[TimothyBJacobs]

They’re saying that an attacker would register variations of similar looking domains relying on the OCR misreading the correct URL. They aren’t suggesting that an attacker would paste the invalid URL in real life menus.

[dheera]

The whole point of QR codes is to paste URLs in real life. For non-real-life use cases even QR codes are unnecessary and people would just use links. For that, yes, typo-squatting and phishing are issues.

I'm suggesting that for real life we could just use URLs and OCR instead of QR codes.

[jraph]

> I'm suggesting that for real life we could just use URLs and OCR

No, because that's not reliable, and way more complicated and error-prone.

It's the same reason bar codes are used instead of directly the id they code.

Your earlier solution doesn't convince me. It's interesting, but not practical, and reading the URL should work even if internet is off or the server is down.

(Having a checksum next to the URL may start making OCR practical though)