GoDaddy revokes thousands of SSL certificates due to code bug

Six-month-old error led to almost 9,000 certificates being incorrectly issued

Bug bounty

Thousands of SSL certificates have been revoked by domain registrar and hosting firm GoDaddy after it was discovered a bug had led to them being incorrectly issued.

The error, which meant certificates had been issued without the proper checks and authorisation, had been present in the company's code for around six months before being pointed out by a customer.

The issue has now been fixed, the company stated, but the bug allowed 8,850 faulty certificates to be issued prior to its detection. These certificates have now been revoked and the code has been changed to ensure they are not re-issued.

"While we are confident that we have completely resolved the problem, we are watching our system closely to ensure that no more certificates are issued without proper domain validation," said GoDaddy's senior internet product and technology leader, Wayne Thayer. "We will take immediate action and report any further issues if found."

Advertisement
Advertisement - Article continues below

"A full post-mortem review of this incident will occur and steps will be taken to prevent a recurrence, including the addition of automated tests designed to detect this type of scenario. If more information about the cause or impact of this incident becomes available, we will publish updates to this report," he added

The issue stemmed from an error in the validation process, Thayer wrote as part of a post announcing the problem. This error resulted in the verification system returning a positive result, even if it came back with a HTTP 404 status code, rather than the HTTP 200 code which designates a successful check.

"We are currently unaware of any malicious exploitation of this bug to procure a certificate for a domain that was not authorised," Thayer concluded.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019