GoDaddy revokes thousands of SSL certificates due to code bug

Six-month-old error led to almost 9,000 certificates being incorrectly issued

Bug bounty

Thousands of SSL certificates have been revoked by domain registrar and hosting firm GoDaddy after it was discovered a bug had led to them being incorrectly issued.

The error, which meant certificates had been issued without the proper checks and authorisation, had been present in the company's code for around six months before being pointed out by a customer.

Advertisement - Article continues below

The issue has now been fixed, the company stated, but the bug allowed 8,850 faulty certificates to be issued prior to its detection. These certificates have now been revoked and the code has been changed to ensure they are not re-issued.

"While we are confident that we have completely resolved the problem, we are watching our system closely to ensure that no more certificates are issued without proper domain validation," said GoDaddy's senior internet product and technology leader, Wayne Thayer. "We will take immediate action and report any further issues if found."

"A full post-mortem review of this incident will occur and steps will be taken to prevent a recurrence, including the addition of automated tests designed to detect this type of scenario. If more information about the cause or impact of this incident becomes available, we will publish updates to this report," he added

Advertisement
Advertisement - Article continues below

The issue stemmed from an error in the validation process, Thayer wrote as part of a post announcing the problem. This error resulted in the verification system returning a positive result, even if it came back with a HTTP 404 status code, rather than the HTTP 200 code which designates a successful check.

"We are currently unaware of any malicious exploitation of this bug to procure a certificate for a domain that was not authorised," Thayer concluded.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020