Domain registrar and certificate authority (CA) giant GoDaddy has been forced to revoke 9000 SSL certificates after discovering that a bug introduced way back in July caused the domain validation process to fail in some cases.
GoDaddy's general manager of security products, Wayne Thayer, said in a blog post that the company found out about the flaw – introduced on 29 July – late last week.
In effect, for 2% of its customers, domain validation sometimes passed when it should have failed, so SSL certs were validated when they shouldn’t have been.
Thayer explained:
“In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website. When their system searches and finds the code, the validation is complete.
However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found.”
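The failure Thayer describes is a check that reports success without actually finding the code. The following is an added example, not GoDaddy's code, that models the validation step in Python: the CA issues a random code, the customer publishes it at a well-known path, and the CA fetches that path. The weak check treats any HTTP 200 as success, which is an assumed model of how "certain web server configurations" could produce a false positive (a catch-all page that answers every URL with 200), not a statement of the actual root cause. The challenge directory, the fetcher functions and the misconfigured servers are all constructed so the module runs offline.

```python
"""Added example (not GoDaddy's code): how an HTTP-based domain-validation
check can report success when the challenge code is absent, and how a
stricter check closes that gap.

The weak check below is an assumed model of the failure mode, and the
servers are constructed stand-ins for real HTTP requests."""
from dataclasses import dataclass
from hmac import compare_digest
import secrets

CHALLENGE_DIR = "/.well-known/dv-challenge/"   # assumed path layout


@dataclass
class Response:
    status: int
    body: bytes


def issue_challenge() -> str:
    """CA side: generate the random code the customer must publish."""
    return secrets.token_urlsafe(32)


def challenge_path(token: str) -> str:
    return CHALLENGE_DIR + token


def weak_check(fetch, token: str) -> bool:
    """Assumed buggy logic: any HTTP 200 counts as success, so a server that
    answers every path with 200 passes without the code being present."""
    return fetch(challenge_path(token)).status == 200


def substring_check(fetch, token: str) -> bool:
    """Better, but still fooled by a page that echoes the requested path."""
    resp = fetch(challenge_path(token))
    return resp.status == 200 and token.encode() in resp.body


def strict_check(fetch, token: str) -> bool:
    """Require status 200 AND a body that is exactly the code (whitespace aside).
    Generic pages and echoed-path error pages both fail this."""
    resp = fetch(challenge_path(token))
    if resp.status != 200:
        return False
    try:
        body = resp.body.decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    return compare_digest(body, token)


# --- constructed servers standing in for real HTTP fetches ------------------
def honest_server(published: dict):
    """Serves exactly the files the customer published; 404 otherwise."""
    def fetch(path):
        if path in published:
            return Response(200, published[path])
        return Response(404, b"Not Found")
    return fetch


def catch_all_server():
    """Misconfigured: every path returns 200 with the home page."""
    def fetch(path):
        return Response(200, b"<html><body>Welcome!</body></html>")
    return fetch


def echoing_server():
    """Misconfigured: a 'not found' page served with status 200 whose body
    echoes the requested path (and therefore the code itself)."""
    def fetch(path):
        return Response(200, f"<p>No page at {path}</p>".encode())
    return fetch


def run_scenarios() -> dict:
    """Returns {check_name: {server_name: bool}} for the three checks."""
    token = issue_challenge()
    servers = {
        "honest_with_code": honest_server(
            {challenge_path(token): (token + "\n").encode()}),
        "honest_without_code": honest_server({}),
        "catch_all_200": catch_all_server(),
        "echoing_404_as_200": echoing_server(),
    }
    checks = {"weak": weak_check, "substring": substring_check,
              "strict": strict_check}
    return {name: {srv_name: fn(srv, token) for srv_name, srv in servers.items()}
            for name, fn in checks.items()}


if __name__ == "__main__":
    for check, results in run_scenarios().items():
        print(check, results)
```

Only the strict check returns the right answer for all four servers: the weak check accepts both misconfigured servers, and even a substring match accepts the server that echoes the requested path into its error page. A CA's validator has to prove the customer placed the exact code, not merely that the server responded.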
The certs were revoked as a precautionary measure and affected customers have been told new ones have been requested at no extra cost. They simply need to log in to their account and begin the certificate process.
The bug, which was introduced during a “routine code change,” has since been fixed.
However, if affected customers don’t change their certificates, visitors to their sites may see error messages and warnings presented by their browser, Thayer explained.
GoDaddy was at pains to point out this was the first such incident in the 13 years it has been issuing certificates, of which there have been roughly 10 million.
However, Venafi chief cybersecurity strategist Kevin Bocek argued that this is not an isolated incident when looking at the industry as a whole – similar mistakes by GlobalSign and Symantec have both led to customer disruption.
“Trust in digital certificates enables the global economy and impacts every internet user, business and government, but organizations rely on manual methods to manage them. To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly,” he added.
“As the use of cloud, mobile and IoT devices drives an explosion in demand for digital certificates, businesses need to be prepared to respond to an increase in errors and security compromises from certificate authorities.”