Battle.net users are concerned over a security flaw that may not exist

Battle.net is back

A recent update for the Battle.net client changes how security certificates are handled in the app. Blizzard says the change is “consistent with current industry security standards,” but some users are concerned that the increased privileges afforded to the client as part of the update could present a significant security risk.


The new update installs a Certificate Authority certificate on your PC, allowing Battle.net to validate connections between the browser and its own local web server. This is apparently to address a bug with certain browsers, including Mozilla, being unable to communicate directly with Battle.net for login permissions using public CAs. More mainstream browsers, like Chrome and Firefox, were already able to handle browser-to-app communication, so this was a non-issue for most users.

However, this new CA was installed to the same location that holds the System Root certificates, the certificates your OS uses to decide which sites to trust. No one seems quite sure how much authority the Battle.net CA has to issue its own certificates. In theory, a malicious or hacked root CA could make your computer present a fake website – say, your personal bank – as a trusted, secure site.

But it seems any worst-case scenario is unnecessary doomsaying. While the new Battle.net CA is installed to the root location, it doesn’t appear to actually have root-level reach. Instead, it’s only able to validate local Battle.net links that point to your own PC, with new keys and certificates generated for each install.
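The open question above, how much authority the new CA actually has, is one a user can answer from their own machine rather than from a forum thread: the root store records whether a certificate is flagged as a CA and whether it carries Name Constraints limiting the hostnames it may vouch for. The PowerShell below is an added example, not code from the article or from Blizzard. It lists every self-signed certificate in both Windows root stores and reports those two properties; the `$subjectFilter` string is an assumption about what the certificate's Subject contains and should be changed to match whatever text the installed certificate actually uses.

```powershell
# Added example (not from the article or Blizzard): audit the Windows root
# stores for self-signed certificates and show the constraints each carries.
# Reading the stores does not require an elevated prompt.
$subjectFilter = 'Battle.net'   # assumed Subject text; adjust to the real value

'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    ForEach-Object {
        $store = $_
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed roots only
            ForEach-Object {
                $cert = $_
                # OID 2.5.29.19 = Basic Constraints: is this cert allowed to sign others?
                $basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
                # OID 2.5.29.30 = Name Constraints: which names may it vouch for?
                $names = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.30' }
                [PSCustomObject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    IsCA       = $(if ($basic) { $basic.CertificateAuthority } else { 'no Basic Constraints extension' })
                    NameLimits = $(if ($names) { $names.Format($true).Trim() } else { 'none: not limited to any hostname' })
                    Match      = $cert.Subject -like "*$subjectFilter*"
                }
            }
    } |
    Sort-Object NotBefore -Descending |
    Format-Table -AutoSize -Wrap
```

Sorting by `NotBefore` puts the most recently issued roots at the top, which is where a certificate added by a fresh install will appear. A row that shows `IsCA` true with `NameLimits` of none is a certificate the OS will honor for any hostname; in that case the only thing confining it to localhost is where its private key lives and who controls it, which is exactly the property the article says is generated per install and cannot be read from the store itself.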

In response to users’ concern over the potential overreach of the new CA (best summed up by this Reddit thread), Blizzard issued a statement via the official forums. “Our recent update to the Blizzard Battle.net desktop app made sure players could properly use features like logging in to Battle.net via a social network, or joining a Blizzard group via an invite link. To facilitate these features, we updated the local webserver to use a self-signed certificate to be consistent with current industry security standards.”