Internationalized Domain Names… and its possible bad uses

Presented at BalCCon2k22 - Loading (2022), Sept. 25, 2022, 1:50 p.m. (40 minutes).

Internationalized Domain Names, or IDNs, exist for a good reason: ASCII is not the only alphabet in the world. But could IDNs be exploited to lure users to bad websites? We'll go through DNS and IDN naming history, past exploitations of homograph attacks, some attacks I've done, and ways to protect yourself against homograph attacks.

Plan of the presentation (subject to change):

  • Domain names
    - A bit of history
    - What is IDN?
    - Punycode?
  • Let's play a game :)
  • In the wild
    - Some historical examples of IDN squatting in the wild
    - What about bad guys?
    - A bad idea later... my funny IDN squatting
    - Consequences
  • How to patch/protec/prevent?

Presenters:

  • fladnaG
    Independent Pentester and Teacher in Cybersecurity and sysadmin since 2017, located in Marseille, south of France. Topics of interest: Cryptography, Authentication, OSINT, Web apps, FOSS, Rakija (especially the honey ones). Social Networks: https://twitter.com/fladna9
