We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

What you see is not what you get - when homographs attack

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
7
 Cite
 Share
 Related Material
 Download Purchase
Logo of Chaos Computer Club e.V.Chaos Computer Club e.V.
 Fort, Julio Cesar

Formal Metadata

Title
What you see is not what you get - when homographs attack
Title of Series
Number of Parts
102
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
This talk offers a brief overview about homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly impossible to detect phishing scenarios and also situations where more powerful exploits could be used against an opsec-aware target. Since the introduction of Unicode in domain names (known as Internationalized Domain Names, or simply IDN) by ICANN over two decades ago, a series of brand new security implications were also brought into light together with the possibility of registering domain names using different alphabets and Unicode characters. This talk offers a brief overview about homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly impossible to detect phishing scenarios and also situations where more powerful exploits could be used against an opsec-aware target. Historical security issues related to Unicode and confusable homographs, as well as other attack vectors not discovered by the author will also be explored in this presentation.
00:00
Chaos (cosmogony)TelecommunicationUser interfaceInformation securityComputer architectureRoboticsService (economics)JSONXMLLecture/Conference
00:37
Service (economics)InformationInformation securityDomain nameSeries (mathematics)UnicodeExecution unitInternetworkingLatin squareFormal languagePresentation of a groupInternationalization and localizationEmailService (economics)Identity managementVisualization (computer graphics)Formal languageWeb browserCartesian coordinate systemInformation securityDomain nameSeries (mathematics)InternetworkingLatin squareClient (computing)Thomas BayesGraph (mathematics)Arithmetic meanState of matterImage resolutionRevision controlUniform resource locatorModal logicGraph (mathematics)CASE <Informatik>FamilyComputer animation
02:49
Time evolutionImage resolutionRevision controlUnicodeExecution unitDomain nameASCIICodeAlgorithmInternetworkingRevision controlUser interfaceMereologyBlock (periodic table)Domain nameRule of inferenceSpeech synthesisUsabilityUnicodeDifferent (Kate Ryan album)Computer clusterWave packetOrder (biology)Direct numerical simulationBuildingLevel (video gaming)Formal languagePersonal identification numberAlphabet (computer science)System callExecution unitGroup actionMeeting/Interview
05:23
Partial derivativePoint (geometry)Domain nameTorusField (computer science)Physical lawWebsiteCASE <Informatik>Point (geometry)JSONComputer animation
05:51
Execution unitInformation securityLatin squareScripting languageDifferent (Kate Ryan album)Similarity (geometry)FaktorenanalyseComputer fontVolumenvisualisierungElectronic visual displayRegular graphFormal languageScripting languageNumberPoint (geometry)CodeElectronic mailing listDifferent (Kate Ryan album)Latin squareDomain nameAlphabet (computer science)MereologyComputer fontProcess (computing)Information securitySpeech synthesisVisualization (computer graphics)Slide ruleElectronic visual displayCartesian coordinate systemRevision controlMappingSoftware testingDivisorSymbol tableMaizeVolumenvisualisierungGoodness of fitCASE <Informatik>Execution unitUnicodeGraph (mathematics)Proper mapMountain passDemoscenePhysical lawEndliche ModelltheorieTwitterForm (programming)Identical particles1 (number)Machine visionOrder (biology)Dependent and independent variablesComa BerenicesSource code
10:43
Product (business)Revision controlClient (computing)BitoutputImage resolutionWeb pageCASE <Informatik>Multiplication sign
11:39
Rule of inferenceMaizeLatin squareScripting languageImage registrationDomain nameExecution unitImage warpingWeb browserGoogle ChromeExtension (kinesiology)Graphical user interfaceEmailSoftware developerPerspective (visual)CodeUnicodeSocial engineering (security)Data modelInformation securityScale (map)World Wide Web ConsortiumAgreeablenessClient (computing)Information securityNeuroinformatikGraphical user interfaceMultiplication signWeb pageWeb browserAlgorithmReading (process)Image registrationDomain nameElectronic mailing listClient (computing)DeterminismWeb 2.0PhishingInternetworkingSoftware bugBookmark (World Wide Web)EmailBitOrder (biology)CodeGame theorySocial classVulnerability (computing)Open setRevision controlScripting languageImage resolutionRule of inferenceLatin square1 (number)GoogolFormal languageUsabilityComa BerenicesProcess (computing)Key (cryptography)Level (video gaming)Lie groupFrustrationPhysical lawCoefficient of variationDifferent (Kate Ryan album)Direction (geometry)MaizeWater vaporGraph (mathematics)FamilySpeech synthesis19 (number)Dependent and independent variablesGroup actionField (computer science)
18:51
Email1 (number)MereologyComa BerenicesService (economics)FacebookDomain nameUsabilityCuboidCubeProgramming languagePoint (geometry)Musical ensembleTouchscreenRoundness (object)Graph (mathematics)
20:14
Android (robot)Mobile appWindowLink (knot theory)Graph (mathematics)Vulnerability (computing)Android (robot)Revision controloutput
20:49
Web browserWebsiteGraph (mathematics)Demo (music)JSON
21:17
Linear regressionVideoconferencingReading (process)Proper mapComputer animationLecture/Conference
21:46
System callHoaxComa BerenicesLink (knot theory)Bookmark (World Wide Web)VideoconferencingWeb browserRevision controlProcess (computing)NeuroinformatikComputer animation
22:41
NeuroinformatikOnline helpGraphical user interfaceGoogolWeb browserHacker (term)Solid geometryLecture/Conference
23:10
Web browserGoogle ChromeExtension (kinesiology)Graphical user interfaceEmailWeb 2.0Email1 (number)Information securityExtension (kinesiology)CodePhishingGraphical user interfaceMereologyFamilyWater vaporInternet service providerWebsiteOrder (biology)UnicodeComa BerenicesElectronic mailing list
24:37
Web browserGoogle ChromeControl flowGraphical user interfaceElectronic mailing listQuicksortPerspective (visual)
25:02
Software developerPerspective (visual)UnicodeCodeExecution unitSocial engineering (security)Data modelInformation securityMessage passingComputer programmingLink (knot theory)Spring (hydrology)Decision theoryMereologyGraph (mathematics)Electronic visual displayGroup actionGraphical user interfaceArithmetic meanInformation securityLibrary (computing)WeightPoint (geometry)Office suiteView (database)MomentumComputer configurationPerspective (visual)Software developerProcess (computing)Interface (computing)WebsiteAlgorithmCartesian coordinate systemSocial engineering (security)GoogolDomain nameInternationalization and localizationGraph coloring1 (number)Endliche ModelltheorieSoftwareSession Initiation ProtocolSoftware bugUser interface
28:09
Scale (map)Domain nameMultiplication signView (database)Computer animationLecture/Conference
28:32
Lecture/ConferenceMeeting/Interview
29:03
Lecture/ConferenceJSONComputer animation
Transcript: English(auto-generated)