Blizzard's does not, so it's not a CA certificate. Blizzard is taking the correct, to my knowledge, approach to the problem they're trying to solve. CA certificates always (must) include a Basic Constraints section with Subject Type=CA (RFC 5280 4.2.1.9). You can see this in the OP's screenshot too, though it's easiest to confirm the truth of this by comparing to an actual CA certificate. When you look in Certificates (Local Computer), under the folder Trusted Root Certification Authorities, you can find the Blizzard Local Cert, and you can compare it to the CA certs that are on the system. If you want to examine the certificate for yourself, on Windows see How to View Certificates with the MMC Snap-in. This means it is not a CA certificate, and is rather an End Entity certificate (or leaf certificate) for that domain name only. It omits the section called Basic Constraints, and specifies DNS Name=. One can confirm this is a non-CA certificate by examining the cert that gets installed. Why should they create a potential CA when a simple non-CA self-signed cert would work fine? They're actually already doing what the OP says they should be doing above: What they're installing is a leaf certificate specifically for the domain. They don't now nor did they previously install a CA certificate. In particular, the certificate that Blizzard installs on the system is not a CA certificate. I hope it's OK to reply to a stickied comment, but there's so much misinformation below. The OP and many comments in the thread contain factual inaccuracies. To elaborate, there is no privacy or security issue. If this was installed in the Personal or Local Items/login keystore, it would be fine as-is.
The Blizzard Agent process can intercept your network traffic, create a forged certificate to allow them to decrypt the traffic, and you will never know about it. Edit: Comparing this cert (and the slightly different version on Windows), to other CAs, I think Blizzard just installed it in the wrong key store. In case you didn't know, a trusted root CA has the ability to create a certificate that is valid for any website or server and your computer won't warn you about it. The expiration day is December 19th, and since certificates are usually generated for a certain number of years, that means it was just created. I opened Keychain and looked in the System Roots, searched for Blizzard, and sure enough, here it is. I was immediately suspicious, so I checked Activity Monitor and noticed that the Agent process has open file handles to all the Keychain files, most notably to the System Roots Keychain, which holds all the trusted root CA certificates. Original post: While running the updater for HotS this morning I got a strange prompt that Agent wanted to make changes on my computer and needed my admin password. Technically it's incorrect to not set CA:false on this certificate, but in reality it should not allow forged certs in any major browser. In any case it's highly unlikely that the OS APIs for certificates on Windows or macOS would allow a certificate to be valid if it was signed by this one. It appears the way to mark a certificate as trusted (for a particular site, not as a CA) may be slightly different on Windows. After extensive discussion, I don't think it's as big a deal as I initially thought. The private key should also be unique on each machine (again, I could be wrong). Edit 3: I talked to Tavis Ormandy for a long time today. There is no escalation of privileges that I'm aware of, because Agent already gets admin privileges to install and (presumably) the private key requires Administrator/root to extract (although I could be wrong about that).
Edit 2: TO BE CLEAR THIS IS NOT A SECURITY PROBLEM.