
Most ISPs put this kind of QR code on the provided "modem" in France, with the default Wifi password of the device.

I love QR codes. I think they should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.

It's a fantastic way to transition from paper to bits.

Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.

Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, and most laptops definitely don't. Not to mention some QR code readers are sometimes just the regular camera app (e.g. modern iOS), which is very confusing. And even if all that is not a problem, your QR code scanner may not be able to understand a particular format, or will read the Wifi code but just display it when it's supposed to save it as a new access point.

It's definitely not a solved problem.



Are you not concerned that QR codes are just completely opaque URLs asking to be clicked? Do you confidently click on URLs in spam emails? Of course not, since we all know URLs can point to malicious payloads. So why should we love QR codes that could just as easily do the same?

If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles?


Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.

Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.

I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.


I can't imagine a QR code on a receipt being anything but tracker-infested spam.


That's how it currently is in some shops. Amazing how marketers are always ahead on such technologies.


Can confirm.

I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.

Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.


Yep, it'll definitely have a tracking code added to the URL.


> Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.

Nope. I go to the sender's URL manually and look for what it is they sent an email about.


You’re the exception that proves the rule


Exactly.


Don't most people within the HN demographic mouse over to see the link in emails?


For comparison, my phone shows me the URL that the QR code decoded to, and prompts me to confirm that I want to browse to it.


Remember bitly, AMP, CDNs?

Also, as to something like a JavaScript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most browser URL limits around 2,048 bytes.


At least bitly lets you look before you keep. Add a + to the end of any bitly URL to see where it goes, when it was created, and how many people clicked it.


You've described some of the scenarios that would result in me not clicking the link. The feature works well, doesn't it?

This is functionally the same as hovering over links in emails, which is the context in which I made my comment.


Ok, explain those to my mom.


Ok, but if it's a bitly link then I'm still not clicking. Just like if an email includes an obviously shortened link.


Bitly is so useful though for making usable QR links


On the desktop, especially if the email is even slightly suspicious? Always. On mobile, it's somehow a lot more difficult and user-unfriendly.


Hover text and/or copy and paste into the browser before hitting go.


The QR scanning app that I use displays the URL so I can check if it looks okay, but most of them are abbreviated using services like bit.ly, so that doesn't help much. You'd have to have a UI that lets the user step through several redirections, but that would probably confuse people.


You're shifting responsibility from developers to the users. If reading a QR code triggers a bank transaction, that's an issue with the QR scanner and the banking application.

Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?

The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.

"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.

(Edit: reading your post again, I realize it might be exactly what you have in mind)
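A scanner front end that does what this comment, and the Wifi and shortener comments above, ask for, as an added example that is not from the thread: it classifies the decoded payload and builds a confirmation prompt instead of acting on it. The `payment://` scheme is the hypothetical one from the comment, the `WIFI:` field layout is the common zxing convention, and the shortener list is an assumption.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# bit.ly and tinyurl.com are the shorteners named in the thread; treating a
# shortener as "destination unknown" is this example's own policy.
SHORTENERS = {"bit.ly", "tinyurl.com"}

@dataclass
class Intent:
    kind: str                 # "url", "wifi", "payment" or "text"
    prompt: str               # what the scanner shows before doing anything
    warnings: list = field(default_factory=list)

def _split_fields(body: str) -> dict:
    """Split 'T:WPA;S:ssid;P:pw;;' into a dict, honouring backslash escapes."""
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped ; , : " or backslash
            buf.append(body[i + 1]); i += 2; continue
        if key is None and ch == ":":
            key, buf = "".join(buf), []
        elif ch == ";":
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields

def classify(payload: str) -> Intent:
    p = payload.strip()
    if p.upper().startswith("WIFI:"):          # WIFI:T:WPA;S:ssid;P:pass;H:true;;
        f = _split_fields(p[5:])
        auth = f.get("T") or "nopass"
        warn = ["open network, no encryption"] if auth.lower() == "nopass" else []
        if f.get("H", "").lower() == "true":
            warn.append("hidden SSID")
        return Intent("wifi", f"Save Wi-Fi network '{f.get('S', '')}' ({auth})?", warn)
    if p.lower().startswith("payment://"):     # hypothetical scheme from the thread
        payee, _, amount = p[len("payment://"):].rpartition(":")
        return Intent("payment", f"This code would send {amount} to {payee}. OK?")
    try:
        u = urlsplit(p)
    except ValueError:                         # e.g. malformed IPv6 literal
        u = None
    if u and u.scheme in ("http", "https") and u.hostname:
        warn = ["shortened link, real destination unknown"] if u.hostname in SHORTENERS else []
        if u.scheme == "http":
            warn.append("plain HTTP")
        return Intent("url", f"Open {p} (site: {u.hostname})?", warn)
    # javascript:, data:, plain text, ...: never acted upon, only displayed
    return Intent("text", f"Decoded text (no action): {p}")
```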


I was mostly thinking about URLs in untrusted contexts, like maybe from an ad you see on the street, that you want to screen by hand against malicious intent; not so much about things like your banking app example, which should always have some kind of confirmation anyway.


It really shouldn't matter to the browser what URL you enter. Maybe it's not the page you're looking for. But opening a website itself should cause no harm.

Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on them - of course, since that's what a website is for.

What I'm trying to make clear is that there is no such case where QR scanners, browsers or applications may consider a safe context where the user implicitly consents to malicious actions by the QR/website/...


> It really shouldn't matter to the browser what URL you enter.

In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browsers, it absolutely does matter.


Qrafter on iOS has exactly that UI, which is why I use it.


If anyone knows of an equivalent on Android (preferably available on F-Droid), I'm all ears.


I recommend “Privacy Friendly QR Scanner” (https://github.com/SecUSo/privacy-friendly-qr-scanner) by the SECUSO group, who specialize in apps that respect user privacy.

Worked great for me on my last phone, and peace of mind knowing you aren’t being tracked.

Available to download on fdroid or the play store.

https://github.com/SecUSo


SecScanQR shows you the URL and lets you decide if you want to open it or not. It's on F-Droid. https://f-droid.org/en/packages/de.t_dankworth.secscanqr/


No more than a regular URL written on paper. People write them blindly anyway; they don't know what it means nor how to read it.

But QR codes are not just for URLs; they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.


Because URLs have letters & words in English that I can read and determine if the website is authentic or not, as opposed to QR codes that no human can read?

Have you never come across phishing scams that looked eerily authentic, only to be clued in by the fake URL? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the URL provided by the code (most don't), then that's a security risk.


QR code readers show you the URL; you have to push a button to navigate to it. So it's no different from having it copied manually.

Not that it matters much for most users; as I said earlier, they blindly type URLs. They have no idea what it is.

You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.


Microsoft did that research. Well, they didn't propose to kill anybody's mother but the test participants used their real bank credentials and Microsoft tested different behaviours in IE to see what would deter users from giving these credentials to a bogus site having accepted a task to log in and perform some basic operation.

Nothing.

Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.

This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.


This sounds like something which should be continuously tested, as a litmus test as to how careful people are. I don't suppose you have a link or pointed search terms for this instance?


> Because urls have letters & words in english that I can read and determine if the website is authentic

You must have some super-human ability to read a computer's mind if you can grok the kind of URLs that usually come in emails like https://tinyurl.com/uvc58uq


You can see what the tinyurl redirect destination URL is (value of Location response header) without also requesting that URL. Not with a typical browser configuration, but with curl or some hosted solution delivering this functionality.

Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
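The header check described above, as an added Python example that is not part of the thread: one HEAD request, the Location value read without following it, run against a constructed local stand-in for a shortener so nothing leaves the machine. The short code path and the "deleted" path are made up; the 404 case mirrors the deleted short URL from the nature-reserve comment.

```python
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread
from typing import Optional
from urllib.parse import urlsplit

def peek_redirect(url: str, timeout: float = 5.0) -> Optional[str]:
    """One HEAD request; return the Location header without following it.

    Returns None when the answer is not a 3xx. Caveat from the thread: the
    shortener still logs this request, so a per-recipient link is still "used".
    """
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

class _Shortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a tinyurl-style service: 302 to a fixed target,
    404 for an entry that has since been deleted."""
    TARGET = "https://example.com/landing?campaign=constructed-sample"

    def do_HEAD(self):
        if self.path == "/deleted":
            self.send_response(404)
        else:
            self.send_response(302)
            self.send_header("Location", self.TARGET)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass

def run_demo() -> tuple:
    """Serve the stand-in on a free localhost port and peek at two short links."""
    srv = HTTPServer(("127.0.0.1", 0), _Shortener)
    Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_port}"
        return peek_redirect(f"{base}/uvc58uq"), peek_redirect(f"{base}/deleted")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    alive, gone = run_demo()
    print("live short link ->", alive)
    print("deleted short link ->", gone)
```

Against a real shortener the same function works over HTTPS; the Location value is all you learn, and the shortener learns that someone resolved that code.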


Clicking a link can't infect your computer with a virus anymore. As long as any vulnerabilities in QR scanner apps are reliably patched, it should be just as safe as clicking a link. There are zero-days, but that risk exists any time you're connected to the internet anyway.

The cost and risk of putting a sticker on a wall is much greater than that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.


Plenty of scanners allow you to decode a code & show the URL or whatever is encoded in it without opening the link & give you options, so I wouldn't be concerned at all.


Use bit.ly it's quicker ;)


FWIW, I know iOS's camera natively detects QR codes, and I believe Android does as well.

In my opinion, the ability to use the native camera app to read a QR code significantly reduces the barriers-to-read for general users.


Absolutely game changing for the technology! And very convenient too


"very convenient"...

Nowadays it seems anything that can do something FOR you usually does something TO you.


They can’t be used to encode very much data though. They wouldn’t be suitable for storing documents, but could be used to store the location of a document. I was trying to be clever once and thought I could encode X.509 certificates in QR codes. Even that much data was pushing the hard limits of what they can store, and became very hard to scan (I quickly realised this wasn’t actually very clever).


7kb for a supermarket bill is plenty, and you can have several of them.

Forms and legal documents should all have an immutable official url and uuid anyway to point to their legal and administrative context.


The largest QR code in the standard, "version 40", can only store 3 kilobytes at the lowest level of error correction and 1.2 kilobytes at the highest level [1]. And that's a pretty huge QR code [2].

My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket Christmas shop :)

Standardised digital receipts would be neat, but QR codes encoding the data ain't the way to go about it.

[1] https://www.qrcode.com/en/about/version.html
[2] https://commons.wikimedia.org/wiki/File:Qr-code-ver-40.svg


Seems like the obvious thing would be to have the QR code contain a "receipt ID" (UUID?) in a URL.

When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.

I can't imagine any decent-sized retailer isn't already maintaining records like this.


See, one of the useful properties of a paper receipt is that, once you receive it, you can be fairly confident about the ~one way you're going to lose it


Two ways. Receipts fade, sometimes very quickly.


1.2 kilobytes = 9.6 kilobits. If you need 61 bits per line, you’ve got enough bits for 157 lines. 393 lines if we go with 3 kilobytes. I think you may have used 61 bytes per line in your calculation rather than 61 bits.


I (not OP) would say bytes would be closer. The product name could be 20 characters long (20 bytes minimum)


OP was assuming the receipt would list the product UPC code rather than product name. A UPC code is 12 digits, which can be encoded in 40 bits.


It could just contain a URL linking to a page with the content.


I wish we could encode PGP public keys with them, but it's still too much data.

That would be a neat way of exchanging a key.


You can definitely encode ed25519 keys to a QR code.


How big is your pgp public key? Mine is under 4K in ascii and can definitely fit in a QR code.

If you use a crypto atm it will print out your wallet’s private and sometimes public keys as QR codes.


4K is around the point where some devices will start to have issues scanning. Also, crypto wallets won’t usually give you the private key, instead they’ll give you the 12 word BIP39 seed phrase which will be around 70-80 bytes.


GPG key fingerprints are very small though and can be used for that.


Can X.509 certs use elliptic curves? They’d be much smaller.


Even without the key they start to look pretty dense. You can definitely fit one in a QR code, they just start to become less reliable to scan (especially on cheap devices), and they go from looking nice to looking quite ugly. Technically most X.509 certs would have been within the limitations of QR codes (though I don’t think there is an upper bound to how large they can get), but I realized it just wasn’t fit for purpose and moved on to something else.


Are you using 8-bit encoding? An alphanumeric mode QR code containing base64-encoded data provides less capacity. In binary mode even a 4096-bit RSA secret key fits, while ECC keys produce smaller codes.

The qrencode tool has an 8-bit mode, but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.

I've sent patches to ZBar improving this:

https://github.com/mchehab/zbar/pull/64

Hopefully it will make QR codes more useful for storing keys and other small files.


I think DataMatrix is more suitable for X.509.


Yes. I had made a form that was scanned, and all the metadata for the page was stored in a DataMatrix at the bottom. With a laser printer and a good scanner you can reliably put a lot of data in there.


> Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing.

You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.


Huh, I had no idea there was a dedicated QR reader "app", since it's not a default icon (you have to add it from within Settings), and there's no actual app. But it's there!

Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.


Have you been to China? QR—everywhere.


QR codes in China are different animals.

They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.

IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.


Yes, that's why I know it's possible.


>All legal documents and forms should have one.

The ones you download from e-government in Turkey have QR codes. I think other e-documents have QR code too. You can validate them by using https://play.google.com/store/apps/details?id=tr.gov.turkiye...


Current Android WiFi list has a dedicated QR Code button next to it, so it should become more accessible in half a year when most people are on Android 10


This data [1] from google is a bit old (from May 2019), but shows about 10% on Android 9, and maybe a third on Android 8+; to get 50%+ (the common interpretation of most) you're looking at Android 7+, and that was released three years before the stats. Maybe, if uptake of 10 is as good as 7+, we'll see most people on Android being able to use this in 2022.

[1] https://developer.android.com/about/dashboards/


Project Treble made a huge difference, and Android 9, which is one year old, is already at 48% market share. This is so much faster than older Android upgrades before it.

Source: https://www.androidpolice.com/2019/12/18/pornhub-does-what-g...


Stats from different places are going to show different trends. Google's stats are a lot closer to all of the Android market than PornHub's. It's unfortunate that Google is slow to update. But it might be interesting to look at trends in PornHub's data, if they provide it over multiple years.


> Unfortunately most users have no idea what it is.

In the West, yes; it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use QR codes all the time. A huge divide.


They teach kindergarteners to use QR codes where I live.


Firefox Preview has an embedded QR code scanner.


For URLs only. QR codes are for much more than URLs.


You either use a URL or a custom app to scan QR codes. You can't encode arbitrary data and expect a universal reader to be able to interpret it. And a URL is actually a good way to store small amounts of data, because you can launch a web app to handle it and it's compatible with any device.


You probably mean URI.


I'm not sure it's only for URLs.



