SHA-1 Hashing and Old Cipher Suites

While the Battle.net app does use TLS 1.2, when you actually make connections to battle.net, the connections themselves are using antiquated hashing algorithms. After starting the battle.net client and connecting, I used Wireshark to find that the app itself was attempting to communicate with 137.221.105.152 - a Blizzard server. If I disable SHA-1 on my system or disable TLS_RSA_WITH_AES_256_CBC_SHA, I can no longer connect to battle.net. Blizzard is using vulnerable encryption algorithms as a requirement to connect to battle.net. Firstly, SHA-1 is no longer safe to use. Secondly, pick a better cipher suite for your services. While Microsoft may include them by default in Windows, they consider it up to the end user to secure their communications. I normally only use 4 cipher suites that use GCM and forward secrecy, with SHA-1 hashing disabled (this is different for certificate signatures, and SHA-1 is just fine for that). Before I can connect to Battle.net I have to enable vulnerable algorithms (that I previously disabled), which may lead to the compromise of my communications with other systems (since the world doesn’t revolve entirely around Blizzard).

Bottom line - get rid of the SHA-1 hashing on 137.221.105.152 - @Blizzard THIS MEANS YOU. If that’s too much to ask for, then at least add secure hashing and algorithms for people who want that support (you don’t have to remove the old algorithm, but please enable a secure hashing algorithm).

2 Likes
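The post above boils down to two properties of a cipher suite: whether the key exchange is ephemeral (forward secrecy) and whether the record protection is an AEAD mode such as GCM rather than CBC with an HMAC-SHA1 MAC (the suites whose IANA name ends in a bare `_SHA`). As an added example that is not part of the thread, the following Python script parses IANA-style TLS 1.2 suite names and classifies them on exactly those criteria; the sample list of suite names is constructed for illustration and the `recommended` rule (forward secrecy, AEAD, no broken bulk cipher) is this example's own policy, not Microsoft's or Blizzard's.

```python
"""Classify TLS 1.2 cipher suites by forward secrecy, AEAD and SHA-1 MAC usage.

Added illustration for the thread above; not code from any poster or vendor.
Names are IANA-style, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
"""
import re

# Key-exchange families that use ephemeral keys and therefore give forward secrecy.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}
# Bulk ciphers that are authenticated encryption (no separate HMAC tag).
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")
# Bulk ciphers that are broken or deprecated outright (checked as whole tokens).
WEAK_CIPHER_TOKENS = {"NULL", "RC4", "DES", "3DES", "RC2"}

SUITE_RE = re.compile(r"TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)")


def parse_suite(name):
    """Split a TLS 1.2 IANA suite name into key exchange, bulk cipher and MAC/PRF hash."""
    m = SUITE_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style IANA suite name: {name}")
    return m.groupdict()


def assess(name):
    """Return the security-relevant properties of one suite plus the reasons it fails."""
    p = parse_suite(name)
    kx_family = p["kx"].split("_")[0]
    forward_secrecy = kx_family in FORWARD_SECRET_KX
    aead = any(marker in p["cipher"] for marker in AEAD_MARKERS)
    # For CBC/stream suites the trailing token is the HMAC hash, and a bare "SHA" is SHA-1.
    # For AEAD suites that token only names the PRF hash, which is not the same concern.
    sha1_mac = (not aead) and p["mac"] == "SHA"
    weak_cipher = any(tok in WEAK_CIPHER_TOKENS for tok in p["cipher"].split("_"))

    reasons = []
    if not forward_secrecy:
        reasons.append(f"no forward secrecy ({p['kx']} key exchange uses a static key)")
    if not aead:
        reasons.append(f"non-AEAD bulk cipher {p['cipher']} with HMAC-{p['mac']}")
    if sha1_mac:
        reasons.append("record MAC is HMAC-SHA1")
    if weak_cipher:
        reasons.append(f"broken or deprecated bulk cipher {p['cipher']}")

    return {
        "name": name,
        "forward_secrecy": forward_secrecy,
        "aead": aead,
        "sha1_mac": sha1_mac,
        "weak_cipher": weak_cipher,
        # Example policy: keep only ephemeral key exchange with an AEAD cipher.
        "recommended": forward_secrecy and aead and not weak_cipher,
        "reasons": reasons,
    }


def hardened_order(names):
    """Keep only the suites the policy accepts, preserving the caller's preference order."""
    return [n for n in names if assess(n)["recommended"]]


# Constructed sample list: the suite named in the thread plus a few comparison points.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",              # the suite Battle.net requires per the post
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",       # forward secret but still CBC + HMAC
    "TLS_RSA_WITH_RC4_128_SHA",                  # broken bulk cipher and SHA-1 MAC
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = assess(suite)
        verdict = "keep" if r["recommended"] else "drop: " + "; ".join(r["reasons"])
        print(f"{suite:45} {verdict}")
    print("hardened list:", hardened_order(SAMPLE_SUITES))
```

Running it shows why the suite in the thread fails on both counts (static RSA key exchange and HMAC-SHA1 over CBC), while `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` illustrates that forward secrecy alone is not enough for the policy the poster describes.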

When you made this post, it would’ve been EXTREMELY helpful to include the error code that would appear as a result of SHA1 being disabled on the system, for people like me who were trying to troubleshoot this error. In my case, it was BLZBNTBGS80000011 - I had run a utility meant to increase security in Windows 10/11 by disabling outdated protocols/algorithms/ciphers, and SHA1 was among those things that got disabled by this program (privacy.sexy was the utility, to be exact).

On their website, there’s a toggle to generate a batch script that reverses this, but here’s how you can manually fix it in the registry:

  1. In regedit, browse to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA
  2. Change the “DisabledByDefault” DWORD to hexadecimal value “0”. If it does not exist, create a DWORD (32-bit) Value with this name and set this value.
  3. Start Battle.net, and connectivity should be restored.
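The three steps above, as an added PowerShell script that is not part of the post or of the privacy.sexy project. It uses the registry key and the value name exactly as the post gives them; by default it only reports the current state, and changes the value only when run with `-Fix` from an elevated prompt. The `-Fix` switch, the variable names and the messages are this example's own.

```powershell
# Added example: report, and optionally restore, the Schannel SHA hash setting from the post.
# Run from an elevated PowerShell prompt. Without -Fix nothing is written.
param(
    [switch]$Fix
)

# Key and value name as stated in the post above (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA'
$valueName = 'DisabledByDefault'

# Step 1: inspect the key so the change is recorded and can be reversed later.
if (-not (Test-Path -Path $keyPath)) {
    Write-Host "Key $keyPath does not exist; no SHA hash override is configured."
    $current = $null
} else {
    $props   = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $props) { $props.$valueName } else { $null }
    if ($null -eq $current) {
        Write-Host "Key exists but value '$valueName' is not present."
    } else {
        Write-Host ("Current '{0}' = 0x{1:X} ({1})" -f $valueName, $current)
    }
}

if (-not $Fix) {
    Write-Host "Re-run with -Fix to set '$valueName' to 0 (steps 2 and 3 of the post)."
    return
}

# Step 2: create the key if needed, then create or overwrite the DWORD (32-bit) value with 0.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
Write-Host "Set '$valueName' = 0 under $keyPath (previous value: $(if ($null -eq $current) { 'absent' } else { $current }))."

# Step 3 is manual: start Battle.net. Schannel reads these keys at service start,
# so reboot if the client still reports the error after the change.
Write-Host "Start Battle.net; reboot if the error persists."
```

Run it once without `-Fix` first and keep the printed previous value: it is what you would put back (or delete) to return the machine to the hardened state once you are done playing.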

Ha, this dude is correct. Blizzard using crappy algorithms like TLS_RSA_WITH_AES_256_CBC_SHA. Brutal! Time to update, Blizzard.

The error I was getting was the following: BLZBNTBGS80000011. I use IIS Crypto to harden PCs/servers. I simply added back the cipher.

1 Like

This is my problem too, but unfortunately I can’t change it because I also work on the machine and I don’t want to use 10-year-old, vulnerable ciphers. That’s why I stopped playing WoW at the time. Now I wanted to buy Diablo 4, but in the era of TLS 1.3 I still can’t play Blizzard games, unfortunately. I will wait until they do it; unfortunately the client is unusable for me.