Users are concerned over a security flaw that may not exist | PCGamesN

A recent update for the client makes a change to how security certificates are handled in the app. Blizzard say this change is “consistent with current industry security standards,” but some users are concerned that the increased privileges afforded to the client as part of the update could present a significant security risk.


The new update installs a Certificate Authority on your PC, allowing the client to directly validate connections with web servers. This is apparently to address a bug with certain browsers, including Mozilla, being unable to communicate directly with the client for login permissions using public CAs. More mainstream browsers, like Chrome and Firefox, were able to handle browser-to-app communication directly, so this was a non-issue for most users.

However, this new CA was installed to the same location that holds System Root certificates, the same certificates your OS uses to validate online security. No one seems quite sure how much authority the CA has to issue its own certificates. In theory, a malicious or hacked root CA could force your computer to present a fake website - say, your personal bank - as a trusted, secure site.

But it seems any worst-case scenario is unnecessary doomsaying. While the new CA is installed to the root location, it doesn’t appear to actually have root permissions. Instead, it’s only able to validate local links that point to your own PC, with new keys and certificates generated for each install.

In response to users’ concern over the potential overreach of the new CA (best summed up by this Reddit thread), Blizzard issued a statement via the official forums. “Our recent update to the Blizzard desktop app made sure players could properly use features like logging in to via a social network, or joining a Blizzard group via an invite link. To facilitate these features, we updated the local webserver to use a self-signed certificate to be consistent with current industry security standards.”
