like, if I send the QR code to someone I want to talk to via email, anyone intercepting this message will at the very least know my SimpleX address; same thing if I send it via messenger.

edit: let’s assume we don’t have an established and trusted channel. furthermore, they’re not expecting this info.

  • HandwovenConsensus@lemm.ee
    1 year ago

    Well, there’s not much they can do with the QR code. You can deactivate it as soon as you’ve made contact and established proof of identity with the recipient.

    But, if it was really important, there are cryptographic key-exchange protocols you can do even over an insecure connection. The Diffie-Hellman key exchange is one of them. Using something like that, you can derive a shared secret key even if someone’s listening.

    But personally, I would just break it into two parts, and send one by email and one with pastebin’s “burn-after-read” option.

  • Eggroley@lemmy.world
    1 year ago

    Send the address and delete it after you’ve verified that the recipient is in your SimpleX contacts. You can verify via security code. You’ll know when they use the link. Delete the address afterwards.

  • Evgeny Poberezkin@lemmy.mlM
    1 year ago

    You don’t have to encrypt the message; simply observing it won’t compromise security. You only need to ensure that the channel 1) is authenticated (that is, you know who you send to) and 2) cannot MITM you (that is, replace the link). MITM can be mitigated with security code verification via yet another channel, but SimpleX relays cannot MITM key exchange (unlike any centralised service).
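
An added illustration, not part of the thread and not SimpleX's actual protocol: a Diffie-Hellman exchange in which a passive observer changes nothing, while a substituted public value makes the two ends' security codes differ, which is what comparing codes over another channel detects. The group parameters, the `security_code` format and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): 2**127 - 1 is prime but far too
# small for real use; real systems use X25519 or a 2048-bit or larger group.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
    return priv, pow(G, priv, P)             # (private, public)

def shared_key(my_priv, their_pub):
    # Both ends compute G^(a*b) mod P, then hash it into a symmetric key.
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def security_code(pub_a, pub_b):
    # Hypothetical code format: hash of both public values in a fixed order,
    # so each end gets the same digits only if it saw the same pair of keys.
    lo, hi = sorted((pub_a, pub_b))
    digest = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

def exchange(tamper=False):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # What each side receives. A passive observer sees these values too,
    # but cannot compute the shared key without one of the private exponents.
    seen_by_a, seen_by_b = b_pub, a_pub
    if tamper:
        # An active party on the channel replaces both public values.
        _, m_pub = keypair()
        seen_by_a = seen_by_b = m_pub
    a_code = security_code(a_pub, seen_by_a)
    b_code = security_code(b_pub, seen_by_b)
    return {
        "keys_match": shared_key(a_priv, seen_by_a) == shared_key(b_priv, seen_by_b),
        "codes_match": a_code == b_code,
        "codes": (a_code, b_code),
    }

if __name__ == "__main__":
    print("observed only:", exchange())
    print("substituted  :", exchange(tamper=True))
```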