Character Assassination Fun and Games with Unicode - Adrian Crenshaw

Explore the intricacies of Unicode and its potential for character assassination in this comprehensive conference talk. Delve into Unicode history, encodings, and examples, including UTF-16 encoding and Mojibake. Learn about classic phishing obfuscations, homographs, and the challenges they pose to DNS. Examine browser protections, registrar defenses, and test various platforms like Outlook 2010 and Facebook. Investigate steganography techniques, name spoofing, right-to-left text manipulation, and file name vulnerabilities. Analyze non-visual attacks, canonicalization errors, and UTF-8 exploits. Discover real-life examples, such as the Spotify case, and understand how Unicode can be used to thwart searches and obscenity filters. Finally, explore the complexities of buffer overflows in relation to Unicode characters.

Intro
Why Unicode
Unicode History
Encodings
Encoding Examples
UTF-16 Encoding
Mojibake!
Find Your Character
Typing Unicode
Classic Phishing Obfuscations
Homographs
Problem: DNS is ASCII
What about Homoglyphs in Unicode?
Likely Sources for Homoglyphs
Slashes?
Protections Implemented by Browsers
Defenses by Registrar
Approach
Test Strings
Outlook 2010
Facebook
Fonts Matter
Steganography
Stego Examples
Examples: "It worked?"
Name Spoofing
Right to left?
What about file names?
Non Visual
Canonicalization Errors?
Other Transforms
UTF-8 Exploits
Text Comparison (Normalization)
Real-life Example: Spotify
Thwart Searches/Obscenity Filters
Complexities With Buffer Overflows