GoDaddy Forced to Revoke Thousands of SSL Certificates

2017-01-18 09:51 Posted by: Judy in News, SSL

The world’s largest domain registrar and web hosting provider, GoDaddy, has revoked nearly 9,000 SSL certificates as a result of a bug discovered in its domain validation process. GoDaddy describes the revocation as a precautionary measure to protect customers from further potential risk.

The bug was introduced on July 29th, 2016 as part of a routine code update intended to improve the certificate issuance process. It affected the practical demonstration of control that GoDaddy uses to confirm that an applicant actually controls a given fully-qualified domain name before a certificate is issued. Like other SSL certificate providers, GoDaddy asks the customer to place a random code it supplies at a specified location on their website; its system then sends an HTTP or HTTPS request for that location and checks the response for the code. Once the code is found, the domain control check is treated as complete and the certificate is issued.

What GoDaddy did not notice is that, before the change, the library used to fetch the page and look for the code only returned a result when the HTTP status code was 200 (success); after the change it returned results regardless of the status code. The consequence is that any web server whose 404 (not found) page echoes the requested URL back in the response body, a common default for stock error pages, appears to contain the code, because the code is part of the URL being requested. Against such a server, domain control validation could complete successfully for a domain the applicant did not control.

The issue drew no attention until Friday, January 6th, 2017, when a GoDaddy employee opened an alert email from Microsoft. Microsoft reported that certificate requests from one of its customers were affected when the DNS A record of the domain was set to 127.0.1.1. Recognising the seriousness of the report, GoDaddy immediately opened an investigation and determined within a few hours that the problem was broader in scope. At about the same time, a code change was deployed to fix the root cause.
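To make the failure mode concrete, here is an added example in Python; it is not GoDaddy's code (the page does not disclose GoDaddy's validation path, library or internals), and the validation directory name, the server stand-ins and the sample IP addresses are constructed for illustration. It shows a minimal HTTP-based domain control check in the style described above: with the status-code check dropped, a stock 404 page that quotes the requested URL passes validation, while requiring a 2xx status rejects it. It also adds the check a CA validation agent wants against the A-record case Microsoft reported, refusing to fetch from a name that resolves to loopback or any other non-global address.

```python
"""Minimal HTTP-based domain control validation, with the two defects
discussed in the article made explicit. Added example, not GoDaddy's code."""
import ipaddress
import secrets
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

Fetcher = Callable[[str], Tuple[int, str]]   # url -> (HTTP status, body)

# Assumed validation location; GoDaddy's real path is not given on this page.
VALIDATION_DIR = "/.well-known/pki-validation/"


def issue_token() -> str:
    """Random code the applicant must publish under VALIDATION_DIR."""
    return secrets.token_hex(16)


def validation_url(domain: str, token: str, scheme: str = "http") -> str:
    # The token is part of the URL, which is exactly why a 404 page that
    # echoes the requested URL ends up "containing" the token.
    return f"{scheme}://{domain}{VALIDATION_DIR}{token}.txt"


def target_is_global(addresses: Iterable[str]) -> bool:
    """Refuse names that resolve to loopback, private or reserved space.

    An A record of 127.0.0.1 or 127.0.1.1 makes the validator fetch from
    its own host, so whatever error page *it* serves is what gets checked.
    """
    return all(ipaddress.ip_address(a).is_global for a in addresses)


def validate_domain(domain: str, token: str, fetch: Fetcher,
                    addresses: Iterable[str], require_2xx: bool = True) -> bool:
    """True if the token is found at the validation URL for `domain`.

    `addresses` are the IPs the domain resolved to (resolution is done by
    the caller so the function stays offline-testable).
    """
    if not target_is_global(addresses):
        return False
    status, body = fetch(validation_url(domain, token))
    # This is the check the July 2016 update lost: with require_2xx=False
    # the body of a 404 response is searched just like a 200.
    if require_2xx and not 200 <= status < 300:
        return False
    # "Once the code is found": substring search, as the article describes.
    return token in body


# --- constructed stand-ins for web servers (no network needed) -----------

def echoing_404_server(url: str) -> Tuple[int, str]:
    """Server with no validation file whose default 404 page quotes the URL."""
    path = urlsplit(url).path
    return 404, (f"<h1>Not Found</h1><p>The requested URL {path} "
                 f"was not found on this server.</p>")


def honest_server(published_token: str) -> Fetcher:
    """Server that really published `published_token` at the expected path."""
    files = {f"{VALIDATION_DIR}{published_token}.txt": published_token}

    def fetch(url: str) -> Tuple[int, str]:
        path = urlsplit(url).path
        if path in files:
            return 200, files[path]
        return 404, "Not Found"          # does not echo the URL
    return fetch


def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher for use against a live host (not exercised offline).

    urlopen raises on non-2xx; catching HTTPError and still searching its
    body is precisely the "return results regardless of status" behaviour.
    """
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


if __name__ == "__main__":
    tok = issue_token()
    public = ["93.184.216.34"]           # constructed public address
    print("echoing 404, no status check :",
          validate_domain("example.test", tok, echoing_404_server, public, require_2xx=False))
    print("echoing 404, status enforced :",
          validate_domain("example.test", tok, echoing_404_server, public))
    print("real file, status enforced   :",
          validate_domain("example.test", tok, honest_server(tok), public))
    print("real file, A record 127.0.1.1:",
          validate_domain("example.test", tok, honest_server(tok), ["127.0.1.1"]))
```

Two further hardenings a validation agent should carry beyond what the article mentions: compare the whole trimmed body against the token rather than searching for it as a substring, and check every address the name resolves to, not just the first, since a name can mix public and loopback records.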

Between the introduction of the bug and its fix, a total of 8,951 certificates were validated when they should not have been, nearly 2% of the certificates GoDaddy issued in that period. All of them had to be revoked and logged to a Google Certificate Transparency (CT) log, which GoDaddy completed on January 10th. It also deployed further code updates so that re-issued certificates cannot rely on domain validation information that is cached or potentially unverified.

As Wayne Thayer, VP and general manager of Security Products at GoDaddy, said in the report, GoDaddy is now confident that the problem has been resolved, and it is monitoring the system closely to make sure no further certificates are issued on the basis of improper domain validation. The company has promised to publish updates promptly if more information about the cause of the incident emerges.

This is not an isolated incident for the CA industry, which is under growing pressure from the shift to HTTPS. Recently, an error by GlobalSign locked visitors out of its customers’ websites for days, and Symantec was found to have issued unauthorized certificates. As an IT security expert from Venafi commented, the global economy benefits greatly from trusted digital certificates, and the rapid growth of cloud computing is bound to create explosive demand for them; frustratingly, the only way most businesses have to manage their certificates remains manual methods. Are they prepared for an increasing number of errors and security compromises arising from certificate authorities? We are doubtful.
