GoDaddy Revokes SSL Certificates to Prevent Serious Security Exploit
Wed 18 Jan 2017
Internet domain registration giant and website host GoDaddy has had to revoke almost 9,000 SSL certificates to close off a serious security flaw. As a certificate authority, GoDaddy routinely issues SSL certificates, small files that bind a domain name to a public key so that browsers can authenticate a website and establish an encrypted HTTPS connection, protecting users’ data during activities such as financial transactions. On January 3rd a Microsoft customer spotted a flaw in that issuance process and emailed the company. Unfortunately, the email was not picked up until January 6th. Because certificates issued while the flaw was live might have been obtained without proper proof of domain control, GoDaddy had no choice but to revoke 8,850 certificates and reissue them.
A Bug in the System
In a blog post, the company stated that on “Friday, Jan 6th, we learned about a bug that impacted our SSL certification validation process. The bug was introduced on July 29, 2016, and impacted less than 2 percent of the certificates issued from July 29, 2016, to Jan. 10, 2017. It affected approximately 6,100 customers. The software bug that created the issue has been remedied. We continue to closely monitor the system. We will revoke these certificates at 9 p.m. (PST) Jan. 10, 2017. We are actively working with our customers to reissue their SSL certificates. GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances.”
The bug was introduced during a routine code change meant to improve the process through which certificates are issued, not as a deliberate change to the validation logic. As GoDaddy put it: “However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found.” In other words, the domain validation step, which searches the applicant’s web server for a code that only the domain’s legitimate controller should be able to publish, could report success without the code actually being there, so an applicant who did not control a domain could in principle have obtained a certificate for it.
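To make the failure mode concrete, the following is an added example (not GoDaddy’s code, and not taken from the original article) of an HTTP-based domain-control check in a weak form beside a hardened form. The web server behaviours, the token, the validation path `/.well-known/pki-validation/<token>.txt` and the function names are all constructed for illustration. One web-server configuration that produces exactly the behaviour quoted above is an error page that echoes the requested URL back in its body: the requested path carries the token, so a substring search that ignores the HTTP status finds the token even though the file was never published.

```python
"""Added example: HTTP domain-control validation, weak check beside a hardened one.
Illustrative only; the server behaviours, token format and path are assumptions."""
from dataclasses import dataclass
import secrets


@dataclass
class HttpResponse:
    status: int
    body: str


def issue_token() -> str:
    # The CA generates an unpredictable token the applicant must publish.
    return secrets.token_hex(16)


def validation_path(token: str) -> str:
    # Assumed location of the challenge file on the applicant's server.
    return f"/.well-known/pki-validation/{token}.txt"


def fake_fetch(server: str, path: str, published: dict) -> HttpResponse:
    """Simulated web servers (constructed for this example).

    published : files the applicant actually serves, keyed by path
    'echo'    : a server whose 404 page repeats the requested URL
    any other : a server with a plain 404 page
    """
    if path in published:
        return HttpResponse(200, published[path] + "\n")
    if server == "echo":
        return HttpResponse(
            404, f"<h1>Not Found</h1><p>The requested URL {path} was not found.</p>"
        )
    return HttpResponse(404, "Not Found")


def weak_validate(resp: HttpResponse, token: str) -> bool:
    # Treats "token appears anywhere in the body" as proof of control and
    # ignores the HTTP status. Against an echoing 404 page the token is
    # present (inside the echoed path), so this passes without the file.
    return token in resp.body


def hardened_validate(resp: HttpResponse, token: str) -> bool:
    # Require a successful status AND an exact match of the file content
    # (surrounding whitespace tolerated). A substring hit on an error page
    # cannot satisfy this, because an error page is not a 200 and its body
    # is not the bare token.
    if resp.status != 200:
        return False
    return resp.body.strip() == token


def run_validation(server: str, token: str, published: dict, check) -> bool:
    # Fetch the challenge file from the applicant's server and apply `check`.
    return check(fake_fetch(server, validation_path(token), published), token)


if __name__ == "__main__":
    token = issue_token()
    nothing_published = {}
    for name, check in (("weak", weak_validate), ("hardened", hardened_validate)):
        print(f"{name:8} echoing server, file absent :",
              run_validation("echo", token, nothing_published, check))
    print("hardened honest server, file present :",
          run_validation("ok", token, {validation_path(token): token}, hardened_validate))
```

Run it and the weak check reports success against the echoing server even though no challenge file exists, which is the misissuance path; the hardened check fails in that case and passes only when the applicant really serves the token with a 200 response. Checking the status code alone is not enough on its own either, since a catch-all 200 page could echo the path just as well; requiring the body to be exactly the token removes that case too.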
GoDaddy has notified the affected customers and has offered to install free replacement certificates, stating that “while we are confident that we have completely resolved the problem, we are watching our system closely to ensure that no more certificates are issued without proper domain validation, and we will take immediate action and report any further issues if found. A full post-mortem review of this incident will occur and steps will be taken to prevent a recurrence, including the addition of automated tests designed to detect this type of scenario.”