SecurityWeek

Compliance

GoDaddy Revokes Nearly 9,000 SSL Certificates

GoDaddy informed customers this week that it has revoked nearly 9,000 SSL certificates after discovering a software bug that made its domain validation process unreliable.

According to the company, the bug was introduced on July 29, 2016, as part of a routine code change meant to improve the certificate issuance process. GoDaddy learned about the problem from Microsoft on January 6 and revoked the affected certificates on January 10, 2017. Replacement certificates are being reissued to the affected customers.

When it validates a domain name for an SSL certificate, GoDaddy provides the customer a random code and asks them to place it in a specific location on their website. The validation process is complete when GoDaddy’s systems find the code on the customer’s website.

As a result of the bug introduced in July, if the customer's web server was configured in a particular way, the system treated validation as successful even though the code had never been placed on the site.

“Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success). A configuration change to the library caused it to return results even when the HTTP status code was not 200,” explained Wayne Thayer, VP and General Manager of Security Products at GoDaddy. “Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.”
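The failure mode Thayer describes is easy to reproduce in a few lines. The following is an added example, not GoDaddy's code: it simulates the HTTP-based "place this token on your site" check with three constructed server responses (a default 404 page that echoes the requested URL, a server on which the token really was published, and a catch-all server that answers 200 for every path and echoes the URL) and runs each through a validator that ignores the status code, one that requires 200 first, and a stricter one that also requires the body to be exactly the token. The validation path and the response bodies are assumptions for illustration; the article does not say where GoDaddy placed the file or what the affected 404 pages looked like.

```python
"""Constructed simulation of an HTTP domain-control check and the 404-echo bug.

Not GoDaddy's code. The validators, the fake server responses and the
validation path are all constructed here to illustrate the failure mode.
"""
import secrets
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP client library's response object."""
    status: int
    body: str


def issue_token() -> str:
    """Random value the CA asks the applicant to publish (128 bits of entropy)."""
    return secrets.token_hex(16)


def validation_path(token: str) -> str:
    # Hypothetical path; the article does not state where the code had to go.
    return f"/.well-known/pki-validation/{token}.txt"


def echoing_404(path: str) -> HttpResponse:
    """Constructed 404 from a server that has no such file but, like many
    default error pages, repeats the requested URL in the response body."""
    return HttpResponse(404, f"<h1>Not Found</h1><p>The requested URL {path} "
                             "was not found on this server.</p>")


def published_200(token: str) -> HttpResponse:
    """Constructed 200 from a server on which the applicant really did
    publish the token as the file's content."""
    return HttpResponse(200, token + "\n")


def catch_all_200(path: str) -> HttpResponse:
    """Constructed 200 from a server that answers every path with a page
    that echoes the URL. A status-code check alone does not catch this."""
    return HttpResponse(200, f"<p>You requested {path}</p>")


def buggy_validate(resp: HttpResponse, token: str) -> bool:
    """Post-July-2016 behaviour as described: status ignored, body searched."""
    return token in resp.body


def pre_bug_validate(resp: HttpResponse, token: str) -> bool:
    """Pre-bug behaviour: any non-200 status is a failure before the body
    is inspected."""
    if resp.status != 200:
        return False
    return token in resp.body


def hardened_validate(resp: HttpResponse, token: str) -> bool:
    """Stricter form (added hardening, not something the article describes):
    require 200 AND a body consisting of exactly the token, so a page that
    merely echoes the URL can never satisfy the check."""
    return resp.status == 200 and resp.body.strip() == token


def run_scenarios() -> dict:
    """Run all three validators over the three constructed responses.

    Each tuple is (echoing 404, genuinely published, catch-all 200)."""
    token = issue_token()
    path = validation_path(token)
    responses = (echoing_404(path), published_200(token), catch_all_200(path))
    return {
        "buggy": tuple(buggy_validate(r, token) for r in responses),
        "pre_bug": tuple(pre_bug_validate(r, token) for r in responses),
        "hardened": tuple(hardened_validate(r, token) for r in responses),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:9s} 404-echo={result[0]!s:5s} published={result[1]!s:5s} "
              f"catch-all={result[2]!s:5s}")
```

The buggy validator accepts all three responses, including the 404 from a server the applicant never touched, which is exactly the condition that let the 8,951 certificates through. Restoring the status-code check fixes that case but still accepts the catch-all server; comparing the body against the token rather than searching for it closes both.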

GoDaddy has identified 8,951 certificates issued without proper domain validation, which represents roughly 2 percent of the total number of certificates issued between July 29, 2016, and January 10, 2017. The web-hosting giant said the incident has affected approximately 6,100 customers.

Impacted users have been offered a new certificate at no cost; a request has already been submitted on their behalf by GoDaddy in their SSL Panel. Affected websites will continue to work and the connections will continue to be encrypted, although web browsers might display warning messages.

GoDaddy said it was not aware of any cases where this bug had been exploited to procure a certificate for an unauthorized domain. Both Google and Mozilla have been notified about the incident.

“Unfortunately, this is not an isolated incident for the CA industry: Recently, an error by GlobalSign locked out traffic to their customers’ websites for days and Symantec was discovered to be issuing unauthorized certificates,” said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi.

“This is clearly a wake-up call for businesses. Trust in digital certificates enables the global economy and impacts every Internet user, business, and government, but businesses rely on manual methods to manage them. To protect your business you must know the location of every certificate in use and be able to replace any of them instantly,” Bocek added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
