
Timeline for answer to What are the preferred ways to exchange public keys physically? by QuestionablePresence

Current License: CC BY-SA 4.0


8 events
when what by license comment
Apr 28, 2025 at 7:15 comment added Matthieu M. @fraxinus: I considered that. But for key exchange you'd likely want a specific application anyway -- one which allows registering who is associated with the key -- at which point the default behavior of QR code reader apps no longer matters.
Apr 27, 2025 at 17:45 comment added fraxinus @MatthieuM. bad news here. A lot of QR code readers automatically feed the decoded message in your default browser if it looks somewhat like a URL. While not the same as running native code in your system, it is still an attack vector.
Apr 27, 2025 at 16:11 comment added Matthieu M. @fraxinus: Also, the QR code is not executable. There's no auto-boot or equivalent feature.
Apr 27, 2025 at 10:09 comment added fraxinus The QR code has the very important (in this context) property of giving a visual clue about the amount of information it carries. This mitigates a whole lot of possible risks, e.g. exploiting some vulnerability in the key processing path. There is simply not much space to cram the exploit code in (I am not saying that this is not at all possible, it is just WAY harder than e.g. a modern flash drive of GB-range size).
Apr 25, 2025 at 16:31 comment added Bergi Is there a preferred way/scheme of encoding public keys?
Apr 25, 2025 at 13:26 comment added Themoonisacheese For what it's worth, a version 40 QR code with low data correction (perhaps not really a desired quality here) can hold 23,648 bits.
Apr 25, 2025 at 12:23 comment added DonQuiKong This already exists in some e2e encrypted messengers, you can scan someone's QR code to make sure it's the right person.
Apr 25, 2025 at 8:42 history answered QuestionablePresence CC BY-SA 4.0