conference logo

Playlist "Chaos Communication Camp 2019"

What you see is not what you get - when homographs attack

Julio

This talk offers a brief overview about homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly impossible to detect phishing scenarios and also situations where more powerful exploits could be used against an opsec-aware target.

Since the introduction of Unicode in domain names (known as Internationalized Domain Names, or simply IDN) by ICANN
over two decades ago, a series of brand new security implications were also brought into light together with the
possibility of registering domain names using different alphabets and Unicode characters.

This talk offers a brief overview about homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly impossible to detect phishing scenarios and also situations where more powerful exploits could be used against an opsec-aware target.

Historical security issues related to Unicode and confusable homographs, as well as other attack vectors not discovered by the author will also be explored in this presentation.