What you see is not what you get - when homographs attack

Julio

This talk offers a brief overview of homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks, and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to phishing scenarios that are nearly impossible to detect, as well as situations where more powerful exploits could be used against an opsec-aware target.

Since ICANN introduced Unicode in domain names (known as Internationalized Domain Names, or simply IDN) over two decades ago, the possibility of registering domain names using different alphabets and Unicode characters has brought a series of brand new security implications to light.

Historical security issues related to Unicode and confusable homographs, as well as other attack vectors not discovered by the author, will also be explored in this presentation.
