Comment by xp84

14 hours ago

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.

  • No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).

  • Right! Let me check the URL before clicking the "confirm your account" link!

    https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...

    Oh wait, never mind. I guess I won't be signing up for electricity, then?

    Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.

    If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.

  • Whoever told you that is the same person that advocated complex password rules with monthly resets and no repeats.
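The thread's disagreement comes down to who does the comparison: a human reading a host name, or software comparing the whole origin byte-for-byte. The following is an added example, not code posted by anyone in the thread, showing the machine version of the check that the "look at the URL" advice expects a person to perform. It assumes a hypothetical allowlist containing one trusted origin (`accounts.example.com` on HTTPS port 443) and uses constructed sample URLs modelled on the lookalikes mentioned above (`loginto-google.com`, `google.com.securesigning.net`), plus an IDN homograph and a userinfo trick. Passkeys apply the same idea: the authenticator compares the page's origin against the registered relying-party ID, so the user never has to read anything.

```python
"""Exact-origin matching versus eyeballing a URL (added example, not from the thread).

A machine check that compares the *whole* normalised host against an allowlist
is immune to the suffix, hyphen and homograph tricks that fool people.
The allowlist and sample URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist: the only origins whose login page we accept.
TRUSTED_ORIGINS = {("https", "accounts.example.com", 443)}

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalised_origin(url: str):
    """Return (scheme, ascii_host, port) for a URL, or None if it cannot be parsed.

    The host is lower-cased, trailing dots are removed, and it is converted to
    its ASCII (IDNA/punycode) form so a Unicode lookalike is compared on the
    bytes a resolver would actually see, not on how it renders on screen.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased by urlsplit; None if absent
    if scheme not in DEFAULT_PORTS or not host:
        return None
    host = host.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, host, port)


def is_trusted(url: str) -> bool:
    """True only if the URL's full origin is on the allowlist.

    No substring, prefix or suffix matching: the trusted name appearing
    somewhere inside the host is not good enough.
    """
    origin = normalised_origin(url)
    return origin is not None and origin in TRUSTED_ORIGINS


def check_many(urls):
    """Evaluate several URLs; returns a {url: bool} mapping."""
    return {u: is_trusted(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples mirroring the lookalikes the thread mentions.
    samples = [
        "https://accounts.example.com/login",
        "HTTPS://Accounts.Example.COM.:443/login",               # same origin, odd casing/port
        "https://accounts.example.com.securesigning.net/login",  # trusted name as a prefix
        "https://loginto-example.com/login",                     # hyphen lookalike
        "https://accounts.еxample.com/login",                    # Cyrillic 'е': IDN homograph
        "http://accounts.example.com/login",                     # right host, wrong scheme
        "https://accounts.example.com@evil.invalid/",            # userinfo before the real host
    ]
    for url, ok in check_many(samples).items():
        print(f"{'TRUSTED ' if ok else 'rejected'}  {url}")
```

Only the first two samples pass; everything else is rejected, including the homograph, because the comparison happens on the punycode form of the host rather than on the glyphs a person sees.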