6 comments

  • elmerfud 14 hours ago

    I still hate them, not because I don't see the value in having an object that could be detected by a camera and then translated into a link somewhere else or contain some bit of machine translatable information. I absolutely see value in that part of it, but the problem is I also see that it is a blind black box that has zero trust established with it that you're asking me to click on.

    With COVID and everyone being afraid to touch stuff, besides their grimy dirty phone, restaurants started sticking these everywhere for you to get their menu. Okay, that's great, but how do I know the difference between your legitimate menu and a rogue QR code somebody slapped over top of it? It's like the problem of credit card skimmers magnified 100,000 times because it's so much easier.

    Without some textual representation of what it is supposed to be telling me, which could be easily contained as part of the area surrounding the QR code, which would provide a minimal level of trust, I cannot trust what is being presented to me. So without some facility of trust built into it, which there isn't any and effectively can't be in the current iteration, I will avoid them like the plague in most situations.

    • nayuki 14 hours ago

      I understand where you're coming from. I think you're implicitly assuming that once you scan a QR code, your phone automatically opens that URL.

      That is a faulty assumption. There's nothing stopping someone from designing a QR code scanner app that simply displays the text (or URL) that was scanned, and gives you the option to open it in a web browser or not.

      A QR code is ultimately just a piece of text. It can't harm you if you don't choose to execute it.

      > how do I know the difference between your legitimate menu and a rogue QR code somebody slapped over top of it

      If someone slapped a rogue QR code on a menu, you would be able to see that it's a sticker on top of paper (or laminated paper). On the other hand, how would you tell if someone just replicated the restaurant's menu and reprinted it in whole?

      Anyway, if you want real trust, then the business should publish its cryptographic public key in a conspicuous place in such a way as to avoid tampering (e.g. encased in glass in a wall), and then all QR codes will need to be digitally signed by that business before the customer trusts them.

      • stop50 14 hours ago

        The scanner in my browser and the others that scan generic ones show the URL before opening it.

        • elmerfud 10 hours ago

          They usually show a partial URL, and oftentimes it is a shortened URL from a shortening service. So that's still not solving the problem.

          • stop50 6 hours ago

            Shortened ones are a clear sign that something is off if it's a URL from a common shortening service. The domain name is also useful.

  • 14 hours ago
    [deleted]
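
The signed-QR idea raised in the thread (a business publishes a public key and the scanner only trusts codes signed with it), sketched as an added example that is not part of any comment above. The payload format `<url>#sig=<base64url signature>`, the function names, the fixed demo seed and the `.example` hosts are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DemoKeys derives a key pair from a fixed, constructed seed so the example is
// reproducible. A real business would generate its key randomly and keep the
// private half offline; only the public key is posted for customers.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignPayload is the business side: it returns the text to encode in the QR
// code, in the assumed format "<url>#sig=<base64url Ed25519 signature>".
func SignPayload(priv ed25519.PrivateKey, rawURL string) string {
	sig := ed25519.Sign(priv, []byte(rawURL))
	return rawURL + "#sig=" + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyPayload is the scanner side: it checks the signature against the
// published key and returns the full host to show the user before opening.
func VerifyPayload(pub ed25519.PublicKey, scanned string) (string, error) {
	i := strings.LastIndex(scanned, "#sig=")
	if i < 0 {
		return "", errors.New("unsigned QR payload")
	}
	rawURL := scanned[:i]
	sig, err := base64.RawURLEncoding.DecodeString(scanned[i+len("#sig="):])
	if err != nil || !ed25519.Verify(pub, []byte(rawURL), sig) {
		return "", errors.New("signature does not match the published key")
	}
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("signed payload is not an https URL")
	}
	return u.Hostname(), nil
}

func main() {
	pub, priv := DemoKeys()
	qr := SignPayload(priv, "https://menu.example/table/7")
	fmt.Println(VerifyPayload(pub, qr))
	// A sticker that swaps the URL but reuses the old signature is rejected.
	fmt.Println(VerifyPayload(pub, strings.Replace(qr, "menu.example", "other.example", 1)))
}
```

A valid signature only proves the code came from whoever holds that key, so the scanner still has to obtain the public key from a source the customer already trusts, which is the tamper-resistant publication step described in the thread.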