GoDaddy Forced to Revoke Thousands of SSL Certificates

2017-01-18 09:51 Posted by: Judy

The world’s largest domain registrar and web hosting provider GoDaddy has revoked nearly 9,000 SSL certificates as a result of a bug discovered in the validation process. GoDaddy took this as a precautionary measure to protect customers from further potential risks.

Initially introduced on July 29th, 2016 as part of a routine code update intended to improve its certificate issuance process, the bug affected the practical demonstration of control that GoDaddy uses to validate that a requester has authority over a given fully-qualified domain name before a certificate is issued. Like other SSL certificate providers, GoDaddy requires customers to place a random code it provides at a specified location on their website. Its system then automatically checks for that code by sending an HTTP or HTTPS request to the website. Once the code is found, GoDaddy treats the domain control check as passed and issues the certificate.

What GoDaddy failed to notice is that, once the bug was introduced, the library used to query the website and check for the code was configured to return results regardless of whether the HTTP status code was 200 (success) or not. The end result: any web server configured to echo the URL of the request in the body of a 404 (not found) response could cause domain control verification to complete successfully, because the random code is part of the requested URL.

But the issue did not draw attention until one of GoDaddy’s employees opened an alert email sent by Microsoft on Friday, Jan 6th, 2017. Microsoft reported that certificate requests from one of its customers were affected when the DNS A record of the domain was set to 127.0.1.1. Aware of the seriousness of the issue, GoDaddy immediately initiated an investigation and determined within a few hours that the problem was broader in scope. At about the same time, the root cause was fixed via a code change.
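As an added illustration (not code from GoDaddy or from the original article), the check below contrasts the pre-fix behaviour described here, where the code only had to appear somewhere in the body of any response, with a hardened check that requires a 200 status, an exact-match body and a publicly routable resolved address. The well-known path, the token and the HTTP responses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """Minimal stand-in for the response a validation client receives."""
    status: int
    body: str


def pre_fix_check(resp: HttpResponse, token: str) -> bool:
    """Pre-fix behaviour as the article describes it: any status code is
    accepted and the token only has to appear somewhere in the body."""
    return token in resp.body


def hardened_check(resp: HttpResponse, token: str) -> bool:
    """Only a 200 response whose body is exactly the token passes."""
    if resp.status != 200:
        return False
    return resp.body.strip() == token


def resolved_address_is_acceptable(ip: str) -> bool:
    """Refuse to validate against loopback, private or otherwise
    non-global addresses such as 127.0.1.1 (assumed policy)."""
    return ipaddress.ip_address(ip).is_global


# Constructed sample data: the validation token is part of the URL path,
# so a server that echoes the requested URL in its 404 page leaks it back.
TOKEN = "a8f3c9d1e2b4"  # constructed
CHALLENGE_PATH = f"/.well-known/pki-validation/{TOKEN}.txt"  # assumed layout
ECHOING_404 = HttpResponse(
    404,
    f"<html><body>The requested URL {CHALLENGE_PATH} was not found "
    "on this server.</body></html>",
)
GENUINE_200 = HttpResponse(200, TOKEN + "\n")


if __name__ == "__main__":
    print("pre-fix accepts echoing 404:", pre_fix_check(ECHOING_404, TOKEN))
    print("hardened accepts echoing 404:", hardened_check(ECHOING_404, TOKEN))
    print("hardened accepts genuine 200:", hardened_check(GENUINE_200, TOKEN))
    print("127.0.1.1 acceptable:", resolved_address_is_acceptable("127.0.1.1"))
```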

Between the introduction of the bug and its fix, a total of 8951 certificates were validated when they should not have been. That is to say, nearly 2% of its customers held potentially affected certificates that needed to be revoked and logged to a Google CT log. GoDaddy completed this on Jan 10th; it also deployed additional code updates so that re-issued certificates could not make use of any domain validation information that was cached or potentially unverified.

As Wayne Thayer, VP and general manager of Security Products at GoDaddy, stated in the report, GoDaddy is now confident that the problem has been resolved, and it is watching the system closely to make sure no more certificates are issued using improper domain validation. If more information about the cause of this incident is found, the company promises to publish updates promptly.

However, this is not an isolated incident for the CA industry amid the growing trend of switching to HTTPS. Recently, an error by GlobalSign locked out traffic to its customers’ websites for days, and Symantec was found to be issuing unauthorized certificates. As an IT security expert from Venafi commented, the global economy benefits greatly from trusted digital certificates, and with the rapid growth of cloud computing there is bound to be explosive demand for them. Frustratingly, the only way most businesses have to manage their digital certificates remains manual methods. Are they prepared for an increasing number of errors and security compromises caused by certificate authorities? We are doubtful.
