Comments on RevK®'s ramblings: How not to QR (NHS COVID-19 App)
Feed updated 2024-03-28T09:19:27.451+00:00

moritonal (2020-10-24T20:02:13.688+01:00):
I have written up my own frustrations as an issue here https://github.com/nhsx/covid-19-app-android-ag-public/issues/34 and linked to this blog.

Alex (2020-10-20T21:18:37.977+01:00):
It turns out the signing verification was actually broken on Android anyway initially, making it even more pointless: https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/

Anonymous (2020-10-14T22:29:14.390+01:00):
Rev, thanks for the deep-detailed analysis. I too was GEEKING OUT over those super dense QR codes? What are they scanning... aircraft engine parts?

I suggest the use of the ECDSA/ES256 signature was in response to data privacy fears. Although built on New Zealand's tried and tested system, the English and Welsh signed implementation yields a tiny payload for an oversized signature bloat. Btw nowhere online I could find an official specification for the UK QR codes, only reverse-engineered hacks.

JSON web signatures have always been a 'thing' that Microsoft pushes, but no-one else can understand why it's better than everything else that does signing?
Almost all people who do data for a living would have kept the gross payload simple; the blocks would be big enough to scan under those reflective plastic sheets that most venues keep their (photocopied) A4 posters under. Isn't that what testing in-the-wild was all about?

Your point about the wasteful use of BASE64URL is the most serious. It's a critical flaw that takes the edge off of this "world beating" track and trace system. But on a project that had already spent millions of pounds delivering another I.T. failure, the new inner circle would have had no desire to expose their source code to peer review; as they did on GitHub with the version 1-or-2 Beta.

So why not put that NHS QR code inside a rainbow? Just a thought.

Stay safe.

Andy @ tier3

Tim (2020-10-12T09:47:13.546+01:00):
Thanks so much for this analysis. I became curious about why the code was so long when at a pub yesterday - we noticed people having to stand back to get the whole code in view, and also some people couldn't scan it at all because of a shadow (they had to move the poster in the end).
I wasn't at all surprised to see it just seems to be a case of the same old "government IT project" syndrome.

curious (2020-10-07T13:15:37.495+01:00):
Is there a UKC19Tracing app for Windows (.exe) or Mac OS (package or disc image)?

curious (2020-10-07T13:14:21.187+01:00):
Is there a UKC19Tracing app for Windows or Mac OS?

Anonymous (2020-09-27T17:45:38.884+01:00):
I did just this at a NT place today!
Held up my phone for camera to read it, said got it, clicked the pop up (got the string of code), kept walking, cancelled it all!

RevK (2020-09-26T18:08:55.398+01:00):
QR can hold UTF-8 directly with the right ECI header. They manage a hieroglyph dick :)

Anonymous (2020-09-26T18:07:12.875+01:00):
Not much clue on base64 encoding either; he thinks it is a compression... it is actually an expansion. It makes it 25% bigger! Might be required to encode some Welsh (or Maori) names.

RevK (2020-09-25T21:36:24.191+01:00):
You seem to be missing a lot of points. Just a few to answer quickly...

URL can have # so not sent
Time is not issue, getting barcode in view and low res cameras can be, as is where you can put it (eg Costa have their small barcodes on small notices on the tables as well)
Validity as per the specification for QR codes. These do not actually meet the specification.
Common sense and instructions differing is the issue
Signing has nothing to do with needing Internet to check!
Copying codes has nothing to do with Bluetooth working, it is one reason signing is a tad silly
Unique locations could still be done in a much smaller/simpler code
Signing does not mean there are not “scams” (what few scams could be done)
As for tech support, if someone is struggling at the front of a queue then staff will try to help.
You can absolutely not clue on UX, clearly.

But thanks for your comments.

fhwb (2020-09-25T20:34:55.686+01:00):
=So what's wrong=
"requires the app installed first"
  It requires the app because of privacy. If it was a url, they can't prove
  they don't store the data
"the qr code is too big/dense"
  QR codes have EC, but they can be read in the same time anyway
"poor choice of QR encoding options"
  EC means it's easier to read
"too dense/base64 coded json"
  There is no need for compression, it's so small
"signing data is pointless"
  (see below.)
"encoding simple data in JSON"
  Why not, and it's easier
"you have to use the gov website"
  So they can sign it, you can request multiple codes anyway, venues are
  registered
"its not valid"
  QR codes don't have a validity check. there is protocol (it even uses)
  but that's not important
"you get a different venue code"
  Well, they are *different venues*, you can correlate data yourself
  (it's public which venues are dangerous)
"scan it as soon as you get it"
  This is common sense. Have it ready for when it releases, so they can use it
"its hard to search for it"
  That's not NHS' fault, it's iTunes' fault
"its thrown together with very little actual thought"
  It's shown that there's thought, i.e. signing for safety, EC for ease of use,
  not using internet
  They took time to address the privacy concerns
"every waiter expected to provide tech support"
  You can't do that in the next lockdown
  Common sense, no one would ask that from a waiter
  You can go to the nhs website
=make it more user friendly=
"built in camera"
  It's not hard to install an app
"signing is daft"
  It's not daft. It means the app doesn't need internet to check it. It means
  there aren't scams. It means you don't have to worry.
  Again, it's not much denser, and it's barely harder to scan a large QR code
"you can copy a code"
  bluetooth tracking still works properly...
"smaller"
  so they can have unique locations in the same postcode
  density is not a problem
=is that app ok=
"does not explain"
  why not sign them, plus they don't need that in the blog, it says the
  process...

Jan (http://jasiek.me) (2020-09-25T14:20:29.328+01:00):
What problem did they think they were solving with the signature? Sounds like they don't know what they're doing (I mean no surprise there).

I wonder where else this particular key is used.

Peter N (2020-09-21T12:37:58.859+01:00):
Presumably because your Egyptian penis is allowed, all the standard URL exploits for homographs or spaces would also work so you could do a more high-tech version of D0wning Street to either work against a competitor or spread your business's risk.

Tony Hoyle (2020-09-19T14:26:26.293+01:00):
It doesn't even require that, as far as I can tell.

There's a requirement to display a QR code, a requirement to request details if someone doesn't scan a QR code (eg. no smartphone) but no requirement on the person entering the store to scan the code or give these details, it's still only a request.

But if the store didn't want to let you in without it (which they might, even though the law doesn't compel them to) you could indeed scan the QR code with the builtin one in the phone and be perfectly compliant also.

ppiixx (2020-09-19T13:03:19.945+01:00):
It looks like they started with the NZ scheme, some of their press photos feature a QR code with the NZCOVIDTRACER: prefix but this design is their own. The NZ ones aren't using JWS.

EK (2020-09-19T13:01:13.649+01:00):
Interestingly the law requires people to scan the QR code but not to install the app. So legally you can scan it with the normal barcode reader, do nothing with the data and then not give your details.

aardgoose (2020-09-19T11:35:37.425+01:00):
It looks like they used the QR code from the New Zealand app developed by a company "rush digital" rather than from scratch looking at the architecture diagram.

David Llewellyn-Jones (https://www.flypig.co.uk) (2020-09-19T08:38:54.400+01:00):
Thanks; interesting stuff and good points made.

The NCSC link you have at the end is for the previous (now defunct) NHSX app.

Happily there's an NCSC post about the new one too, which also mentions the QR codes:

https://www.ncsc.gov.uk/blog-post/nhs-test-and-trace-app-security-redux

(As an aside, it's quite instructive to compare the arguments used previously with the ones used now.)