

The blackjack vulnerability - jbaiter
http://méric.fr/blog/blackjack.html

======
mdaniel
Apologies for the slightly OT comment:

I hadn't seen one of the new unicode domains outside of Asian script before,
and thus didn't have any mental correlation between the written version and
the domain name. But that domain has a lot more letters than does the HN
summary text next to the link.

Bizarrely enough, my Chrome 41 doesn't render the address bar with the unicode
flavor, either. Firefox 36 renders it correctly in the status bar (link hover)
as well as the address bar.

~~~
zerocrates
All the browser vendors handle IDNs a little differently to combat visual
spoofing issues.

Chrome only shows the Unicode version of an IDN if all the letters appear in
one of the languages you've told Chrome you read. So, if you add French to
your list of languages, Chrome will show the "real" Unicode domain name
instead of the Punycode.

~~~
mdaniel
Interestingly enough, Chrome is the odd-browser-out on this one (err, I didn't
check IE cause I don't have one handy, so let's just assume they do things
wrong and move on). Safari 7.1 also behaves like Firefox and (IMHO) does the
correct thing. It is just silly that Chrome thinks I can't handle méric in my
address bar because I don't browse in French.

As another interesting observation, Chrome on Android does as Chrome desktop
does (Firefox Android similarly to its desktop companion), but the "Internet",
which I presume is just fancy trimmings around the Web View component in
Android, behaves like all the non-Chrome engines and renders the e-acute on
4.4.4. I just got my Android 5 update this weekend on my tablet, which brought
with it a revamped Web View component so it's likely going to behave like
Chrome does. I'll try to remember to check it.

~~~
xyzzy123
> It is just silly that Chrome thinks I can't handle méric in my address bar

To rephrase GP post, it's because they think you can't handle:
[https://www.bankofamérica.com](https://www.bankofamérica.com). Well, _you_
probably can, mostly. On a retina screen, my eyes aren't good enough to spot
the difference when the "i" is accented.

The Chrome team's decision seems a reasonable compromise to me.
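
The display rule zerocrates describes and the look-alike case xyzzy123 raises, as an added example that is not part of the thread and is not Chrome's code. It is a simplified model: the per-language letter tables and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumption: small per-language letter sets standing in for a browser's real tables.
LANG_LETTERS = {
    "en": set("abcdefghijklmnopqrstuvwxyz"),
    "fr": set("abcdefghijklmnopqrstuvwxyzàâçéèêëîïôùûüÿ"),
}
ALWAYS_OK = set("0123456789-")


def to_punycode(host):
    """ASCII (xn--) form of a hostname, using Python's built-in IDNA codec."""
    return host.encode("idna").decode("ascii")


def display_form(host, user_langs):
    """Show the Unicode name only if every character belongs to a language
    the user reads; otherwise fall back to Punycode (rule as described above)."""
    host = unicodedata.normalize("NFC", host.lower())
    allowed = set(ALWAYS_OK)
    for lang in user_langs:
        allowed |= LANG_LETTERS.get(lang, set())
    labels = host.split(".")
    if all(ch in allowed for label in labels for ch in label):
        return host
    return to_punycode(host)


def non_ascii_chars(host):
    """List each non-ASCII character with its Unicode name, for manual review."""
    host = unicodedata.normalize("NFC", host)
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


if __name__ == "__main__":
    # Hostnames taken from the thread; language lists are constructed samples.
    for host, langs in [
        ("méric.fr", ["en"]),
        ("méric.fr", ["en", "fr"]),
        ("bankofamérica.com", ["en"]),
    ]:
        print(f"{host!r} with languages {langs}: {display_form(host, langs)}")
        print("   non-ASCII:", non_ascii_chars(host))
```

For an English-only reader both accented hostnames fall back to their `xn--` form, which is what makes the substituted letter visible.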

------
omgitstom
I'm pretty sure this was discovered years ago. Or at least my brain is
convinced it was.

Edit: Just saw the author's notes that this may have been found before... If
anyone is curious, I found one of the original reports on this:

[https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf](https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)

~~~
jakobdabo
Yes this is old news, and here is software for recovering the password when
WPS is enabled:
[https://code.google.com/p/reaver-wps/](https://code.google.com/p/reaver-wps/)

~~~
mirashii
This tool is doing the brute force of 11000 PINs, which is mentioned in the
article but not this particular attack.

------
f055
All routers should have WPS off by default. Period.

~~~
jgrowl
Routers that don't even have the option to turn WPS off make me sad (without
dd-wrt, tomato, etc).

~~~
cmdrfred
Even better are the ones that you can turn off, but in reality it stays on.

~~~
xyzzy123
My ISP keeps turning it back on with TR-069 :(

------
t0mas88
The writing style on this post is so bad I almost didn't make it to the end.
Random distracting comments and grammar that looks like Google translate...
Fortunately I was so curious about the attack I plowed through.

~~~
mattmanser
He's French. You can tell he's French just from his phrasing, without the
other big clues of:

1. A .fr domain

2. The rest of the site is in French

I guess we're getting so used to English dominance now.

~~~
t0mas88
English isn't my native language either, so that's not really an excuse. But
native speakers may be better at deciphering "broken" grammar.

