QR codes have been with us for a long time now, and after passing through their Gardenesque hype cycle of inappropriate usage, have now settled down to be an important and ubiquitous part of life. If you have ever made a QR code you’ll know all about trying to generate the most compact and easily-scannable one you can, and for that [Terence Eden] is here with an interesting quirk. Upper-case text produces smaller codes than lower-case.
His post takes us on a journey into the encoding of QR codes, not in terms of their optical pattern generation, but instead the bit stream they contain. There are different modes to denote different types of payload, and in his two examples of the same URL in upper- and lower- cases, the modes are different. Upper-case is encoded as alphanumeric, while lower-case, seemingly though also containing alphanumeric information, is encoded as bytes.
To understand why, it’s necessary to consider the QR codes’ need for efficiency, which led its designers to reduce their character set as far as possible and only define uppercase letters in their alphanumeric set. The upper-case payload is thus encoded using less bits per character than the lower-case one, which is encoded as 8-bit bytes. A satisfying explanation for a puzzle in plain sight.
Hungry for more QR hackery? This one contains more than one payload!
Humanity couldn’t standardize on a binary format which would be the smallest..
Well… Yes, and no.
One is smaller, the other isn’t missing a bunch of letters. Different modes for different use cases.
That is … interesting. The domain portion of URLs is not case sensitive, but the path name often is case-sensitive.
There is quite a lot to qr codes and the best resource is in my opinion Nayuki’s step by step guide – which I learned about on hackaday, of course. https://hackaday.com/2018/11/05/a-qr-code-step-by-step/
It’s too bad, because the average URL has fewer uppercase letters than lowercase.
QR codes, unfortunately, need to go; at least in their current form. They are a security risk.
how ?
They are no more of a security risk than any other link on the internet. or printed URL. You should use an application that doesn’t preload the URL before you have made a decision to follow it.
Unfortunately they are a security risk.
It is not difficult to stick a replacement QR code over a previously printed one and have people scan it and, unfortunately, follow the instructions. By supporting QR Codes without providing any way to validate they are legitimate they are a security risk.
QR code hijacking has been used to steal funds from people without technical skills, and probably even a few with skills.
You being a savvy user and able to validate the URL is as expected is great, for you, but doesn’t negate the types of risks QR Codes create.
How is that any riskier than someone sticking a storename.org URL over a storename.com URL?
Because a URL is human readable, a QR is not. QR code use has gotten normalized to the extent that non-tech savvy folks will just scan them, assuming that they’re legit. Sure you can decode them, but on what planet exactly do the non-techies ever do that?
Because a QR code can contain a punycode storename.com that looks 100% legit. Or even just a misspelling that’s hard to spot.
Both you’re protected against when typing URLs.
I like this example: https://upnorthlive.com/news/local/scammers-target-traverse-city-parking-meters-with-fake-qr-codes-officials-urge-caution
Gardenesque? Gartneresque!
This will not help at all with businesses that put a 1″ QR code with a ridiculously long URL. I wonder that some non flagship phone cameras can even resolve the QR.
So shouting to get on the internet is okay.
QR codes without the author present are a hard no-go. The trust is never with the code but only the one who presents it. That leaves a very limited amount of valid use cases:
In app cross authorization and WiFi access posters inside homes and businesses are the only that come to mind.
Nobody see QR codes for what they really are: a way to enter information into the mobile phone without typing it. Therefore they are not dangerous by themselves, but because they allow you to make a mistake easier and faster. All you have to do to prevent this is to deny all access to resources (internet mainly) to the QR reader app. This way the basic function is retained and upon seeing the url you can decide what do to.
And please stop pointing “non tech people” as victims to scams. Teach them how to properly use QR codes. Is like telling them not to go in bad neighbourhoods so they will not get robbed. Or not to open emails from unknown sources and not to click unknown links whithout checking them. If they don’t listen, if they don’t apply simple logic, they’ll pay for their mistake. But not because they are not knowledgeable in technology.
Yet from the darkest corners of the internet you hear howling urls written in unicode characters looking like normal ascii, but they are not the same, thus the link take you to an inexisting ikea shop that will empty your account. What you will do when you’ll meet such a trap with a succulent “sale” for the item you keep checking for the last 6 months?
Click? Click!
Yep. I realize I won’t let my phone ever see one. Plain text only, I will search it first seeing what else pops up below. There should be both clearly marked text which you can photograph and get to later safely.
The UPC barcode will be retired soon for these cubic crypto’s. So you will have to update your fridge scanner if you have one.
An easy way to make your QR code smaller is to simply refrain from putting a polluting graphic in the middle of it. (You can then choose a lower checksum level, and still get good results with a smaller code block.)