by vbezhenar 2581 days ago
One simple example: battle.net installs its own root certificate to the OS trust store. How do you do that for Linux? There are plenty of distributions with different rules. That would be some work.

> How do you do that for Linux?

Varies by distro. For example, on my CentOS 7 desktop just now:

  $ cat /etc/pki/ca-trust/source/README
  ...
  QUICK HELP: To add a certificate in the simple PEM or DER
     file formats to the list of CAs trusted on the system:

     Copy it to the /etc/pki/ca-trust/source/anchors/
     subdirectory, and run the update-ca-trust command.
That README is part of the "ca-certificates" package.

As seba_dos1 points out though... why would doing this be needed for a single application?

It should be possible to point the cert validation code at a non-system-wide CA chain.
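As an added illustration (not part of the original thread), the following POSIX shell script audits the anchors directory named in the README above, listing each added certificate's subject and issuer and whether it is self-signed and whether it carries a CA:TRUE basic constraint, which is exactly the root-vs-leaf question the thread goes on to raise. The `localbattle.net` certificate it generates is a constructed stand-in; the function name `audit_anchors` and the `ANCHOR_DIR` variable are my own, and `openssl` must be on the path.

```shell
#!/bin/sh
# Audit the trust anchors an administrator or an installer has added to a
# CentOS/RHEL-style system (the directory the README above points at). The
# distro's own CA bundle lives elsewhere, so everything here is third-party.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Print one tab-separated line per file: path, subject, issuer,
# self-signed/issued, and whether it carries a CA:TRUE basic constraint
# (a CA anchor can vouch for any hostname; a leaf only for its own names).
audit_anchors() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
        if [ -z "$subj" ]; then
            # Not a PEM certificate (stray key, garbage, DER encoding): flag it.
            printf '%s\tUNPARSEABLE\n' "$f"
            continue
        fi
        if [ "$subj" = "$iss" ]; then kind="self-signed"; else kind="issued"; fi
        if openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            ca="CA"
        else
            ca="leaf"
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$f" "$subj" "$iss" "$kind" "$ca"
    done
}

# Stand-alone demo on a constructed directory: one self-signed certificate
# for localbattle.net (a stand-in, not the real Blizzard certificate) plus a
# file that is not a certificate at all. The private key is kept elsewhere.
demo_dir=$(mktemp -d)
key_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localbattle.net" \
    -keyout "$key_dir/key.pem" -out "$demo_dir/localbattle.pem" >/dev/null 2>&1
printf 'not a certificate\n' > "$demo_dir/junk.pem"

# On a real host run: audit_anchors "$ANCHOR_DIR"
audit_anchors "$demo_dir"
```

Anything reported as `CA` here is an anchor that can vouch for arbitrary hostnames, so it deserves a closer look than a `leaf` that only covers its own names.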

Why would it do that in the first place?
I think that they're running a webserver on localhost and they are connecting to it from their website opened in a browser, probably for some integration.
How is that going to work when most of the users are behind NAT/Firewalls? That's a connection model that just doesn't work well on the modern Internet.

I'm also kind of baffled by the need to install a Blizzard root cert in the cert store. That's normally only necessary for people who are too cheap to get their certs signed (Blizzard makes enough money to do this) or who want to MitM encrypted traffic from your host.

You're opening their website. JavaScript on their website connects to https://localhost:12345 and uses that connection to interact with battle.net software that runs on your PC. NAT/Firewall is not an issue. But that client software has to present a valid certificate for that localhost website. To do so, they generate that self-signed certificate at installation time and mark it as trusted, so browsers will accept it. There's no other way to do that, really (well, there's a way actually, but it requires signing some very non-standard agreements with certificate authorities; I know that Plex does that). Blizzard does not use that certificate to MitM your connection, because they don't send it back; it's generated, stored and used locally.

I don't like this practice either and I would opt out of that "feature" if I had the choice. I just used to develop similar software, so I understand why they did that.

Do you actually need a root cert for this? Can't you just install the server's self-signed cert?
I think it's actually a self-signed certificate for a domain (localbattle.net) which resolves to 127.0.0.1, not a CA one, sorry for the misinformation.
What's the point of using TLS on localhost?
Browsers require it. If you're establishing a connection from JavaScript that was loaded on an HTTPS website, you can't establish a connection to HTTP.

I've heard recently about some movement to allow HTTP connections to localhost, but I did not investigate that thoroughly. TLS should not be needed for localhost, that's true.

IMHO the only correct solution is to stop doing that.