- Aug 1, 2020
ACME has received calls from QR Code creators who are realizing that many QR code generators on the internet don't even encrypt their web-based QR code creation pages, serving them over http instead of https. Anything typed into such a page travels unencrypted, which creates a significant risk for people using these generators to create their QR codes.
Some QR Code generator services are even forced into insecure transmission by their local government.
ACME has consistently supported an SSL (https) based API (specifically our service at https://api.acme.codes) for almost 5 years; it was one of the first things we implemented. Given that sensitive financial information can be put into a QR code (bank account numbers or bitcoin for example), we considered this an absolute requirement for our clients' needs.
'But wait,' you say, 'why is privacy needed for the information in a QR code if the point of the QR code is to share information publicly?'
Many people associate QR codes with their first encounter with them, which is usually in a public place, as an easy way to obtain public information.
However, QR codes can also be used to efficiently share information between two people conducting private commerce. In some cases this information can be as shareable as a URL to a bank account deposit portal, where there is little risk in the information within the QR code becoming public. In other cases the information is very private, such as bank withdrawal keys for payments from a specific bank account, or even bitcoin - digital 'real' currency. QR codes can contain the digital equivalent of cash, and if you wave such a QR code around too carelessly, you can lose your digital cash even more easily than if you waved around traditional cash, as happened notoriously in 2013.
It's important to note that in the 2013 case the issue was not the QR code itself - the medium - but the irresponsible handling of its exposure and of the information in it. If you have currency - digital or physical cash - that currency by definition must be easily transferable, so you need to be responsible about handling it. If you leave cash out on the sidewalk, people will take it, and no one blames the medium of ink-on-paper for that result. So if you carelessly expose your private QR code containing digital cash, it's similarly not logical to blame QR codes for that loss.
If you are making QR codes, ACME recommends that you consider the following points when evaluating a QR code generator or creation service. This is especially true for 'free' standard QR codes or QR codes containing information meant to be shared privately.
Make sure your QR code generator has history. Use a known or established QR code generation service. Don't just grab a free app that has a few thousand downloads, or a web page that came up at the top of your search. ACME has been providing QR code services since 2015.
Make sure your QR code generator encrypts your information. More specifically, look for affirmation that the QR code generator service you're using is served over https. This can be as simple as having your browser signal security with a 'lock' icon next to the site. In rare cases even this can be misleading if the SSL certificate is self-signed or nearing expiration, or if your browser does not protect you well enough from mixed protocol pages. If in doubt, ask for confirmation from technical staff that you personally trust. ACME's API for QR code generation is over secure SSL and always will be.
Make sure the nationality of the provided service is known. Ask yourself if the country of origin has a government you trust. Many governments in the world have very low or even nonexistent protections for individuals wanting privacy from state-run operations - justified or not. In other cases some QR Code generators can be hosted by entities working in the gray area of local laws, or even outside of them. ACME QR Codes are American made and have had established operations from Glendale, California since our firm started in 2015.
Make sure the people scanning your QR code are protected. QR code creation and target links can be under secure SSL, but in the end, the scanning audience has to own some responsibility for determining if the QR code comes from a valid source. Many consider this user evaluation of a QR code to be the weak link in the security chain. The problem is similar to 'the last mile' encountered with phone and cable companies or even deliveries, where tremendously expensive infrastructure gets your information or products safely around the country relatively easily, but making the connection to the final end user is oftentimes the most difficult part to execute properly. You can help out the people scanning your QR codes with this: consider purchasing an animated QR code from ACME. Unlike standard QR codes, ACME's animated QR Codes are fundamentally difficult to falsify or alter, and very easy for people to personally authenticate that they are in fact the QR codes you made for them.
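The https, certificate and mixed-protocol checks from the encryption point above can be scripted rather than judged from the lock icon alone. The following Python is an added example, not ACME code; the host gen.example, the 30-day warning threshold and the sample certificate and HTML are constructed assumptions.

```python
import re
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse

WARN_DAYS = 30  # assumed threshold for "nearing expiration"

def fetch_cert(host, port=443):
    """Return the validated peer certificate dict, or None if the chain is
    not trusted (self-signed, expired, wrong hostname)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

def days_until_expiry(cert, now=None):
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(not_after, timezone.utc) - now).days

def mixed_content(html):
    """Plain-http scripts, images, frames and form targets in the page."""
    return re.findall(r'(?:src|action)\s*=\s*["\'](http://[^"\']+)', html, re.I)

def audit(page_url, cert, html, now=None):
    if urlparse(page_url).scheme != "https":
        return ["page is served over plain http"]
    if cert is None:
        return ["certificate failed validation (self-signed or untrusted)"]
    findings = []
    left = days_until_expiry(cert, now)
    if left < WARN_DAYS:
        findings.append(f"certificate expires in {left} days")
    findings += [f"mixed content: {u}" for u in mixed_content(html)]
    return findings

# Constructed sample input: a certificate dict shaped like getpeercert() output
SAMPLE_CERT = {"notAfter": "Aug 15 12:00:00 2020 GMT"}
SAMPLE_HTML = """<form action="http://gen.example/make">
<img src="https://gen.example/logo.png">
<script src='http://cdn.example/qr.js'></script>"""
SAMPLE_NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit("https://gen.example/", SAMPLE_CERT, SAMPLE_HTML, SAMPLE_NOW):
        print(finding)
```

Against a live service, pass `fetch_cert(host)` and the downloaded page body to `audit`; a form whose `action` is plain http means the data you type for the QR code leaves the https page unencrypted.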