QR 码隐私:安全地生成和扫描二维码

QR codes are now everywhere you look — restaurant menus, street posters, business cards, payment terminals, you see them just about anywhere. But the content they can encode within them in fact goes well beyond merely a simple URL. Figuring out exactly what is hidden inside a QR code before you go scanning it, and learning to generate your own QR codes safely, is precisely what can genuinely protect you from all manner of tracking and phishing attacks.

为什么 QR 码需要谨慎对待

QR 码只是一段机器可读的字符串——通常是一个网址,但也可能是 WiFi 密码、vCard 联系人或支付数据。这使它很容易被滥用:贴在真实码上的一张贴纸,就能把你引向一个仿冒你银行的钓鱼网站,而大多数在线生成器都会把你编码的任何内容(包括 WiFi 密码)记录在它们的服务器上。本指南涵盖如何安全地扫描和生成 QR 码。(关于 QR 码承载哪些信息、以及生成器如何追踪扫描,详见 QR 码隐私的 Learn 文章。)

四步安全使用 QR 码

  • 1Before scanning any QR code of unknown origin, be sure to use a QR scanner that can show you the full URL behind it in its entirety before it actually opens the link. Keep firmly in mind: never let a QR code automatically jump to the browser without confirmation — you must always first see clearly and verify exactly what the final destination address it points to really is.
  • 2Try to generate QR codes locally wherever possible. PrivaQR creates QR codes entirely within your local browser — the data you want to encode (whether it is a URL, contact information, or a Wi-Fi password) never leaves your device for an instant from beginning to end. For QR codes that contain sensitive content, this point is, you could say, absolutely critical and not open to compromise.
  • 3For important use cases (such as business cards, Wi-Fi sharing, or accepting payments), be sure to use a static QR code that you yourself can personally verify and reproduce again at any time. Try to steer clear of those third-party dynamic QR services that route through their own servers, because the final destination of that sort of QR code can at any time, without your knowledge, be arbitrarily changed or deactivated and invalidated by the provider.
  • 4生成后,在打印或分发之前,用两款不同的扫描器应用测试这个码——并定期重新检查那些长期使用的码(在标识牌、名片、菜单上),以确认它们仍指向你想要的位置、且未被篡改。

QR 码安全技巧

Be especially suspicious and on guard about those suspicious QR codes in public spaces that look as though they have been deliberately stuck over and covering an existing QR code — this is a fairly common physical-world phishing attack technique that you need to guard against carefully. For Wi-Fi QR codes (which directly encode your password in plain text within the pattern of that QR code), share them only with people you trust, and if you are worried about the scope of their spread and circulation becoming too wide, then afterward promptly change the relevant Wi-Fi password to be on the safe side. When sharing personal contact information by way of a QR code, consider encoding only the non-sensitive fields (such as your name and website), rather than taking the easy route and cramming your full phone number and home address all in there as well. In addition, get into the good habit of checking regularly to confirm that the QR codes you have previously printed out or shared still point accurately and without error to the correct destination address.

私密地生成 QR 码——不向服务器发送任何数据

Try PrivaQR
为何重要 — 隐私风险二维码隐私:在线生成器的隐藏风险