But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

reply
It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.
reply
No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).
reply
Right! Let me check the URL before clicking the "confirm your account" link!

https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...

Oh wait, never mind. I guess I won't be signing up for electricity, then?

Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.

If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.

reply
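The hostname confusion the comment above describes (loginto-google.com and google.com.securesigning.net are not google.com, and a homograph host hides behind look-alike glyphs) is exactly what a program, unlike a person, can check mechanically. This is an added example, not code from anyone in the thread: it extracts the registrable domain (eTLD+1) of a URL and flags punycode labels. The suffix list here is a constructed five-entry stand-in for the Public Suffix List; a real check must load the full list, and the helper names (`registrable_domain`, `same_site`, `is_homograph_candidate`) are mine.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/). A real check loads the full list; this
# subset only has to cover the hosts used in the demo below.
PUBLIC_SUFFIXES = {"com", "net", "org", "lu", "co.uk"}


def hostname_of(url: str) -> Optional[str]:
    """Lowercased host of a URL in its ASCII (IDNA/punycode) form, or None.

    Converting to ASCII makes a homograph host visible: a label that
    contains e.g. a Cyrillic letter comes back as an xn-- label.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of the URL's host.

    Longest public suffix matching the tail of the host wins; the label
    immediately before it is the registrable part. A host that *is* a
    public suffix has no registrable domain.
    """
    host = hostname_of(url)
    if host is None:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: be conservative and treat the whole host as the site.
    return host


def is_homograph_candidate(url: str) -> bool:
    """True if any label of the host needed punycode (xn--)."""
    host = hostname_of(url)
    return host is not None and any(l.startswith("xn--") for l in host.split("."))


def same_site(url: str, expected_domain: str) -> bool:
    """True if the URL's registrable domain equals the domain you meant to visit."""
    rd = registrable_domain(url)
    return rd is not None and rd == expected_domain.lower()


if __name__ == "__main__":
    # The hosts from the thread, plus a constructed homograph (Cyrillic o's).
    for u in ("https://accounts.google.com/signin",
              "https://loginto-google.com/",
              "https://google.com.securesigning.net/",
              "https://rt434.mjt.lu/lnk/x",
              "https://g\u043e\u043egle.com/"):
        print(u, "->", registrable_domain(u),
              "same as google.com:", same_site(u, "google.com"),
              "homograph:", is_homograph_candidate(u))
```

Note that the registrable domain is the right unit of comparison for the "is this the site I think it is" question, whereas the browser's security boundary is the origin (scheme, host, port); a login page on accounts.google.com is a different origin from google.com even though both belong to the same site.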
Whoever told you that is the same person that advocated complex password rules with monthly resets and no repeats.
reply
The 2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this.
reply
Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.
reply
Unregulated greed doesn't care if every user gets robbed and their identity stolen.
reply
What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.
reply
Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

As a side note though, I have recently tried to turn on CSP for a website I run, and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.

reply
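Sorting that CSP report noise into buckets (browser extensions, content-filter interstitials, your own too-tight policy, and the third-party hosts actually worth investigating) is a small script. This is an added example, not the commenter's code. The reports are constructed samples in the two wire shapes browsers send, the legacy `report-uri` body (`{"csp-report": {...}}`) and the Reporting API body (`{"type": "csp-violation", "body": {...}}`). Assumptions: the extension scheme names listed, `block.opendns.com` as the OpenDNS interstitial host (a constructed allowlist you would extend), and an "own site" heuristic that only compares hostnames, not registrable domains.

```python
import json
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample reports (not from any real site). Both wire shapes:
# legacy report-uri POST bodies and Reporting API (report-to) bodies.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.org/", "effective-directive": "script-src", '
    '"blocked-uri": "chrome-extension://abcdefghijklmnopabcdefghijklmnop/content.js"}}',
    # Firefox often reports only the scheme of an extension resource.
    '{"csp-report": {"document-uri": "https://example.org/post/1", "effective-directive": "script-src", '
    '"blocked-uri": "moz-extension"}}',
    # A filtering resolver rewrote an embed to its interstitial page.
    '{"csp-report": {"document-uri": "https://example.org/", "effective-directive": "frame-src", '
    '"blocked-uri": "https://block.opendns.com/?url=https://www.youtube.com/embed/x"}}',
    # Our own CDN host missing from img-src: a policy bug, not an attack.
    '{"csp-report": {"document-uri": "https://example.org/", "effective-directive": "img-src", '
    '"blocked-uri": "https://cdn.example.org/logo.png"}}',
    '{"csp-report": {"document-uri": "https://example.org/", "effective-directive": "script-src", '
    '"blocked-uri": "inline"}}',
    '{"type": "csp-violation", "url": "https://example.org/", "body": {"documentURL": "https://example.org/", '
    '"effectiveDirective": "connect-src", "blockedURL": "https://tracker.adnetwork-example.test/beacon"}}',
    '{"type": "csp-violation", "url": "https://example.org/", "body": {"documentURL": "https://example.org/", '
    '"effectiveDirective": "script-src", "blockedURL": "https://ads.adnetwork-example.test/loader.js"}}',
    'not json at all',
]

# Assumption: scheme names used by the major browsers for extension resources.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}
# Keyword values browsers put in blocked-uri instead of a URL.
INLINE_MARKERS = {"inline", "eval", "data", "blob", "self"}
# Constructed allowlist of content-filter interstitial hosts (assumption).
FILTER_HOSTS = {"block.opendns.com"}


def normalize(raw: str) -> Optional[Tuple[str, str, str]]:
    """Map either wire shape to (document_uri, directive, blocked_uri); None if unusable."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    if "csp-report" in obj:
        r = obj["csp-report"]
        return (r.get("document-uri", ""),
                r.get("effective-directive") or r.get("violated-directive", ""),
                r.get("blocked-uri", ""))
    if obj.get("type") == "csp-violation":
        b = obj.get("body", {})
        return (b.get("documentURL", ""), b.get("effectiveDirective", ""), b.get("blockedURL", ""))
    return None


def classify(document_uri: str, blocked_uri: str) -> Tuple[str, Optional[str]]:
    """Return (category, blocked host). Order matters: scheme checks before URL parsing."""
    if blocked_uri.split(":", 1)[0].lower() in EXTENSION_SCHEMES:
        return "extension", None
    if blocked_uri.lower() in INLINE_MARKERS:
        return "inline-or-eval", None
    host = urlsplit(blocked_uri).hostname
    if not host:
        return "other", None
    if host in FILTER_HOSTS:
        return "filter-proxy", host
    doc_host = urlsplit(document_uri).hostname or ""
    if doc_host and (host == doc_host or host.endswith("." + doc_host)):
        return "own-site", host  # the policy is too tight, fix the policy
    return "third-party", host   # injected ad/phone-home candidates


def triage(raw_reports: List[str]) -> Tuple[Counter, List[str], int]:
    """Count categories, collect third-party hosts to investigate, count unparsable reports."""
    counts: Counter = Counter()
    third_party = set()
    unparsed = 0
    for raw in raw_reports:
        n = normalize(raw)
        if n is None:
            unparsed += 1
            continue
        doc, _directive, blocked = n
        cat, host = classify(doc, blocked)
        counts[cat] += 1
        if cat == "third-party" and host:
            third_party.add(host)
    return counts, sorted(third_party), unparsed


if __name__ == "__main__":
    counts, hosts, bad = triage(SAMPLE_REPORTS)
    print(dict(counts), hosts, "unparsed:", bad)
```

The third-party bucket is the one to read by hand; extension and filter-proxy noise is cheap to drop, while an own-site entry means the policy, not the page, needs fixing. Anything landing in the report endpoint is attacker-influenced input, so parsing it leniently and never trusting the URLs it contains (as above) is the right posture.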