Julio Cesar Fort, who is going to be talking to you about user interface security and homograph attacks.

Everybody, thank you very much for coming to the talk. I know it's pretty late, but we appreciate the fact that you guys made it. So here's a quick intro about myself: my name is Julio Cesar Fort, Director of Professional Services and partner at Blaze Information Security. But let's just move on and make a quick intro about the talk.

So since the introduction of Unicode in domain names, a series of security implications appeared and came along as well. So the presentation aims to discuss some security risks around internationalized domain names and how applications such as browsers, email clients and secure messengers as well fail to handle IDNs in a secure way and end up exposing users to unnecessary security risks, by making it very much easier for phishing attacks and visual spoofing to materialize.

So here's a quick agenda about the talk. We start by speaking about internationalized domain names, how they work, how they can be registered and so on, and we move on to talk about homographs and the associated security risks that come along with them. Then we explore how user agents, in this case browsers and email clients and so on, react to homograph attacks, and later I also show some practical attacks against some of them and how we can also defend ourselves. Then we're going to wrap up the talk afterwards.

So now we're going to speak about internationalized domain names and the emergence of IDNs. So essentially the internet was never designed to be multilingual. It was created, well, mostly in the United States using ASCII characters.
So that is Latin characters, and the main aims have always been confined to Latin-based characters, as I just mentioned. However, there are billions of people that do not have Latin-based languages as their first language, and the way the internet worked, I mean, it actually mainly still works, somehow excludes the fact that these people use, or would like to use, their own language, their alphabet, to express themselves on the internet. And because of that, ICANN ended up coming with a resolution, it was a version of the internationalized domain names that ended up giving a lot of support, this wide support, to Unicode. This was around some two decades ago. And the support for Unicode, because Unicode ended up covering different languages, like say the Cyrillic alphabet, as in Russian, or some really old ancient European languages and so on, this is why they decided to go with Unicode for that.

But then we have a little technical problem when they ended up implementing IDNs. And the main technical problem here is that DNS, and as you guys know very well DNS is one of the building blocks of the internet, is only ASCII. So it doesn't really speak Unicode, and because of that they came up with a different way to make this glue, and in fact they came up with something called Punycode. So Punycode essentially converts Unicode to ASCII. And then, for example, it converts this emoji, this nice little one here, .ws, which by the way is actually a valid domain, this actually exists, to xn-- and something else like that, or öbb.at, which is the train company from Austria.
So this also gets translated into Punycode in order for DNS to actually work with that, and then the user interfaces do the user-friendly part of things and convert back and forth, IDNs in Unicode and so on. There are lots of things like this. There's poop.la, this actually also exists, this is a poop emoji as a domain name; we'll see later on about some rules around that. Or "I love tacos", these also exist, again with an emoji. Or completely full Cyrillic domains, including even the top-level domain, which is by the way the full version of Yandex, and it's also called a full IDN, as we're going to see later on in the talk.

Yeah, as I said, actually it came much faster than I actually remember it. So these are partial IDNs: öbb.at, which means that there are some internationalized characters here, like this O with the double thing on the top, but the TLD is .at, so it uses the Latin alphabet. Whereas we have this full IDN one, which in this case, I don't know Russian so I don't know how to pronounce that, but this points to the Kremlin official website.

So now we're moving on to homographs and talk about security risks and some considerations associated to them. So Latin script, for example, can represent a variety of languages. It can represent for example Portuguese, Spanish, English, Italian, French and a bunch more. Then also, the fact that I would like to speak about is that different scripts share numerous characters that either look exactly similar or have a very strong resemblance. So what I wanted to explain here is, for example, there are some characters, say "a" in the Latin script, that have a very, very strong resemblance to something very similar in Cyrillic or in the Greek alphabet and other alphabets out there. And they are called confusables or homographs. As we can see here, the first one, number one, is actually Latin, and this is the Unicode code point of it, and the second one is the one in Cyrillic, and even if we zoom this a lot it's very, very hard to distinguish them from a visual standpoint. There is also an "o" in Latin and there's this "o" with a horn, also in Latin, so even the same language and the same script has some characters that look alike a lot. But yeah, I mean, we're zooming in here a lot so you can see the actual horn in the "o", but with a very small screen and depending on the font this can actually be very hard to tell. Also we have here "p" and "p", or "er" or something like that in Cyrillic; apologies for those that actually speak Russian, I probably didn't really pronounce it properly. And the list goes on and on: this is the small "c", and Coptic, which is, I don't even know which language this is, has something very similar, and also Cyrillic. So you can go to Graphemica, which is actually coming in the next slide. Yeah, so graphemica.com. There is pretty much the whole list of different Unicode code points and symbols and so on, and you can actually find many of them that are confusable with Latin characters.

So now we're moving on to speaking about user agents and homograph attacks and how they handle them. So font rasterization and visual spoofing is our next topic. There are a bunch of important factors that we're going to see in the upcoming slides.
So these attacks, they happen a lot because of a few important factors. So the way the font is actually rendered onto the display, so display size, font size, they all play a role in fooling the user into believing that the domain that he is visiting or clicking is not the legitimate one. So as we can see here, using the font Tahoma at 68 point, in Latin, apple.com, and there is Apple with the Cyrillic confusable. There is absolutely no way to distinguish this from a visual standpoint. So even if we use another font, like Bookman Old Style at 70 point, we can see that there is a little thing off between the "l" and the other "l" for Apple, which is actually not an "l", it's just a capital "I" but in Cyrillic. And there are other fonts that actually do a better job at making these things distinguishable, as you can see here the Cyrillic one is pretty off, so you can actually tell there is something dodgy, something fishy going on.

And now we're talking about a user agent. So in this case secure messenger applications, Wire for desktop, this is the example here, and Telegram. So I zoomed in as well, some four hundred percent, and you can see that in here... Actually, I have to explain a few things before. So I registered here, I think they used to be Nokia Maps or something like that, so I registered a full homographic version of it in Cyrillic as part of the research for this talk. So I was doing all these tests and so on with some of these domains that I actually own, and by the way I'm actually happy to give them back to HERE if they're interested, because all the research is pretty much done by now. So yeah, let's go back here. So this is the legitimate one and the homograph one, how Wire renders them; you can see that pretty much everything is exactly the same, there is just something off in the "r".
But this is because we zoomed in a lot, four hundred percent actually, so pretty much five times as much. And in Telegram some characters as well, for example the "h" is a bit off in this particular case, but then as we'll see later there are some characters that are completely indistinguishable too. Yeah, so this is actually Telegram on iOS as well, and Wire. So yeah, let's move on with this.

So essentially, as I mentioned, ICANN had this resolution back twenty years ago or so when they came up with it, but then they realized that there were a few flaws in the way they were actually allowing people to register domains. So essentially they realized that there is this confusable, homograph thing and this can actually be a problem. So it means that people can register, say, google.com with the "e" that looks like the "e" from Cyrillic, and then that would be very complicated to actually slow down these attacks.

So in these lines we are talking about some of the rules around the registration of homograph domains, and they vary a lot depending on the top-level domain registry as well. So for example .net, .com, .tv and so on, they allow different scripts from many languages. So you can see it allows Portuguese, Romanian, Japanese, Thai and all these characters, for example. And a few others are more permissive, like .ws, .to, I think .la, where you can even come up with emojis, even though, if I'm not mistaken, the RFC doesn't allow emojis to be there. But well, it's not the first time that people don't really follow RFCs as they should. And for example .berlin, Latin and Cyrillic scripts are the only ones that get allowed.
So some top-level domains are actually a bit more restrictive than others. So yeah, as I said, version one allowed mixed scripts, and then they realized, well, this is actually a security problem and there will be a lot of trouble in the future with that, and I think it was 2000... well, a couple of years ago, there came a few other versions of this resolution, version two and three, that disallowed mixed scripts. However, pure scripts are still completely fine to register, and now what do we see here? So all these examples here, like PayPal, Apple, Opera and so on, they're all homograph domains that actually could be registered because there was no way to stop people from registering pure-script homographs, and the list goes on and on and on.

So now we're going to see some actual practical attacks. Let's see how this is actually going to build up into actual computer security problems. So the practical attacks: the very first time, this was even before IDN was actually reintroduced by ICANN and even before all these internationalized domains were even a thing. So this was back in 2001. Two Israeli researchers said, oh, this is actually going to be a security problem, and the original paper is very interesting. It's very short, only two or three pages I think, and I totally recommend the read to understand more about these issues. But only lately, I think in the past couple of years, especially this year, it has been picking up a lot, and phishers and other diverse adversaries are now onto this, and we are seeing a rise in such attacks.

I think it's also very important to speak briefly about some historical and recent bugs related to homographs. So Firefox: back in 2005 Eric Johanson from the Shmoo Group filed a ticket in Firefox's Bugzilla saying, hey, you guys are not doing anything to prevent such attacks.
This was, unfortunately, taken as a P3 importance bug, even though I think it's definitely something that should be higher. But so this was visual spoofing of the URL bar, and we're going to see some of that a bit later down the talk. Recently there have been a few CVEs, like one for Safari where this letter called "dum" was interpreted exactly as a Latin letter from, well, some language that nobody probably really speaks any more, but still it is in the Latin script, and then it was rendered by Safari purely as a "d" instead of this "dum". Also just recently, in 2019, there was one "k" in Cyrillic that was interpreted as an actual "k" in ASCII. And there was also this research by, well, I don't know, I cannot pronounce the guy's name, I'm sorry, who also found different vulnerabilities in the way Chrome, Firefox and a few other browsers, I think Opera as well, reacted to these kinds of problems. And as a response Chrome at least came up with an improvement in the algorithm to detect these confusables, and it's probably the best one that you have these days. And again there are a few tickets open in the Bugzilla of Firefox, treated as P3 importance again, whereas Chrome treats it as P1. And as Tor Browser is also based on Firefox, it means that it is also vulnerable, and unfortunately, I don't know why, but the people from Tor Browser could just go and fix this thing, but they claim that they are waiting for Chrome, I'm sorry, for Firefox, to know what they're going to do upstream in order to finally fix it.
I don't think that is actually an acceptable excuse, but anyway, just my personal opinion. So, yeah, the way browsers handle IDNs. So after these homograph attacks that were published by this Chinese researcher in 2017, Chrome stepped up the game big time, mad props for that, and then Firefox also, with Tor Browser still lagging behind. But yeah, the way that they handle IDNs: Chrome actually probably has a very complex policy that seems to do very well at preventing these attacks. Opera and Brave, I think they follow the same algorithm as Chrome; when I was doing tests, that's what it seemed to me at least. Internet Explorer surprisingly was never really vulnerable to this thing; this is probably the only class of bugs Internet Explorer was never vulnerable to. Whereas Firefox and Tor Browser are still lagging behind, as I just mentioned.

So now moving on to email clients and webmails. So this is what I call the backstabbing friend. So for the sake of user friendliness, some webmails and some email clients convert that Punycode that we just saw, the xn-- and some weird other characters, back into Unicode to make it user friendly. But very often there are no checks for confusable characters; they are not made. So as we're going to see here now, there's an example: there's Hushmail. So Hushmail is a secure mail provider, and if you really, really zoom, you're going to see this is actually a domain that I own as well, kind of part of this research on IDN homographs: Facebook with something on top of the "k". So if you just see it on your computer, it's as if there is some dirt on your screen. That's it.
It would just pass; it looks to you like facebook.com, and this actually goes straight into your inbox, doesn't get flagged by anti-spam or anything, or at least not with Hushmail and with a few other services that I tested, including some big ones that I unfortunately cannot really speak about now because they have not fixed it yet. Also, there was actually even a CVE assigned recently in Roundcube. So again, I use my domain here.com, there's the xn-- something; if I send an email to anyone using Roundcube, Roundcube will just convert it back to make it user friendly and it will appear as if it comes from here.com again. No checks and nothing else. I mean, actually Roundcube is doing exactly what it's supposed to do, deliver email, so it would just go straight into your inbox, but from a visual standpoint you can essentially spoof the domain name where this comes from.

And now, how Signal handles this. There was also a CVE assigned early this year, so Signal for both Android and Windows was vulnerable to this. So if you see here, can you spot the fake URL? There is actually no way to tell from a visual standpoint. Signal for iOS, I don't know why, but it made the link that was a homograph unclickable, so that's great, for iOS it didn't work. But for the other versions they were actually vulnerable. Telegram as well had the same issue, and Telegram actually went even as far as making that, you know, that quick preview of the website using the fake one, so you could really pull off a very convincing phishing attack with that.
So let's actually talk about a quick demo here of the homograph attacks with Signal and Tor Browser. I hope the video... all right. Yeah. So by the way, these issues were fixed by Signal a couple of months back. Also, actually Telegram fixed it for a while, but it seems that they just reintroduced it when I was checking things for the talk this week, and it seems like it went back, so some regression testing was not really done properly. But yeah, let's see the video here, the attack. So, yeah, there's a fake link to apple.com, totally legit, you can click, and then the URL bar, there is no way to tell. Oh, have to... oh, sorry, how to do that, I don't know. All right, sorry about that, guys. So, yeah, back here to the video. Yeah, it's like fake Apple. Yeah, the URL bar would just display apple and so on, and Tor Browser is still vulnerable to this, both the mobile version and the desktop version.

So let's go back to... all right, I don't know how to use my own computer, and I don't know where... that's actually shameful, I need some help again. I don't know how to... oh yeah, I need some help again. Sorry about that. So, yeah, talking all about this hacking and everything, but some basic stuff on the computer I can't do, that's pretty shameful.

All right, so as we just saw these issues here, now I think it's very important to talk about how to defend yourself. You know, honestly, for browsers, just use Google Chrome; they are the ones actually putting an effort into preventing such attacks, and also many other security-relevant stuff that Chrome does, so it's really worth using it. There are a few extensions developed by third parties, like phish.ai is one of them, that also prevent and detect some attacks. I believe there are other extensions too that will pretty much do the same. For Firefox you can actually turn the whole thing off by setting "show punycode" to true.
So it means that it will never show again all this Unicode thing; it would just show the actual Punycode of it. For email, I formally tested Outlook, ProtonMail, Tutanota, and they're fine. All the popular ones, not so much, as we just saw with Hushmail, and there are a few others, especially webmail providers, that have not done any work yet on this, even though for some of them I actually reported this: hey, I think it's a problem. Some of them replied, some of them not, some of them are slower than others to fix things. And then again, this is what Chrome just introduced, I think a month, a month and a half ago. So basically Chrome has a list of the, like, 10,000 most visited websites, and it will actually do some sort of work to detect, like, oh, looks like somebody's trying to pull off a homograph attack against GitHub, and are you sure you want to go to github.com or to this thing that's dodgy where somebody's trying to phish you? And also from a defense perspective, from the, sorry, from the human eye perspective, there was a proposal that never really took off: they wanted to have different colors for the letters that are not Latin alphabet, I mean the ones that are Latin-confusable. This never really took off; it's probably not that great from a user interface and user experience point of view, and I think that's why it never really picked up momentum. There are a few developer... sorry, application developers: there are a few libraries that check for confusables, so they would just do part of the heavy lifting for you.

And now we are wrapping up the talk. So essentially confusable homographs have been around for a while, as we saw, since some 20 years or so, since pretty much the very introduction of internationalized domain names by ICANN, but very little has been discussed around them and they're very frequently overlooked, and these issues are not really part of the threat model for many applications, as they are very often considered social engineering. So actually good luck to you if you're trying to submit something like this to a bug bounty program; many of them will say, hey, this is a social engineering attack, it's out of scope for my program. But actually some of the secure messengers, I actually got a bounty from one of them that I didn't really mention here because, well, we cannot really speak about it, it's part of the bug bounty program, but I think it was the only one that actually gave a small reward for this kind of issue, even though in the very beginning they said it's not a security issue because they're doing exactly what they're supposed to do, display links. But yeah, if you display a link to Google and when they click there it takes you somewhere else, there's probably something off. And ultimately I think application security teams can do much more by being proactive in preventing these threats. For example, Google Chrome is actually doing a pretty good job with that, not only now recently showing this interface to the user, hey, are you sure you're going to the correct website, but also improving their algorithms for showing the domain names. Whereas many other software is not actually doing it, instead asking users to be vigilant and please don't click on bad links or stuff like that.
It's just not really an option. Or even worse, waiting for ICANN to come up with the magic solution for the problem. I believe I remember that one of these secure messengers, when I reported this issue to them, they said, well, this is also not a problem because we are doing exactly what we're supposed to do, display links, and this is a problem with ICANN and registrars. It's like trying to shift the blame. No, it's actually not their fault. It's actually the fact that you're not really doing this thing correctly.

And here are a few references about this research. I really recommend reading them if you're interested. And yeah, thank you very much.

It's question time now. Thank you for the talk. Do we have any questions from the room here? Or the internet? Nope. Wow. This is really amazing. So I hope I explained everything so well that there are no questions left. Yeah, it kind of seems like that, there are no questions unanswered on this amazing topic. Okay, great. Then we'll wrap it up and call it a night. Thank you very much, and give him one more warm hand.
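As an added example (not part of the talk and not code from any product it mentions), the Python below sketches the defender-side checks the speaker describes: converting the xn-- Punycode form to Unicode the way a "user friendly" webmail does, flagging mixed-script labels as the later ICANN guidelines do at registration, and comparing a Latin "skeleton" of each label against a popular-sites list the way Chrome's top-sites check does, which also catches the pure-script homographs registrars still allow. The confusable table and the popular-sites list are constructed stand-ins; only the standard library is used.

```python
"""Homograph checks for domain names: Punycode <-> Unicode, mixed-script detection
and a Latin 'skeleton' compare against a popular-sites list.  Standard library only."""
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin letters in
# common fonts; the authoritative table is Unicode TR39 confusables.txt.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0458": "j", "\u04bb": "h", "\u04cf": "l", "\u0501": "d",  # Cyrillic ј һ ӏ ԁ
    "\u03bf": "o", "\u03c1": "p",                                # Greek ο ρ
}

# Constructed stand-in for the "most visited sites" list a browser compares against.
POPULAR = {"apple", "google", "facebook", "paypal", "github", "here"}


def to_ascii(domain: str) -> str:
    """Unicode domain -> the xn-- (Punycode) form that DNS actually resolves."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Either form -> Unicode, i.e. what a 'user friendly' webmail or URL bar shows."""
    return domain.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Script from the Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC').
    Digits, hyphens and symbols such as emoji are script-neutral ('COMMON')."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyse_label(label: str, popular: set = POPULAR) -> list:
    """Findings for one DNS label; an empty list means nothing suspicious."""
    findings = []
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    if len(scripts) > 1:  # the rule later ICANN IDN guidelines apply at registration
        findings.append("mixed scripts: " + ", ".join(sorted(scripts)))
    skeleton = "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)
    if skeleton != label:  # at least one letter only *looks* Latin
        if skeleton in popular:  # Chrome-style compare against top sites
            findings.append(f"confusable with popular '{skeleton}'")
        elif all(ch in CONFUSABLE_TO_LATIN or script_of(ch) == "COMMON" for ch in label):
            # Pure-script homograph: registrars allow it, so it has to be caught here.
            findings.append(f"whole-script confusable, reads as '{skeleton}'")
    return findings


def check_domain(domain: str, popular: set = POPULAR) -> dict:
    """Normalise either form to Unicode, then run the checks label by label."""
    uni = to_unicode(domain.lower())
    findings = {}
    for label in uni.split("."):
        hits = analyse_label(label, popular)
        if hits:
            findings[label] = hits
    return {"unicode": uni, "ascii": to_ascii(uni), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the Cyrillic 'apple' homograph (Punycode form), a mixed-script
    # 'facebook', a legitimate German IDN and an ordinary all-Cyrillic domain.
    for d in ["apple.com", "xn--80ak6aa92e.com", "faceb\u043e\u043ek.com",
              "b\u00fccher.example", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"]:
        r = check_domain(d)
        print(f"{r['ascii']:30} {r['unicode']:16} {r['findings'] or 'ok'}")
```

The legitimate IDN and the ordinary Cyrillic domain produce no findings, which is the point: the check fires on lookalikes, not on non-Latin scripts as such.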