Massive security problem on login server

When people are logging in to any blizzard game the login server is using a very old and insecure cipher TLS_RSA_WITH_AES_256_CBC_SHA.
The problem with this is the following.
the lack of Diffie hellman means that the sessions can be archived and when the certificate gets cracked it’s possible to read all the data that was sent.
AES in CBC mode is not secure because of the way it is standardized, it’s possible to reconstruct the original data.
SHAR-1 is not secure because of the length is not long enough, so it’s possible to send different data that would still match the hash.

Blizzard response to this was
Note that the ciphers currently used on the login servers are by design as certain third-party partner services require those ciphers in order to function.
Wich does not hold any water due to the TLS specification
Client hello
cipher_suites
This is a list of the cryptographic options supported by the client, with the client’s first preference first. If the session_id field is not empty (implying a session resumption request), this vector MUST include at least the cipher_suite from that session. Values are defined in Appendix A.5.
And
Server Hello
cipher_suite
The single cipher suite selected by the server from the list in ClientHello.cipher_suites. For resumed sessions, this field is the value from the state of the session being resumed.

Witch means that the server can see the supported list of cipher that the client supports and most clients support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 The thing is that the server can use TLS 1.3 but blizzard will not make TLS 1.2 safe.
Everybody’s password is at risk of getting compromised due to blizzard is refusing to fix TLS 1.2

1 Like

Their response was based on the fact that they have to keep in mind compatibility between multiple systems of which some are not managed/developed by themselves, in other words third-party services. If the system can’t communicate with those third party services, they can’t provide their services.

There’s only 2 solutions for this:

  1. Doing a rework of the entire infrastructure, so they no longer rely on third party services.
  2. Pressure their partners about updating their systems to support more secure cipher suites.

Both of which would take a lot of time to realize.
I understand your scepticism, but you’ve had a first-line support employee explain what complications cause their System Administrators and Developers be unable to comply to your (unnecessarily high) standards.

Server compatibility first, client preference second.
Keep in mind that this is also likely to consist of certain legacy support features/services.

Just use a unique/complicated password, frequently update your password, use a VPN with additional encryption, maintain a secure local environment and your major security concern is no more than a minor inconvenience.

The response I got from blizzard was from security@blizzard There is a thread option Blizzard only needs to add TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to the supported list of ciphers. battlenet app and the games all have that cipher is the TLS client hello. So the new clients can use better encryption.
The server is choosing the best cipher that is configured and is first in the client hello cipher list.
There is a very good reason why TLS 1.3 have removed so many ciphers.
A VPN will not work. I don’t know of a VPN provider that has an exit node in AS57976. The VPN I use Cloudflare WARP also have problems with the battlenet app and the AS path to blizzard is AS13335 AS1299 AS57976 so the transit provide can save the session and decrypt them later due to there re no DH in the cythers

massive security problem does not happen in offline.

they reap what they saw. (or whatever the a/e form of the word)

Today I implemented TLS1.2 with secure ciphers. I can no longer login to battle.net. I am clear that a secure computer is more important than any game. Bye bye Blizzard!

1 Like