "might be", and someone might estimate a word to have 10 bits of entropy. And you previously said dictionary words, not random dictionary words, so a human choosing those words might choose words that relate to each other.
For those concerned about entering your network info into an online qr tool, some time ago I attempted a minimal JS and transparent site for generating these codes (https://github.com/jamsinclair/wifiqr).
Or I suppose just use the cli tools, as mentioned, for extra safety...
Arguably it is easier to verify that a webapp is not sending the data to a 3rd party, than it is to verify that the CLI tool doesn't (easy network inspection from the developer tools).
I don't think it is that problematic to put your WiFi credentials to a random website, since the possibility of the creator is a scammer AND lives near enough to you so it can exploits that fact is really small.
However sure, having the piece of mind that this will not happen may still make it more worth it do it yourself.
I have hereby been whooshed, though in my defense I have a guest-only, throttled and isolated wifi network so the potential for misuse didn't occur to me.
I have exactly the same. I don't want the entire world to use it though, as it still uses my broadband connection, which contains my external IPv4 address. I guess I should tunnel it over a VPN instead.
Did something similar for my roommates recently. We have no printer in our flat, so I grabbed a piece of graph paper, redrew the QR code and taped it onto the fridge. Now our guests can simply scan the picture instead of strenuously rewriting the complicated password.
What's the problem with using a long but humanly readable password, like several concatenated words? It's not like you are trying to protect against large scale attacks.
Remember to URL encode the SSID en PASSWORD if you have any characters that can't go into a URL. (Also, you have to trust Google to not store that URL anywhere)
This is interesting, however my main problem with really long Wi-Fi password are devices that have bad ways to input text. Things like media box using a remote controller or a video game console using it's controller.
WPS was born to fix this, however the specification is so broken that it is literally useless from a secure standpoint.
Or when you setup a new apple computer, you have to enter the wifi password without being able to see what you type, without being sure it is the right casing, and if you are not in the US without being sure you are using the right keyboard layout in the first place (the is no opportunity to type something else in a clear text box before that step).
When a friend tried to connect to a new network on their MacBook, a second friend with an iPad got a pop-up that such-and-such was attempting to connect to their network, and if they wanted to share connection details. One click and they were in.
On some devices it may be easier to enter a long password from a restricted character set than to enter a shorter password from a richer set.
For example, I've seen TVs that allow using a numeric keypad on the remote for entering digits in text and password fields, and require use of a clumsy on-screen keyboard for entering letters or punctuation. The on-screen keyboard is navigated with the up/down/left/right/ENTER buttons on the remote, and might have multiple shift states for case and punctuation requiring navigating to and pressing a shift key whenever the password has adjacent characters that need different shift states.
On such a TV, I'd rather enter a 39 character all numeric password than a 22 character alphanumeric password. Entering 39 characters on a hardware numeric keypad is way faster and way less error prone.
if the on-screen keyboard even has all the characters needed.
when we got new internet in our previous home i was forced to change our password that everyone had already set from previous use, because the new configuration interface didn't allow spaces. so i used underscores. then family visited and they had a tablet with a keyboard that didn't have underscores.
I can attest to the usefulness of this. I have a similar thing set up on my iPhone via the Shortcuts app and it's been quite nice to share my long password without worrying about the hassle of spelling it out. Here's the Shortcut, in case anyone wants to try it out: https://www.icloud.com/shortcuts/681b4f7b030543b79ab7de6afa3...
If you choose to put a WiFi password up on a sign as a QR code, do not post it in view of a window. Passers-by should not be able to connect to your network from outside your home or office. This advice also applies to plain text passwords posted on signs.
The Owlet baby monitor does this. When you need to connect it to WiFi you give the app the creds and then it generates a QR code. Then you hold it in front of the camera to scan.
A secure random WiFi password in a QR code is great for Android and iOS, and the laptops/desktops that can sync their password database with them over Bluetooth.
But what about all those other random WiFi devices? I don’t relish the thought of entering 63 characters into my printer’s goofy interface, a games console, my car, etc...
Every tesla car has a sim card and data connection that is used to connect to a vpn that high enough level engineers can use to run ssh commands directly on every tesla car at once or even target certain ones.
Once I noticed Android supported QR scanning to connect to WiFi natively, I started implementing this at my hotels - I wish all businesses did the same.
I do this in our house and it works great. I discovered one flaw though. When I say scan the QRCode I am immediately told “i don’t knows how” Or asked “the what?” Or disapproved of with “I hate those things.”
Fun fact no one has ever actually scanned the code... ever! Maybe if I was a cafe but not for house guests.
Instead of "scan" have you tried telling people to point their phone's camera at it?
"Scan" sounds to them like some separate action that they would need to know how to do. But at least on iOS all it takes is opening the camera and pointing it at the code - you get a pop up notification asking you to join the network.
I bet people know how to point the camera at something even if they don't think they know how to scan it.
233 comments
[ 3.5 ms ] story [ 263 ms ] threadIn WPA3 finally the no password ("guest") case has randomly chosen keys using RFC 8110 instead of being unencrypted, so it's equivalent security to everybody knowing the password.
I agree no password is the best outcome, and WPA3 makes that finally no more dangerous than it needs to be.
On another note I find it quite awkward that the feature is buried in that dialog on Android. You even need to tap on the network you want to connect to when that information is already in the qr code.
On my OnePlus 6T the scan QR code button [1] is next to 'Add network' so you don't have to select the Wi-Fi network first.
[1] https://i.imgur.com/qTicNpI.png
[1] https://9to5google.com/2019/03/13/android-q-wi-fi-sharing-qr...
[2] https://www.androidpolice.com/2019/09/12/every-new-android-1...
[3] https://www.androidpolice.com/2019/06/10/android-qs-wi-fi-ea...
[4] https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect
https://play.google.com/store/apps/details?id=com.google.zxi...
If, for whatever reason, you wanted to do this with older iOS you had to use a configuration profile[2]. This would be distributed as a PList that you'd link to in the QR code. Which means the device needs to be connected to a network to download it first. A captive portal could help with that, or put it on the internet maybe protected with a geofence so you're not advertising your password to the world.
[1] https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-n...
[2] https://developer.apple.com/business/documentation/Configura...
When I use a third-party reader it shows that a password containing special characters really confuses this particular notation, since colons and semicolons are also used for field delimiters. Even if I escape them when passing the argument to qrencode, the parser app stumbles on them.
Update: Actually it works with the build-in Camera. Point to QR, it decodes it and shows SSID and password, there's a wifi icon button, and pressing that immediately connects.
Android 10 made som more specific features for this, such as automatically generating the QR code for others and scanning QR directly from the wifi settings.
The 3rd party application usually is just your bundled camera app.
Almost every manufacturer ships their own camera app so it is hard to know what features are present given a certain Android phone.
https://f-droid.org/en/packages/de.markusfisch.android.binar...
I have Android 8.1.0 (LineageOS 15.1), and a generic 'barcode reader' app (https://play.google.com/store/apps/details?id=com.google.zxi...) and it works just fine.
Open the barcode scanner app, scan QR code, and it says "Requesting access to network'
Bonus: I can also share my WiFi settings by opening a QR code on my phones display.
I put together a two-page PDF, page size about 4 inches by 6 inches. One side had the info for the main network; the other side had the info for the guest network. "the info" included the SSID, the password, and a large QR code.
I then sent the PDF to FedEx, printed on card stock, double-sided, and laminated, with instructions to cut the excess paper away before laminating. The result was a nicely-put-together "quick reference" card that my parents can use for whatever needed. If my parents get a new phone, putting it on WiFi is as simple as a QR-code scan.
I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.
It's a fantastic way to transition from paper to bits.
Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.
Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing. And even if all that is not a problem, your QRcode scanner may not be able to understand a particular format or will read the Wifi code but just display it while it's supposed to save it as a new access point.
It's definitely not a solved problem.
If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles.
But QR code are not just for URL, they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.
Have you never come across phishing scams that looked eerily authentic only to be clued in by the fake url? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the url provided by the code (most don't) then that's a security risk
Not that it matters much for most users, as I said earlier, they blindly type url. They have no idea what it is.
You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.
Nothing.
Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.
This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.
You must have some super-human ability to read a computer's mind if you can grok the kind of urls that usually come in emails like https://tinyurl.com/uvc58uq
Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?
The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.
"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.
(Edit: reading your post again, I realize it might be exactly what you have in mind)
Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.
What I'm trying to make clear is that there is no such case where QR scanners, browsers or application may consider a safe context where the user implicitly consents with malicious actions by the QR/website/...
In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browers, it absolutely does matter.
Worked great for me on my last phone, and peace of mind knowing you aren’t being tracked.
Available to download on fdroid or the play store.
https://github.com/SecUSo
Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.
I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.
I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.
Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.
Also, as to something like a javascript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most URL browser limits around 2,048 bytes.
This is functionally the same as hovering over links in emails, which is the context in which I made my comment.
Nope. I go to the sender's URL manually and look for what it is they sent an email about.
The cost and risk of putting a sticker on a wall is much greater that that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.
The qrencode tool has an 8 bit mode but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.
I've sent patches to ZBar improving this:
https://github.com/mchehab/zbar/pull/64
Hopefully it will make QR codes more useful for storing keys and other small files.
Forms and legal documents should all have an immutable official url and uuid anyway to point to their legal and administrative context.
My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket christmas shop :)
Standardised digital receipts would be neat but, QR codes encoding the data ain't the way to go about it.
[1] https://www.qrcode.com/en/about/version.html [2] https://commons.wikimedia.org/wiki/File:Qr-code-ver-40.svg
When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.
I can't imagine any decent-sized retailer isn't already maintaining records like this.
That would be a neat way of exchanging a key.
If you use a crypto atm it will print out your wallet’s private and sometimes public keys as QR codes.
They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.
IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.
You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.
Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.
In my opinion, the ability to use the native camera app to read a QR code significantly reduces the barriers-to-read for general users
Nowadays it seems anything that can do something FOR you usually does something TO you.
[1] https://developer.android.com/about/dashboards/
Source: https://www.androidpolice.com/2019/12/18/pornhub-does-what-g...
In the west, yes, it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use qr codes all the time. A huge divide.
The ones you download from e-government in Turkey have QR codes. I think other e-documents have QR code too. You can validate them by using https://play.google.com/store/apps/details?id=tr.gov.turkiye...
But it makes rather confusing on how to connect it on an e.g. laptop without having to scan the QR code with the mobile device first. If the password is 63-char length, typing it wouldn't be 'quick'.
”If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient.”
Source: https://security.stackexchange.com/questions/15653/recommend...
It’s funny that friend goes to the effort of a super long password, but then lets people connect to it.
Or I suppose just use the cli tools, as mentioned, for extra safety...
Arguably it is easier to verify that a webapp is not sending the data to a 3rd party, than it is to verify that the CLI tool doesn't (easy network inspection from the developer tools).
However sure, having the piece of mind that this will not happen may still make it more worth it do it yourself.
Painted as in with a brush and paint, it was a bit of work, but now it's both pragmatic and pretty :)
If people want anonymous WiFi for nefarious purposes they can go to a cafe.
Who cares if my neighbors or people walking by can use it?
An it's not like I'm publicly advertising :)
https://chart.googleapis.com/chart?chs=120x120&cht=qr&chl=WI...
Remember to URL encode the SSID en PASSWORD if you have any characters that can't go into a URL. (Also, you have to trust Google to not store that URL anywhere)
You also have to trust Google to still be operating the service by the time you come to use it.
https://qifi.org/
(as do apple btw.)
[1] https://support.apple.com/en-us/HT202303
WPS was born to fix this, however the specification is so broken that it is literally useless from a secure standpoint.
Creepy, but convenient.
You have to be shared contacts, have Bluetooth and wireless on. There might be others that I don’t remember
https://www.zdnet.com/article/apples-awdl-protocol-plagued-b...
For example, I've seen TVs that allow using a numeric keypad on the remote for entering digits in text and password fields, and require use of a clumsy on-screen keyboard for entering letters or punctuation. The on-screen keyboard is navigated with the up/down/left/right/ENTER buttons on the remote, and might have multiple shift states for case and punctuation requiring navigating to and pressing a shift key whenever the password has adjacent characters that need different shift states.
On such a TV, I'd rather enter a 39 character all numeric password than a 22 character alphanumeric password. Entering 39 characters on a hardware numeric keypad is way faster and way less error prone.
when we got new internet in our previous home i was forced to change our password that everyone had already set from previous use, because the new configuration interface didn't allow spaces. so i used underscores. then family visited and they had a tablet with a keyboard that didn't have underscores.
Well that’s surprising and nice.
NFC stickers cost approximately nothing, and you can program them using an app on your phone.
But what about all those other random WiFi devices? I don’t relish the thought of entering 63 characters into my printer’s goofy interface, a games console, my car, etc...
You know nothing john snow.
Tesla already has a “Allow remote access” toggle, which defaults to OFF, that prevents you from connecting to it via the app etc.
(Whether this fully prevents Tesla connecting to it remotely, I’m not so sure...)
Fun fact no one has ever actually scanned the code... ever! Maybe if I was a cafe but not for house guests.
"Scan" sounds to them like some separate action that they would need to know how to do. But at least on iOS all it takes is opening the camera and pointing it at the code - you get a pop up notification asking you to join the network.
I bet people know how to point the camera at something even if they don't think they know how to scan it.
qr some text
https://duckduckgo.com/?q=qr+hi+there&ia=answer
I think I'll start using this a lot!