When people are logging in to any blizzard game the login server is using a very old and insecure cipher TLS_RSA_WITH_AES_256_CBC_SHA.
The problem with this is the following.
the lack of Diffie hellman means that the sessions can be archived and when the certificate gets cracked it’s possible to read all the data that was sent.
AES in CBC mode is not secure because of the way it is standardized, it’s possible to reconstruct the original data.
SHAR-1 is not secure because of the length is not long enough, so it’s possible to send different data that would still match the hash.
Blizzard response to this was
Note that the ciphers currently used on the login servers are by design as certain third-party partner services require those ciphers in order to function.
Wich does not hold any water due to the TLS specification
This is a list of the cryptographic options supported by the client, with the client’s first preference first. If the session_id field is not empty (implying a session resumption request), this vector MUST include at least the cipher_suite from that session. Values are defined in Appendix A.5.
The single cipher suite selected by the server from the list in ClientHello.cipher_suites. For resumed sessions, this field is the value from the state of the session being resumed.
Witch means that the server can see the supported list of cipher that the client supports and most clients support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 The thing is that the server can use TLS 1.3 but blizzard will not make TLS 1.2 safe.
Everybody’s password is at risk of getting compromised due to blizzard is refusing to fix TLS 1.2