Gamers, … well, I’m one of them, and the times aren’t easy for us: there is the entire DLC, lootbox and DRM garbage, but we have survived everything so far. Today I found another interesting story about the Blizzard client and a root certificate. A Reddit user called chort0 found a root CA on his computer which seems to get installed each time you install Blizzard’s game client. He mentioned that this isn’t a security problem, but he says that it’s strange that a client requires its own certificate just for using their services.
What’s the problem with it?
The problem is that such a certificate could be abused to redirect specific traffic. It’s questionable why it’s needed, because the needed certificates are already on your PC.
The real problem here is that this was introduced in the background without any mention on their blog or via a changelog.
Is this a backdoor?
No, the certificate is a self-signed certificate used to validate the host localbattle.net, which redirects to 127.0.0.1 (localhost), to allow logins locally; one example is if you’re logged in with your Facebook account and want to play games offline. It’s a common mechanism, and removing it doesn’t help here because the client wants to install it again each time you restart the software.
The CA extension, which is required for the cert to create leaf certs, is not set. To put it simply, this certificate cannot sign other certs that would be trusted by any system properly implementing X.509 validation. That said, it’s not even a ‘real’ root cert!
Here is the certificate which gets installed!
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 41124 (0xa0a4)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = Irvine, O = Blizzard Entertainment, OU = Battle.net, CN = Blizzard Battle.net Local Cert
        Validity
            Not Before: Dec 21 21:34:01 2017 GMT
            Not After : Dec 19 21:34:01 2027 GMT
        Subject: C = US, ST = California, L = Irvine, O = Blizzard Entertainment, OU = Battle.net, CN = Blizzard Battle.net Local Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localbattle.net
    Signature Algorithm: sha256WithRSAEncryption
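The claim above, that a certificate without the CA extension can be trusted for itself but cannot vouch for other certificates, can be reproduced with the OpenSSL CLI. This is an added example, not code from the original post or from Blizzard: it assumes `openssl` is on the PATH, all keys, subjects and function names (`make_selfsigned`, `sign_leaf`, `chains_to`, `other.example`) are constructed, and it goes beyond the post by adding a CA:TRUE control certificate for comparison.

```shell
#!/bin/sh
# Added demo: every subject, key and file below is constructed; nothing is Blizzard's.

# make_selfsigned DIR NAME [EXTRA_EXT_LINE]: self-signed cert with the dump's
# extension set (EKU serverAuth + SAN), plus an optional extra extension.
make_selfsigned() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = Constructed $2 cert
[ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:localbattle.net
$3
EOF
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.crt" -days 30 2>/dev/null
}

# sign_leaf DIR NAME: issue a cert for another host with NAME's key.
# Producing the signature always works; acceptance is decided at validation.
sign_leaf() {
  openssl req -new -config "$1/$2.cnf" -subj "/CN=other.example" \
    -newkey rsa:2048 -nodes -keyout "$1/$2-leaf.key" \
    -out "$1/$2-leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2-leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -out "$1/$2-leaf.crt" -days 30 2>/dev/null
}

# chains_to ANCHOR CERT: exit status 0 only if CERT validates against ANCHOR.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  d=$(mktemp -d) || return 1
  make_selfsigned "$d" local "" && sign_leaf "$d" local || return 1
  make_selfsigned "$d" ca "basicConstraints = critical,CA:TRUE" &&
    sign_leaf "$d" ca || return 1
  chains_to "$d/local.crt" "$d/local.crt" && echo "local cert itself: accepted"
  chains_to "$d/local.crt" "$d/local-leaf.crt" || echo "leaf under local cert: rejected"
  chains_to "$d/ca.crt" "$d/ca-leaf.crt" && echo "leaf under CA:TRUE cert: accepted"
  rm -rf "$d"
}
demo
```

To inspect why the middle case fails, run `openssl verify -CAfile local.crt local-leaf.crt` without the redirect and read the error reported for the issuer.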
Statement from Blizzard
Blizzard was kind enough to explain the whole situation in a separate blog post.
Why they can’t just install a custom protocol handler for this is a serious question here, but they made their own decision, and once again it’s all about trust. I’m thankful that such clever people found it and immediately asked the needed question.
Well, again, it’s a totally legit mechanism and no reason to be freaking out.
- Blizzard’s Battle.net Updater Installs Root Certificate (news.ycombinator.com)