Bluetracker
Hey Blizzard, What's the Deal with this Sneaky Root CA You Just Installed on My Computer?

Edit 2: TO BE CLEAR THIS IS NOT A SECURITY PROBLEM. There is no escalation of privileges that I'm aware of, because Agent already gets admin privileges to install and (presumably) the private key requires Administrator/root to extract (although I could be wrong about that). The private key should also be unique on each machine (again, I could be wrong).

....

Edit 3: I talked to Tavis Ormandy for a long time today. After extensive discussion, I don't think it's as big a deal as I initially thought. It appears the way to mark a certificate as trusted (for a particular site, not as a CA) may be slightly different on Windows. In any case it's highly unlikely that the OS APIs for certificates on Windows or macOS would allow a certificate to be valid if it was signed by this one. Technically it's incorrect to not set CA:false on this certificate, but in reality it should not allow forged certs in any major browser.

....

Original post: While running the battle.net updater for HotS this morning I got a strange prompt that Agent wanted to make changes on my computer and needed my admin password. I was immediately suspicious, so I checked Activity Monitor and noticed that the Agent process has open file handles to all the Keychain files, most notably to the System Roots Keychain, which holds all the trusted root CA certificates.

I opened Keychain and looked in the System Roots, searched for Blizzard, and sure enough, here it is. The expiration day is December 19th, and since certificates are usually generated for a certain number of years, that means it was just created.

In case you didn't know, a trusted root CA has the ability to create a certificate that is valid for any website or server and your computer won't warn you about it. The Blizzard Agent process can intercept your network traffic, create a forged certificate to allow them to decrypt the traffic, and you will never know about it.

WTF Blizzard?

....

Edit: Comparing this cert (and the slightly different version on Windows), to other CAs, I think Blizzard just installed it in the wrong key store. If this was installed in the Personal or Local Items/login keystore, it would be fine as-is.
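Whether a certificate found in a root store can actually sign other certificates is decided by its basicConstraints extension, the CA flag discussed in Edit 3. The following is an added example, not part of the original post and not code from Blizzard's Agent: a minimal DER decoder for that extension, run over hand-constructed extension bytes (not Blizzard's actual certificate), showing how a validator reads cA=TRUE, cA=FALSE and an absent cA field.

```python
# Added example (not from the original post or Blizzard's Agent): decode the X.509
# basicConstraints extension (OID 2.5.29.19) from DER and report whether the cert
# may sign other certs. Per RFC 5280, a v3 cert with no basicConstraints, or with
# cA not TRUE, must not be used to verify certificate signatures (Edit 3's point).

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_basic_constraints(ext_der):
    """ext_der: DER Extension SEQUENCE { extnID, critical?, extnValue }.
    Returns {"critical", "is_ca", "path_len"}, or None for any other extension."""
    _, seq, _ = _read_tlv(ext_der, 0)
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        return None
    tag, val, pos = _read_tlv(seq, pos)
    critical = False
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        critical = val != b"\x00"
        tag, val, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
    _, bc, _ = _read_tlv(val, 0)
    is_ca, path_len, pos = False, None, 0
    if pos < len(bc) and bc[pos] == 0x01:
        _, v, pos = _read_tlv(bc, pos)
        is_ca = v != b"\x00"
    if pos < len(bc) and bc[pos] == 0x02:
        _, v, pos = _read_tlv(bc, pos)
        path_len = int.from_bytes(v, "big")
    return {"critical": critical, "is_ca": is_ca, "path_len": path_len}

# Hand-encoded sample extensions, constructed for this example (no real certificate).
CA_TRUE_CRITICAL = bytes.fromhex("300f0603551d130101ff040530030101ff")          # cA=TRUE
CA_TRUE_PATHLEN0 = bytes.fromhex("30120603551d130101ff040830060101ff020100")    # cA=TRUE, pathLen=0
CA_FALSE_EXPLICIT = bytes.fromhex("300c0603551d1304053003010100")               # cA=FALSE encoded
CA_ABSENT_FIELDS = bytes.fromhex("30090603551d1304023000")                      # empty SEQUENCE: not a CA
KEY_USAGE_EXT = bytes.fromhex("30080603551d0f040100")                           # keyUsage, not ours
```

Call decode_basic_constraints on each sample to see the three outcomes; only the first two would let a validator treat the subject key as a CA key.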


  • Ravinix

    Posted 6 years, 9 months ago

    To shine some light on why our recent update added the self-signed certificate, the Battle.net team created a post on our forums that you can read here.
