Comic Strips

15109 readers

3682 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

The post can be a single image, an image gallery, or a link to a specific comic hosted on another site (the author's website, for instance).
The comic must be a complete story.
If it is an external link, it must be to a specific story, not to the root of the site.
You may post comics from others or your own.
If you are posting a comic of your own, a maximum of one per week is allowed (I know, your comics are great, but this rule helps avoid spam).
The comic can be in any language, but if it's not in English, OP must include an English translation in the post's 'body' field (note: you don't need to select a specific language when posting a comic).
Politeness.
Adult content is not allowed. This community aims to be fun for people of all ages.

Web of links

!linuxmemes@lemmy.world: "I use Arch btw"
!memes@lemmy.world: memes (you don't say!)

founded 2 years ago

MODERATORS

lawrence@lemmy.world

432

Quishing (discuss.tchncs.de)

submitted 1 day ago by noerdman@discuss.tchncs.de to c/comicstrips@lemmy.world

46 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] baggins@lemmy.ca 50 points 1 day ago* (last edited 1 day ago) (23 children)

How would you make an arbitrary QR code have a verifiable signature?

[–] Asetru@feddit.org 8 points 1 day ago (8 children)

If you're running a public service, you should have a key that's trusted by a CA anyway. So why couldn't you, especially for qr codes that link to an https site, embed a signature in that qr code that verifies that the person that owns parkyourcar.com's private key also created the code you just scanned? Just like signed pdfs?

[–] themoonisacheese@sh.itjust.works 20 points 1 day ago (7 children)

Okay and what happens when I overwrite that qr code with one that points to downloadvirus.com? How is a client supposed to know that the qr code isn't supposed to be here?

[–] Bilaketari@reddthat.com 0 points 14 hours ago (2 children)

Well, because it won't be signed by a trusted CA for that task. Like if CAs had a category of certificate issuance that applied here (the standardisation issue) then it would be easy to spot a fake (which wouldn't be correctly signed). Alternatively, you could take the European approach of having everything government related (like public street parking, though Europe mostly uses apps for that, not signed QR codes) rely on government entities and those in turn on a national set of government CAs.

[–] Aux@feddit.uk 1 points 9 hours ago (1 children)

That doesn't make any sense. How would you know if something should or should not be signed? You wouldn't.

[–] Bilaketari@reddthat.com 1 points 2 hours ago (1 children)

If it becomes standard for public parking to be signed, everyone would know. If payment QR codes in general start being signed, your payment app might even know. Lastly there could even be signage by the code to help novices.

[–] Aux@feddit.uk 1 points 2 hours ago (1 children)

The point of a code is to not have an app in the first place. Thus there's no way to validate it.

[–] Bilaketari@reddthat.com 1 points 1 hour ago

It wouldn't need a separate app if, for instance, a standard QR payment format way created. If you just want a link to a website to pay, then naturally that would be less secure, but you could always put the URL below the QR code for redundancy (QR would only save time typing then).

[–] themoonisacheese@sh.itjust.works 1 points 9 hours ago (1 children)

Very cool. Why would anyone use qr codes then? When you can just write a url and that's free

[–] Bilaketari@reddthat.com 1 points 2 hours ago

QR codes are mostly meant to let you get an amount of info (they're mostly text-based) without having to type or enter it manually when you might make mistakes or when the process is just faster for the amount of text involved.

load more comments (4 replies)

load more comments (18 replies)