Looking at the certificate posted lower in this thread, everyone is throwing a fit over nothing. This is the correct way to do what they want to do, unless they want to register/use an application protocol.
They have a REST server running locally, and they want to link to it from websites on the internet. So they created the domain localbattle.net which points to 127.0.0.1. But there's a problem, they can't use http traffic (because of mixed content warnings, even though it wouldn't really be insecure), so they have to use https traffic. They can't use a public CA because the CA would throw a fit if they found out keys for certs were being distributed in an application (they could lose trust in major browsers due to something like that). So they generate a non-ca certificate (notice the cert doesn't have basicConstraints: CA=true) during setup, install it in the OS so the browsers trust it, and use it in their local webserver. The key is only available on the computer (and I assume it's stored in a secure manner). The only way they could use this cert to mitm your SSL traffic, or phish/pharm you is to do that same process with a different domain in the subjaltname extension.
I think this is a clever and secure solution to the problem they face.
At the end of the day you're already running their code on your computer and have given it admin privileges in the past, so you can't say you don't trust the application, and this doesn't introduce any supply-chain type vulnerabilities that could be exploited down the line (that didn't already exist in the auto-updater, which is a much bigger issue I have with the Blizzard client).
So I guess I'm asking, what am I missing, why is everyone freaking out at Blizzard?
As a non-techie, can someone expand the reddit post below, and why each individual's person private key is thought to be secured? Is the private key like a super password?
This is very concerning. The implication of this is super super dangerous. If anyone gets hold of the private key (which I sure hope is secure, but I'm not holding my breath), they can snoop on all of your traffic, and steal your password and credit card numbers. Usual Root CAs (Commodo, etc...) are held to very very very high standards in how securly they store their private key because of just how bad it is for it to leak. They are forced to undergo a very thorough audit process before being trusted. But since blizzard is not an official CA, they don't have to undergo the same process, even though a failure would be equally disastrous.
There is no valid reason whatsoever to install a Root CA here. What blizzard is doing is simply wrong, from a technical and ethical perspective. From what I understand, it is used to implement facebook login. There are other, better ways to do this. They could use an embedded browser instead of the default browser. They could use http instead of https (the url should be local anyway, and as such, secure). They could have registered a Custom URI scheme. The alternative, secure solutions are plenty.
Furthermore, Battle.net is failing in other ways. Everyone that has battle.net has a permanent server on localhost:22885. From what I gather, this is what they use to implement the facebook login, but the server is always on, instead of being only enabled when facebook login is actually in use. This is another big can of worm. We've seen previously that such things can lead to Remote Code Execution (basically a very convenient way to spread viruses) because any browser can make connections to it.
Blizzard needs to fix this shit now.
So far what I've done under my Windows 7 machine is to placed the certificate under "Untrusted Certificates" and under properties, turned on "Disable all purposes for this certificate". Are there any other measures that I should take to completely prevent this certificate from causing potential harm?
This isn't a CA certificate -- it is missing the CA basic constraints as well as missing the "certificate sign" key usage from X509v3, so most TLS libraries will not validate a chain that is signed by this certificate.
"most TLS libraries" is vague. Microsoft and Apple each include one with their OS. The Microsoft one definitely accepts total garbage as a valid CA root. I know because my employer pushed such a root to enable their MitM proxy and it worked fine... in Windows (and thus IE/ Edge). They had to replace it because Firefox and other systems threw a fit.
I'm happy to be proved wrong about this, but my experience tells me "most TLS libraries" is misleading even if technically true.
Our recent update to the Blizzard Battle.net desktop app made sure players could properly use features like logging in to Battle.net via a social network, or joining a Blizzard group via an invite link. To facilitate these features, we updated the local webserver to use a self-signed certificate to be consistent with current industry security standards.
For those interested in more detail, using these features requires your web browser to communicate with the Blizzard Battle.net desktop app. Previously, the desktop app used a certificate signed by a public Certificate Authority, meaning that no modifications to your system certificates were necessary; however, this technique is incompatible with Certificate Authority policies and we can no longer use it.
While some browsers such as Chrome and Firefox are equipped to handle browser-to-app communication techniques, the changes were necessary for other browsers. For the time being, the desktop app generates a self-signed certificate that’s unique to your machine and configures your system to trust it.
Former WOW and D3 player here. Think that majority of players are minors/teenagers with next-to-zero knowledge of what a "root CA" is and what it can do to your encrypted traffic.
I don't understand why Battle.net would do this, but I guess NOW they have to issue a statement about this.
Innocent version: oops we made a mistake.
Actual version: oops we got caught with our hand in the cookie-jar.
This was triggered by Tavis Ormandy and he says it's fine [1]. I honestly don't know enough to tell, is he correct when he says that it doesn't actually make any difference?
I think the root problem is that apparently connections to http://localhost from a https:// site are considered mixed content and therefore blocked. I thought there was an exception for localhost, but apparently there isn't. [1] (I don't really understand the rationale for this)
So with connections to http://localhost not possible due to mixed content and connections to https://localhost not possible because your cert will be blocked, there doesn't seem to be any obvious way left to connect from https to localhost at all.
This is how the system was meant to work. The irresponsibility of the centralized CA infra has been known for a little while now, and it's time to let the users see how shaky this trust model really is. Let them have certs that are actually made by the companies they trust instead of some stupid third party.
No, not across all applications on your computer. This is not about using your own CA, it's about making other software use your CA. They could just issue an update to their software to trust their own certs instead of infecting the rest of the OS.
What's the practical difference between operating their own root and potentially mismanaging it, versus buying a wildcard cert and potentially mismanaging that?
edit: to answer my own dumb question, the major issue is that Blizzard or someone who steals Blizzard's root CA private key would be able to impersonate any domain they wanted, instead of just Blizzard's.
So this is why "Agent" has been asking for my root password randomly recently? It doesn't need root to upgrade itself or its games so I had no idea what it was doing. I'm glad I kept denying it.
From some various comments on that thread, it appears it may have been a mistake, where they put the cert in the wrong store? Blizzard has a good reputation in my mind personally, so I'm giving the benefit of the doubt here.
Initially this was troubling news though, and will continue to be without some kind of confirmation.
If, as the comments say, this was in the OS-level store for both macOS and Windows, the only way I could see it being an accident would be if they are using a very high level cross-platform abstraction. Which I doubt. But of course we should always wait for official word before judging (still your choice whether to believe it).
Does it need to be a whole septate machine? If I run Linux as my daily driver and a Windows install on a separate drive/partition for gaming only, then I'll only be exposed to any potential risks for this when I boot to Windows, right?
“Silently”? macOS will pop a prompt for new root CA, and from what I’m reading in the thread, Windows will, too. Did I miss the part where a software vendor can slip in a new root CA without me knowing about it?
Most users have no idea what a root ca even is, so they have no ability to judge whether to accept or decline. Even with a prompt, they are not aware of what is happening.
[+] [-] theossuary|8 years ago|reply
They have a REST server running locally, and they want to link to it from websites on the internet. So they created the domain localbattle.net which points to 127.0.0.1. But there's a problem, they can't use http traffic (because of mixed content warnings, even though it wouldn't really be insecure), so they have to use https traffic. They can't use a public CA because the CA would throw a fit if they found out keys for certs were being distributed in an application (they could lose trust in major browsers due to something like that). So they generate a non-ca certificate (notice the cert doesn't have basicConstraints: CA=true) during setup, install it in the OS so the browsers trust it, and use it in their local webserver. The key is only available on the computer (and I assume it's stored in a secure manner). The only way they could use this cert to mitm your SSL traffic, or phish/pharm you is to do that same process with a different domain in the subjaltname extension.
I think this is a clever and secure solution to the problem they face. At the end of the day you're already running their code on your computer and have given it admin privileges in the past, so you can't say you don't trust the application, and this doesn't introduce any supply-chain type vulnerabilities that could be exploited down the line (that didn't already exist in the auto-updater, which is a much bigger issue I have with the Blizzard client).
So I guess I'm asking, what am I missing, why is everyone freaking out at Blizzard?
[+] [-] TaylorSwift|8 years ago|reply
This is very concerning. The implication of this is super super dangerous. If anyone gets hold of the private key (which I sure hope is secure, but I'm not holding my breath), they can snoop on all of your traffic, and steal your password and credit card numbers. Usual Root CAs (Commodo, etc...) are held to very very very high standards in how securly they store their private key because of just how bad it is for it to leak. They are forced to undergo a very thorough audit process before being trusted. But since blizzard is not an official CA, they don't have to undergo the same process, even though a failure would be equally disastrous.
There is no valid reason whatsoever to install a Root CA here. What blizzard is doing is simply wrong, from a technical and ethical perspective. From what I understand, it is used to implement facebook login. There are other, better ways to do this. They could use an embedded browser instead of the default browser. They could use http instead of https (the url should be local anyway, and as such, secure). They could have registered a Custom URI scheme. The alternative, secure solutions are plenty.
Furthermore, Battle.net is failing in other ways. Everyone that has battle.net has a permanent server on localhost:22885. From what I gather, this is what they use to implement the facebook login, but the server is always on, instead of being only enabled when facebook login is actually in use. This is another big can of worm. We've seen previously that such things can lead to Remote Code Execution (basically a very convenient way to spread viruses) because any browser can make connections to it.
Blizzard needs to fix this shit now.
So far what I've done under my Windows 7 machine is to placed the certificate under "Untrusted Certificates" and under properties, turned on "Disable all purposes for this certificate". Are there any other measures that I should take to completely prevent this certificate from causing potential harm?
[+] [-] codinghorror|8 years ago|reply
(Also not sure if anti-cheat is a factor here?)
[+] [-] kondbg|8 years ago|reply
[+] [-] tialaramex|8 years ago|reply
I'm happy to be proved wrong about this, but my experience tells me "most TLS libraries" is misleading even if technically true.
[+] [-] tptacek|8 years ago|reply
[+] [-] barbs|8 years ago|reply
Our recent update to the Blizzard Battle.net desktop app made sure players could properly use features like logging in to Battle.net via a social network, or joining a Blizzard group via an invite link. To facilitate these features, we updated the local webserver to use a self-signed certificate to be consistent with current industry security standards.
For those interested in more detail, using these features requires your web browser to communicate with the Blizzard Battle.net desktop app. Previously, the desktop app used a certificate signed by a public Certificate Authority, meaning that no modifications to your system certificates were necessary; however, this technique is incompatible with Certificate Authority policies and we can no longer use it.
While some browsers such as Chrome and Firefox are equipped to handle browser-to-app communication techniques, the changes were necessary for other browsers. For the time being, the desktop app generates a self-signed certificate that’s unique to your machine and configures your system to trust it.
[+] [-] HenryBemis|8 years ago|reply
I don't understand why Battle.net would do this, but I guess NOW they have to issue a statement about this.
Innocent version: oops we made a mistake.
Actual version: oops we got caught with our hand in the cookie-jar.
[+] [-] PeterStuer|8 years ago|reply
[+] [-] cyansmoker|8 years ago|reply
Innocent version: we did nothing wrong and you are reacting before having even looked at that certificate.
[+] [-] mwfj|8 years ago|reply
Arent' they making lots of money off these poor addicts already?
[+] [-] Ajedi32|8 years ago|reply
[1]: https://groups.google.com/forum/#!topic/mozilla.dev.security...
[+] [-] kbwt|8 years ago|reply
Edit: This was written assuming CA bit = 1.
[+] [-] xwvvvvwx|8 years ago|reply
[1]: https://twitter.com/chort0/status/943933566596952065
[+] [-] xg15|8 years ago|reply
So with connections to http://localhost not possible due to mixed content and connections to https://localhost not possible because your cert will be blocked, there doesn't seem to be any obvious way left to connect from https to localhost at all.
[1] https://security.stackexchange.com/questions/104801/why-aren...
[+] [-] 5ilv3r|8 years ago|reply
[+] [-] kodablah|8 years ago|reply
No, not across all applications on your computer. This is not about using your own CA, it's about making other software use your CA. They could just issue an update to their software to trust their own certs instead of infecting the rest of the OS.
[+] [-] 1_2__4|8 years ago|reply
[+] [-] gnu8|8 years ago|reply
edit: to answer my own dumb question, the major issue is that Blizzard or someone who steals Blizzard's root CA private key would be able to impersonate any domain they wanted, instead of just Blizzard's.
[+] [-] hrrsn|8 years ago|reply
Having a CA means they can mismanage any domain.
[+] [-] chacham15|8 years ago|reply
[+] [-] kbd|8 years ago|reply
[+] [-] szastupov|8 years ago|reply
[+] [-] sannee|8 years ago|reply
[+] [-] AaronFriel|8 years ago|reply
The thumbprint is e8e6a2932ae8de6eb3b555270b55fdc72b7db7b7, but it's limited to the subject alternative name "DNS Name=localbattle.net".
[+] [-] kbwt|8 years ago|reply
[+] [-] kup0|8 years ago|reply
Initially this was troubling news though, and will continue to be without some kind of confirmation.
[+] [-] kodablah|8 years ago|reply
[+] [-] bitL|8 years ago|reply
[+] [-] Cookiesaurusbex|8 years ago|reply
[+] [-] jwilk|8 years ago|reply
You could look at the "Not Valid Before" date, which is 2017-12-21.
[+] [-] ChuckMcM|8 years ago|reply
[+] [-] throw7|8 years ago|reply
[+] [-] mikestew|8 years ago|reply
[+] [-] bagacrap|8 years ago|reply
[+] [-] ntumlin|8 years ago|reply
Attention: You must click OK to play this game.
[+] [-] enzanki_ars|8 years ago|reply
> I got a strange prompt that Agent wanted to make changes on my computer and needed my admin password
An admin/mod should change the title here, but the concern is still the same.
[+] [-] noncoml|8 years ago|reply
Or are you trying to derail the conversation on purpose?