
Blizzard's Battle.net Updater Installs Root Certificate - roblabla
https://www.reddit.com/r/heroesofthestorm/comments/7lb8vq/hey_blizzard_whats_the_deal_with_this_sneaky_root/
======
theossuary
Looking at the certificate posted lower in this thread, everyone is throwing a
fit over nothing. _This is_ the correct way to do what they want to do, unless
they want to register/use an application protocol.

They have a REST server running locally, and they want to link to it from
websites on the internet. So they created the domain localbattle.net which
points to 127.0.0.1. But there's a problem, they can't use http traffic
(because of mixed content warnings, even though it wouldn't really be
insecure), so they have to use https traffic. They can't use a public CA
because the CA would throw a fit if they found out keys for certs were being
distributed in an application (they could lose trust in major browsers due to
something like that). So they generate a non-ca certificate (notice the cert
doesn't have basicConstraints: CA=true) during setup, install it in the OS so
the browsers trust it, and use it in their local webserver. The key is only
available on the computer (and I assume it's stored in a secure manner). The
only way they could use this cert to mitm your SSL traffic, or phish/pharm you
is to do that same process with a different domain in the subjaltname
extension.

I think this is a clever and secure solution to the problem they face. At the
end of the day you're already running their code on your computer and have
given it admin privileges in the past, so you can't say you don't trust the
application, and this doesn't introduce any supply-chain type vulnerabilities
that could be exploited down the line (that didn't already exist in the auto-
updater, which is a much bigger issue I have with the Blizzard client).

So I guess I'm asking, what am I missing, why is everyone freaking out at
Blizzard?

~~~
TaylorSwift
As a non-techie, can someone expand the reddit post below, and why each
individual's person private key is thought to be secured? Is the private key
like a super password?

 _This is very concerning. The implication of this is super super dangerous.
If anyone gets hold of the private key (which I sure hope is secure, but I 'm
not holding my breath), they can snoop on all of your traffic, and steal your
password and credit card numbers. Usual Root CAs (Commodo, etc...) are held to
very very very high standards in how securly they store their private key
because of just how bad it is for it to leak. They are forced to undergo a
very thorough audit process before being trusted. But since blizzard is not an
official CA, they don't have to undergo the same process, even though a
failure would be equally disastrous.

There is no valid reason whatsoever to install a Root CA here. What blizzard
is doing is simply wrong, from a technical and ethical perspective. From what
I understand, it is used to implement facebook login. There are other, better
ways to do this. They could use an embedded browser instead of the default
browser. They could use http instead of https (the url should be local anyway,
and as such, secure). They could have registered a Custom URI scheme. The
alternative, secure solutions are plenty.

Furthermore, Battle.net is failing in other ways. Everyone that has battle.net
has a permanent server on localhost:22885. From what I gather, this is what
they use to implement the facebook login, but the server is always on, instead
of being only enabled when facebook login is actually in use. This is another
big can of worm. We've seen previously that such things can lead to Remote
Code Execution (basically a very convenient way to spread viruses) because any
browser can make connections to it.

Blizzard needs to fix this shit now._

So far what I've done under my Windows 7 machine is to placed the certificate
under " _Untrusted Certificates_ " and under properties, turned on " _Disable
all purposes for this certificate_ ". Are there any other measures that I
should take to completely prevent this certificate from _causing_ potential
harm?

~~~
Pyxl101
According to commits in this HN thread, including the one you're replying to
(which I have not independently verified), that Reddit post is factually
mistaken about crucial points. There is no reason to be alarmed, to worry
about the certificate, or try to disable it.

There may be some merit to the point about running the local permanent HTTPS
server but that's unrelated to the certificate.

I tried to expand this comment to include a technical explanation of the
issues, but it became quite long. I'll try to simplify and summarize: there
are legitimate security concerns about applications that install their own
Certificate Authorities (CAs, aka root certificates), especially when the same
one is being installed on all computers. A Certificate Authority has the
ability to issue certificates for _any website_ , so it has the ability to
compromise the user's traffic to any website if mismanaged. Blizzard didn't do
that. Blizzard installs a randomly generated, unique-to-the-user certificate (
_not_ certificate authority) for Blizzard's own website domain name. This does
not present any of the security issues alleged by the Reddit comment.

So there is no root certificate or CA involved -- the title of this HN article
is incorrect and the Reddit thread is mistaken. (To caveat again: I have not
personally verified this, and am digesting information supplied by other
HNers) However, if you don't plan to log in to Battle.net using Facebook, then
there's probably no downside to disabling this certificate either.

~~~
TaylorSwift
Thanks, so from my reading of this, this certificate had no functions of an
actual root certificate and thus having MITM or other attack vectors aren't
possible.

------
kondbg
This isn't a CA certificate -- it is missing the CA basic constraints as well
as missing the "certificate sign" key usage from X509v3, so most TLS libraries
will not validate a chain that is signed by this certificate.

~~~
tialaramex
"most TLS libraries" is vague. Microsoft and Apple each include one with their
OS. The Microsoft one definitely accepts total garbage as a valid CA root. I
know because my employer pushed such a root to enable their MitM proxy and it
worked fine... in Windows (and thus IE/ Edge). They had to replace it because
Firefox and other systems threw a fit.

I'm happy to be proved wrong about this, but my experience tells me "most TLS
libraries" is misleading even if technically true.

~~~
zaroth
If you add a non-CA enabled certificate to the Trust store and a TLS library
decides to trust it to sign a cert chain, that TLS library is horribly broken
and needs a critical CVE. File a bug an earn a $10k bounty, but I’m guessing
this is FUD and Blizzard did nothing wrong here and exposed exactly no one to
any kind of risk.

In fact it appears they did exactly the right thing to get https working
correctly in their mixed-mode (localhost + outside world) environment.

~~~
tialaramex
The fact you think this makes Microsoft's TLS library (SChannel) "horribly
broken" doesn't magically mean I get a $10k bounty award. Microsoft considers
that if you put a cert which lacks CA:TRUE into your local trust store you
must know what you're doing and want to trust it as a CA anyway. They're
entitled to whatever opinion they want, and don't have to pay third parties
just because somebody on HN disagrees.

Now, if you want you can argue that Blizzard weren't to know this would
happen. And that, depending on what else they've done this might be safe
anyway, but I wasn't commenting on either of those, only pointing out that
SChannel doesn't care about basic constraints on trusted roots.

------
barbs
Response from Blizzard:
[https://us.battle.net/forums/en/bnet/topic/20760626838](https://us.battle.net/forums/en/bnet/topic/20760626838)

 _Our recent update to the Blizzard Battle.net desktop app made sure players
could properly use features like logging in to Battle.net via a social
network, or joining a Blizzard group via an invite link. To facilitate these
features, we updated the local webserver to use a self-signed certificate to
be consistent with current industry security standards.

For those interested in more detail, using these features requires your web
browser to communicate with the Blizzard Battle.net desktop app. Previously,
the desktop app used a certificate signed by a public Certificate Authority,
meaning that no modifications to your system certificates were necessary;
however, this technique is incompatible with Certificate Authority policies
and we can no longer use it.

While some browsers such as Chrome and Firefox are equipped to handle browser-
to-app communication techniques, the changes were necessary for other
browsers. For the time being, the desktop app generates a self-signed
certificate that’s unique to your machine and configures your system to trust
it._

------
HenryBemis
Former WOW and D3 player here. Think that majority of players are
minors/teenagers with next-to-zero knowledge of what a "root CA" is and what
it can do to your encrypted traffic.

I don't understand why Battle.net would do this, but I guess NOW they have to
issue a statement about this.

Innocent version: oops we made a mistake.

Actual version: oops we got caught with our hand in the cookie-jar.

~~~
johansch
Why in the world would they do this, though? I'm at a loss.

Arent' they making lots of money off these poor addicts already?

~~~
AFNobody
There is stuff they do for cheat/crack detection that involve https is the
only thing I can think of.

~~~
nrhk
That must be it, the more intrusive it can be, the better the anti-cheat will
preform.

I'm sure with Overwatch trying to become legit and the hundreds of millions
that will go towards the Overwatch League, they need to ensure a level playing
field.

~~~
skate22
Kickbots in WoW are annoying as hell too.

------
Ajedi32
I'm guessing this is Blizzard's response to [their previous cert being
revoked][1].

[1]:
[https://groups.google.com/forum/#!topic/mozilla.dev.security...](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/pk039T_wPrI)

~~~
kbwt
So it may have been intentional. Couldn't this expose Blizzard employees to
criminal charges?

Edit: This was written assuming CA bit = 1.

------
xwvvvvwx
This was triggered by Tavis Ormandy and he says it's fine [1]. I honestly
don't know enough to tell, is he correct when he says that it doesn't actually
make any difference?

[1]:
[https://twitter.com/chort0/status/943933566596952065](https://twitter.com/chort0/status/943933566596952065)

~~~
xg15
I think the root problem is that apparently connections to
[http://localhost](http://localhost) from a [https://](https://) site are
considered mixed content and therefore blocked. I thought there was an
exception for localhost, but apparently there isn't. [1] (I don't really
understand the rationale for this)

So with connections to [http://localhost](http://localhost) not possible due
to mixed content and connections to [https://localhost](https://localhost) not
possible because your cert will be blocked, there doesn't seem to be any
obvious way left to connect from https to localhost at all.

[1] [https://security.stackexchange.com/questions/104801/why-
aren...](https://security.stackexchange.com/questions/104801/why-arent-mixed-
content-connections-allowed-on-localhost)

~~~
user5994461
Remember than any page in your browser can run scripts from your computer.
Browsers have a security model of what is allowed or not, that is a huge
super-complicated mess. One of the protection is blocking mixed http and
https.

localhost and 127.0.0.1 never get exceptions to security rules, including
mixed content.

The rational is that there are many intranet and local applications that might
be accessible on 127.0.0.1, they were not designed or secured to be accessible
from the internet.

~~~
xg15
I don't think that really makes sense in that context. The current situation
is that you can happily access localhost from _unencrypted_ sites - even
though those sites are _more_ likely to contain malicious code.

Additionally, localhost services are treated as a separate origin, so if a
service is non-cooperating, you can only send fire-and-forget GETs which
reduces the attack surface considerably.

------
5ilv3r
This is how the system was meant to work. The irresponsibility of the
centralized CA infra has been known for a little while now, and it's time to
let the users see how shaky this trust model really is. Let them have certs
that are actually made by the companies they trust instead of some stupid
third party.

~~~
kodablah
> This is how the system was meant to work.

No, not across all applications on your computer. This is not about using your
own CA, it's about making other software use your CA. They could just issue an
update to their software to trust their own certs instead of infecting the
rest of the OS.

~~~
5ilv3r
They could. That would be a bit tricky though since http libs usually use the
shared system cert store.

~~~
kodablah
Any reasonable one would allow you to change the trust store or approach
programmatically.

~~~
5ilv3r
My argument was that centralizing trust as a service is unsustainable. That's
all.

------
gnu8
What's the practical difference between operating their own root and
potentially mismanaging it, versus buying a wildcard cert and potentially
mismanaging that?

edit: to answer my own dumb question, the major issue is that Blizzard or
someone who steals Blizzard's root CA private key would be able to impersonate
any domain they wanted, instead of just Blizzard's.

~~~
hrrsn
Buying a wildcard cert means they can mismanage their keys for *.battle.net.

Having a CA means they can mismanage any domain.

~~~
wyldfire
I think you understand what having a Root CA means but you haven't clearly
explained what "mismanage any domain" means in real terms to folks who don't
know these details.

It means that employees of Blizzard (hopefully not many of them but who knows)
can now create certificates that will be accepted as "Wells Fargo" when the
user tries to go to "[https://wellsfargo.com"](https://wellsfargo.com"). Their
browser will show the green icon because the browser relies on the Root CAs in
the trust store. I think/hope this will break for HSTS sites like most banks.
I also think this was likely not intended maliciously by Blizzard. But it's
incompetent and opens up unnecessary risk.

------
kbd
So _this_ is why "Agent" has been asking for my root password randomly
recently? It doesn't need root to upgrade itself or its games so I had no idea
what it was doing. I'm glad I kept denying it.

------
szastupov
Well, they are very sloppy about security, look at the permissions they set
for battle.net files
[https://pbs.twimg.com/media/DOvhmJ1WkAAFCSD.jpg](https://pbs.twimg.com/media/DOvhmJ1WkAAFCSD.jpg)
(sorry for screenshot)

~~~
sannee
I mean, sure, it's not exactly in good taste, but noone really uses multi-user
desktop setups these days...

------
AaronFriel
I just checked and found "Blizzard Battle.net Local Cert" in certmgr on my
home Windows 10 desktop.

The thumbprint is e8e6a2932ae8de6eb3b555270b55fdc72b7db7b7, but it's limited
to the subject alternative name "DNS Name=localbattle.net".

~~~
kbwt
Could you (or anyone else) upload the certificate file for inspection?

~~~
AaronFriel

        -----BEGIN CERTIFICATE-----
        MIID1jCCAr6gAwIBAgIDAKCkMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJV
        UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEPMA0GA1UEBwwGSXJ2aW5lMR8wHQYDVQQK
        DBZCbGl6emFyZCBFbnRlcnRhaW5tZW50MRMwEQYDVQQLDApCYXR0bGUubmV0MScw
        JQYDVQQDDB5CbGl6emFyZCBCYXR0bGUubmV0IExvY2FsIENlcnQwHhcNMTcxMjIx
        MjEzNDAxWhcNMjcxMjE5MjEzNDAxWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgM
        CkNhbGlmb3JuaWExDzANBgNVBAcMBklydmluZTEfMB0GA1UECgwWQmxpenphcmQg
        RW50ZXJ0YWlubWVudDETMBEGA1UECwwKQmF0dGxlLm5ldDEnMCUGA1UEAwweQmxp
        enphcmQgQmF0dGxlLm5ldCBMb2NhbCBDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOC
        AQ8AMIIBCgKCAQEAv4ih+a9V+dd+l97hTyWYLg+b1aj6UrgREMvLv0PFoE63eozs
        oFAvjr/0QVCt8RJg2aIF1OZSfc4c9PWkSktFvKB2vMRbVkSwhZvlpDLdQdgD89q9
        XZnWv8KmB1w7R7RUzYhNv5IBfqx77hdpMsdfhMAsVu9UNi7Bowhk2Lyk+NSIMMbY
        f6TvgoWLLz6Glw1mGSl8ki2SzaFj6xTNdKo56knZBy9wHQlmjv7GVltwmcVeyARC
        3Q4qG/tG7t9CchCNUWHMP1Uxc9t2hZbQIjJRIE+h7Njp7A5nNIO0XXkJpKdtank/
        Q2+CJNdoX7kNi7frB3y+TVSNYTNxh6bfDyueEwIDAQABozMwMTATBgNVHSUEDDAK
        BggrBgEFBQcDATAaBgNVHREEEzARgg9sb2NhbGJhdHRsZS5uZXQwDQYJKoZIhvcN
        AQELBQADggEBABFtIjAcF6vgXBWUACc+nvKwLUUAuIDigK+PpTJZ+eqvJd2gjPG+
        i9tfSe3Y0uWeHgNAtV3bwV/pEp8jPj0KyS7aYM2QhS2Gezy2NN7RjXtU+tFItwQ3
        ykHQsqG5F+KqpDFZrbmuPkXUB9TihxG9aGATBOzhw18RV7hlf/y+60LDMF+8BoYY
        AVJ6wDUcYsuO4PQ2DE3DlJJokUsITUlzWYn60Kmo96NG0MST/Zg3bLLC3gxclZb/
        vkK/pVha6I8kRyPFkfwIS/4Z/HCwHX9RAxbBaOxGqaN3XgcsR9hGBZD6DRA6iF1u
        XfkZ9zz/NfgVIx+AJmyw32X1T5HRcmMhZZ4=
        -----END CERTIFICATE-----

~~~
jwilk
"openssl x509 -text" output (with boring parts omitted):

    
    
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 41124 (0xa0a4)
          Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = California, L = Irvine, O = Blizzard Entertainment, OU = Battle.net, CN = Blizzard Battle.net Local Cert
              Validity
                  Not Before: Dec 21 21:34:01 2017 GMT
                  Not After : Dec 19 21:34:01 2027 GMT
              Subject: C = US, ST = California, L = Irvine, O = Blizzard Entertainment, OU = Battle.net, CN = Blizzard Battle.net Local Cert
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
                      Modulus:
                          <boring>
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Extended Key Usage: 
                      TLS Web Server Authentication
                  X509v3 Subject Alternative Name: 
                      DNS:localbattle.net
          Signature Algorithm: sha256WithRSAEncryption
               <boring>

------
kup0
From some various comments on that thread, it appears it may have been a
mistake, where they put the cert in the wrong store? Blizzard has a good
reputation in my mind personally, so I'm giving the benefit of the doubt here.

Initially this was troubling news though, and will continue to be without some
kind of confirmation.

~~~
kodablah
If, as the comments say, this was in the OS-level store for both macOS and
Windows, the only way I could see it being an accident would be if they are
using a very high level cross-platform abstraction. Which I doubt. But of
course we should always wait for official word before judging (still your
choice whether to believe it).

~~~
kup0
Oh, didn't think about the issue happening on multiple platforms. That does
complicate things.

------
bitL
Have a separate gaming machine for games only. You can't trust anyone these
days.

~~~
Cookiesaurusbex
Does it need to be a whole septate machine? If I run Linux as my daily driver
and a Windows install on a separate drive/partition for gaming only, then I'll
only be exposed to any potential risks for this when I boot to Windows, right?

~~~
explainplease
Is the Linux drive still connected when you boot into Windows?

Of course, in practice, I don't think any average bad guy is going to spend
the time to write Windows malware that installs Linux malware on other drives
or partitions. Just like any security practice, it's a matter of tradeoffs. Is
it worth the trouble to disconnect the Linux drive every time you want to play
a game in Windows?

So, theoretically, any malware with root-equivalent privileges can do whatever
it wants to anything on the system. Also, theoretically, malware can be
remotely installed on your WAN-exposed router, infiltrate your network, and
install malware using zero-days on every machine on your network. Is it worth
the risk to air-gap your machines?

More practically, non-gaming stuff doesn't require a high-end machine, and
average/SFF machines are plenty powerful, so it's probably reasonable to have
a separate machine for gaming. Just get a KVM switch and put a Mac Mini-type
machine next to it for your non-gaming machine. Then do all your gaming, using
whatever awful incarnation of Windows is currently required, on the other
machine, and _never do any banking /email/etc. on the Windows machine_, never
type any passwords into it (except for gaming-related, of course). Treat the
Windows installation as a throwaway, ready to be nuked and reinstalled at any
time.

------
jwilk
> The expiration day is December 19th, and since certificates are usually
> generated for a certain number of years, that means it was just created.

You could look at the "Not Valid Before" date, which is 2017-12-21.

------
ChuckMcM
For what ever reason I always assumed this was to prevent the game client from
being used with unoffical servers.

------
throw7
The issue exposes the trust issue of the CA house of cards. You, as the user,
are really trusting in a third party to "do the right thing".

------
mikestew
“Silently”? macOS will pop a prompt for new root CA, and from what I’m reading
in the thread, Windows will, too. Did I miss the part where a software vendor
can slip in a new root CA without me knowing about it?

~~~
bagacrap
Most users have no idea what a root ca even is, so they have no ability to
judge whether to accept or decline. Even with a prompt, they are not aware of
what is happening.

~~~
AnIdiotOnTheNet
So? This strawman user you've constructed has no idea what any of the
blinkenlights in front of them are for. How much are you willing to make the
desktop experience suck to cater to them?

That was rhetorical. It's obvious from the state of modern desktop OSs what
the answer is.

~~~
ng12
Yeah, why did we ever get away from the glory days of bare-metal programming.
Computers are only for people who understand them.

Sarcasm aside, I'm a software engineer with a very superficial understanding
of the certificate system. I'm not even convinced of my own ability to notice
when something's wrong.

~~~
AnIdiotOnTheNet
What I'm saying is: why do you people always assume the average user of a
desktop computer is a drooling moron?

Because that's what you're doing when you say shit like this. Thinking like
that is what gave us forced automatic updates.

~~~
ng12
I don't agree with your characterization as somebody who doesn't understand
the significance of a root CA as a drooling idiot.

The text of one of your post's siblings is:

> A root lets you make a valid cert for any domain. It can be used to create a
> man-in-the-middle attack if paired with a proxy.

If you were to walk down the street tomorrow and ask 10 people to define
"cert", "domain", "MITM", and "proxy" I'd wager you'd get 0 correct responses.
I'd also wager those 10 people use computers every day -- and I don't think
that's a problem. You shouldn't have to study and understand byzantine systems
just to use a computer.

~~~
AnIdiotOnTheNet
What I disagree with is the characterization of the user as someone who a)
cares[1], and b) doesn't realize they're clicking through something they don't
understand. After all, they do it all the time on EULAs and when they ignore
their "check engine" light.

Could the message explain the problem better? Maybe, but when you characterize
the user the way the parent did, you're not going to stop there, you're going
to make them jump through all sorts of hoops or just outright deny the ability
all together in the name of saving them from themselves, and that's a huge
pain in the ass for the people who do know what's going on and are just trying
to get some shit done and use their computer as the tool it was meant to be.

[1]Even if the user knew what it was saying it seems unlikely that they'd
think it was malicious. They trust blizzard enough to install their software
anyway, so if blizzard says they need this thing, why wouldn't they say ok?

