Hacker News
by vbezhenar 2580 days ago
You're opening their website. JavaScript on their website connects to https://localhost:12345 and uses that connection to interact with the battle.net software that runs on your PC. NAT/firewall is not an issue. But that client software has to present a valid certificate for that localhost website. To do so, they generate that self-signed certificate at installation time and mark it as trusted, so browsers will accept it. There's no other way to do that, really (well, there's a way actually, but it requires signing some very non-standard agreements with certificate authorities; I know that Plex does that). Blizzard does not use that certificate to MitM your connection, because they don't send it back; it's generated, stored and used locally.

I don't like this practice either, and I would opt out of that "feature" if I had the choice. I just used to develop similar software, so I understand why they did that.


Do you actually need a root cert for this? Can't you just install the server's self-signed cert?
I think it's actually a self-signed certificate for a domain (localbattle.net) which resolves to 127.0.0.1, not a CA one; sorry for the misinformation.
That's much less troubling. It's much harder to engage in shenanigans in that case.
What's the point of using TLS on localhost?
Browsers require it. If you're establishing a connection from JavaScript that was loaded on an HTTPS website, you can't establish a connection to HTTP.

I've heard recently about some movement to allow HTTP connections to localhost, but I did not investigate that thoroughly. TLS should not be needed for localhost, that's true.
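As an added illustration of the setup the top post describes (a self-signed certificate minted at install time, a loopback HTTPS listener, and website JavaScript that connects to it), and of the leaf-versus-CA distinction raised in the replies about localbattle.net, here is a self-contained Go program. It is not Blizzard's or Plex's code: the hostname localbattle.net comes from the thread but is assumed to resolve to 127.0.0.1, the ephemeral port, the /status endpoint and the "agent-ok" reply are constructed for the demo, and the Go HTTP client with a one-entry trust store stands in for a browser whose OS trust store has had the certificate marked as trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// LocalHost is the loopback hostname the installer would register.
// The thread mentions localbattle.net resolving to 127.0.0.1; assumed here.
const LocalHost = "localbattle.net"

// NewLocalLeafCert is the once-at-install step: it mints a self-signed *leaf*
// certificate for LocalHost and 127.0.0.1. It is deliberately not a CA
// (IsCA=false, no CertSign usage), so trusting it vouches for no other name.
func NewLocalLeafCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: LocalHost},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(2 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
		DNSNames:              []string{LocalHost},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// StartLocalAgent serves the loopback HTTPS endpoint the website's JavaScript
// talks to. It binds 127.0.0.1 only, so NAT and firewalls never come into play.
func StartLocalAgent(cert tls.Certificate) (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // constructed: ephemeral port for the demo
	if err != nil {
		return "", nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "agent-ok") // constructed reply
	})
	srv := &http.Server{
		Handler:   mux,
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}},
	}
	go srv.ServeTLS(ln, "", "")
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// BrowserFetch models the page's JavaScript calling the agent: it dials the
// loopback address but validates the certificate for serverName against a
// trust store holding only the installer's cert (the "mark it as trusted" step).
func BrowserFetch(addr, serverName string, trusted *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	client := &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			ServerName: serverName,
			MinVersion: tls.VersionTLS12,
		}},
	}
	resp, err := client.Get("https://" + addr + "/status")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// CanSignOtherCerts reports whether a trusted cert could be abused as a CA.
func CanSignOtherCerts(c *x509.Certificate) bool {
	return c.IsCA || c.KeyUsage&x509.KeyUsageCertSign != 0
}

func main() {
	cert, leaf, err := NewLocalLeafCert()
	if err != nil {
		panic(err)
	}
	addr, stop, err := StartLocalAgent(cert)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Printf("installed cert could act as a CA: %v\n", CanSignOtherCerts(leaf))
	body, err := BrowserFetch(addr, LocalHost, leaf)
	fmt.Printf("fetch as %s: %q err=%v\n", LocalHost, body, err)
	_, err = BrowserFetch(addr, "example.com", leaf)
	fmt.Printf("same cert presented for example.com rejected: %v\n", err != nil)
}
```

The two checks at the end are the practitioner's takeaway: a trusted non-CA leaf lets the loopback fetch succeed, but the same certificate is rejected for any other hostname, and it carries no cert-signing usage, which is why the leaf-certificate variant is far less troubling than installing a root.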