The world’s largest domain registrar and web hosting provider GoDaddy has revoked nearly 9,000 SSL certificates as a result of a bug discovered in the validation process. GoDaddy took this as a precautionary measure to protect customers from further potential risks.
The bug was introduced on July 29th, 2016 as part of a routine code update intended to improve GoDaddy’s certificate issuance process. It affects the practical demonstration of control that GoDaddy uses to validate authority over a given fully-qualified domain name before issuing a certificate. Like all other SSL certificate providers, GoDaddy requires customers to place a random code that it supplies at a specified location on their website. Its system then automatically checks for the code by sending an HTTP or HTTPS request to the website. Once the code is found, the domain control check is complete and GoDaddy issues the certificate.
What GoDaddy failed to notice is that the library used for querying the website and checking for the code, prior to the bug, was configured to return results whether or not the HTTP status code was 200 (success). The end result: any web server configured to include the URL of the request in the body of a 404 (not found) response could cause domain control verification to complete successfully.
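The failure mode described above can be reproduced locally. The following is an added example, not GoDaddy's code: it runs a constructed site whose 404 page echoes the requested URL and compares a check that ignores the status code with one that requires a 200 response whose body is exactly the code. The `/<token>.html` URL layout, the token value and all function names are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PLACED = {}  # path -> body: files the constructed site's owner has published

class Site(BaseHTTPRequestHandler):
    """Constructed test site whose 404 page echoes the requested URL."""
    def do_GET(self):
        found = self.path in PLACED
        body = PLACED[self.path] if found else f"<p>{self.path} was not found</p>"
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body.encode())))
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args): pass  # silence per-request logging

def fetch(host, port, token):
    """GET the validation URL; http.client returns 4xx responses instead of raising."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", f"/{token}.html")  # URL layout is an assumption
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()

def check_flawed(host, port, token):
    _, body = fetch(host, port, token)  # status code ignored, as in the bug
    return token in body

def check_strict(host, port, token):
    status, body = fetch(host, port, token)
    # Require success AND an exact match, so an echoed URL can never pass.
    return status == 200 and body.strip() == token

def demo():
    PLACED.clear()
    token = "dcv-7f3a91c2e5"  # constructed sample value
    with HTTPServer(("127.0.0.1", 0), Site) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            # Before the owner places the code: only the 404 echo exists.
            before = check_flawed(host, port, token), check_strict(host, port, token)
            PLACED[f"/{token}.html"] = token  # owner publishes the code
            after = check_flawed(host, port, token), check_strict(host, port, token)
            return before, after
        finally:
            srv.shutdown()
```

`demo()` returns the `(flawed, strict)` results before and after the code is actually placed; only the strict check distinguishes the two states.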
But this issue did not draw enough attention until one of GoDaddy’s employees opened an alert email sent by Microsoft on Friday, Jan 6th, 2017. In the email, Microsoft reported that certificate requests from one of its customers were affected when the DNS A record of the domain was set to 127.0.1.1. Aware of the seriousness of the issue, GoDaddy immediately opened an investigation and determined within a few hours that the problem was broader in scope. At almost the same time, the root cause of the problem was announced to have been fixed via a code change.
In the period between the bug’s introduction and its fix, a total of 8951 certificates were affected by validation that sometimes succeeded when it shouldn’t have. That is to say, nearly 2% of its customers had potentially impacted certificates that needed to be revoked and logged to a Google CT log. Thankfully, GoDaddy completed this on Jan 10th; it also deployed additional code updates to stop certificate re-issuance from using any domain validation information that is cached or potentially unverified.
As Wayne Thayer, VP and general manager of Security Products at GoDaddy, said in the report, GoDaddy is now confident that the problem has been resolved, and it is watching the system closely to make sure no more certificates are issued using inappropriate domain validation. If more information about the cause of this incident is found, the company promises to publish updates immediately.
However, this is not an isolated incident for the CA industry amid the growing trend of switching to HTTPS. Recently, an error by GlobalSign locked out traffic to its customers’ websites for days, and Symantec was discovered to be issuing unauthorized certificates. As an IT security expert from Venafi commented, the global economy benefits greatly from trusted digital certificates, and with the rapid growth of cloud computing there is bound to be explosive demand for them. Frustratingly, the only way businesses have to manage digital certificates remains manual methods. Are they prepared for an increasing number of errors and security compromises caused by certificate authorities? We are doubtful.