Can you explain more what you're thinking here? I don't see how that would solve anything.
QR codes generally are just a bit of data, like a link to a website. If I cover up an existing QR code with my own link to my own website... what would a signature do to help here?
Even if the original QR code had the link printed on it, do you think someone reaching for their 3rd beer would even notice it?
Humans are not conditioned (yet) to validate QR codes. We scan them without thinking twice. Phishing is pretty sophisticated and it is easy to duplicate a website.
This is an authorization issue. You need a signing authority of some kind to verify the QR code.
A literal JWT (JSON Web Token) could be used, but a binary format could save TONS of space (30-50% smaller) which matters for a QR code.
QR would contain: binary data, datetime it was issued, QR creator ID, URL of signing authority (or a code from an approved list of authorities representing a known URL), a code for the algorithm used, and a signature that signs everything else.
When a user scans the QR, the software recognizes that it uses authorization mode.
It looks up the signing authority based on the ISO code for that authority and sends an API request for the public key, sending the datetime and creator ID.
The signing authority returns the public key based on company and time (or a message if the private key has been revoked). If the key checks out, the user visits the URL.
All of this would take a fraction of a second and be entirely transparent to the user (barring revoked permissions or the signature being incorrect).
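The payload and check proposed in the comment above, sketched in Go as an added example that is not part of the thread. The field widths, the algorithm code value, and the `registry` function (a local stand-in for the authority's key API) are assumptions, and the key, creator IDs and URL are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout: issued(4) creator(4) authority(2) alg(1) | URL | Ed25519 signature(64).
const hdr, sigLen = 11, ed25519.SignatureSize

var be = binary.BigEndian
var demoKey = ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed demo key, all-zero seed

// Encode builds header || URL and appends a signature over everything before it.
func Encode(priv ed25519.PrivateKey, issued, creator uint32, authority uint16, url string) []byte {
	b := be.AppendUint32(be.AppendUint32(nil, issued), creator)
	b = append(be.AppendUint16(b, authority), 1) // algorithm code 1 = Ed25519 (assumed numbering)
	b = append(b, url...)
	return append(b, ed25519.Sign(priv, b)...)
}

// registry stands in for the authority's key API (hypothetical): creator 9 is revoked.
func registry(authority uint16, creator, issued uint32) (ed25519.PublicKey, error) {
	if creator == 9 {
		return nil, errors.New("key revoked")
	}
	return demoKey.Public().(ed25519.PublicKey), nil
}

// Verify returns the URL only if the key the authority returns validates the payload.
func Verify(p []byte) (string, error) {
	if len(p) < hdr+sigLen || p[10] != 1 {
		return "", errors.New("malformed payload or unknown algorithm code")
	}
	body, sig := p[:len(p)-sigLen], p[len(p)-sigLen:]
	pub, err := registry(be.Uint16(p[8:]), be.Uint32(p[4:]), be.Uint32(p[0:]))
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, body, sig) {
		return "", errors.New("signature does not match the registered key")
	}
	return string(body[hdr:]), nil
}

func main() {
	fmt.Println(Verify(Encode(demoKey, 1700000000, 7, 1, "https://menu.example/t12")))
}
```

A sticker that reuses the header and signature but swaps the URL fails verification, and so does any payload from a revoked creator. The check says nothing about whether a creator the authority accepted is who they claim to be, which is the question the replies take up.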
What prevents me from just signing my own QR code though? I could register a very similar domain, sign it, make it look all official and then siphon funds.
A third party could revoke my signature, but then we are dependent on that third party for everything, which isn't ideal either.
This is the difference between a self-signed SSL cert and one that is issued by a trusted company.
An argument in trusting trust is meaningless. The whole point is that they can be trusted. If you don't believe you can trust them, then nothing is going to change that.
The goal isn't to make such scams impossible, but instead to make them too risky and expensive.
If you're going to do a scam like that on a business level, there's a lot of logistics involved. A mom and pop shop isn't going to be a suitable target, so you're going to be targeting a franchise where you can easily move operations to reduce costs. You have to spend a bunch of time building out a fake website. You have to put multiple boots on the ground to go around changing hundreds of QR codes to improve hit rates.
QR certification means you have to create a new business to apply that makes a paper trail. Creating something very close to an actual franchise is also going to run the risk of setting off alarm bells and getting busted by the FBI. It doesn't make this scam impossible, but adds a big enough hurdle to reduce profitability and increase risk to the point where there are easier scams to pull off.
The other kind of attack is one-off scammers hoping to trap people. In this "QRL" certification scheme (sorry for the bad pun), their scam would never get off the ground because it wasn't certified.
> If you're going to do a scam like that on a business level, there's a lot of logistics involved. A mom and pop shop isn't going to be a suitable target, so you're going to be targeting a franchise where you can easily move operations to reduce costs. You have to spend a bunch of time building out a fake website. You have to put multiple boots on the ground to go around changing hundreds of QR codes to improve hit rates.
Yea, this happens already. For example, the finance department at my company was recently phished for a significant amount of funds. How? Someone broke into the payment company that issues the invoices for a company that we use and got their customer list and then started phishing all their clients.
They emailed my finance department, said the account number had changed, even used the same bank, and got us to send a payment for an invoice to that new account. Bank happily paid them out. Nuts. Now we have to try to claw the money back, but I don't think we can get it without long legal proceedings against the bank. Imagine though, having the balls to open a bank account after having broken into a company.
The people in the finance department felt awful and surprised that this could even happen to them. Since then, they've now increased the security 1000x and require voice verification and what not...
My point is, just like you say, you can't trust the trust. The only way this would have worked is if QR codes could only be generated by a trusted third party for all QR codes. Even still, it wouldn't work because I could fake the trusted third party.
You have a nice dream, and it gets me thinking that a "LetsEncrypt for QR codes" might be an interesting business service, but it would require a huge amount of convincing people to use you as well as marketing dollars to get the word out. I still don't think it'll stop everything.