Up to 9,000 SSL certificates have been revoked by GoDaddy as a safety measure after a bug was found in the validation process.
The bug made it possible for certificates to pass validation even when the GoDaddy validation code was not present on the customer's website, provided the customer's web server was configured in a particular way.
The bug entered the system during a routine code update on the 29th July 2016 and was found by the company on the 6th January 2017. On Tuesday of this week GoDaddy began revoking the affected certificates and has since started submitting new requests on behalf of customers, covering approximately 6100 affected users so far.
Customers who wish to start the process of requesting new certificates can do so by accessing the SSL Panel inside their GoDaddy account.
Until then, the protections provided by the existing certificate, including encryption, remain in place, although some browsers will display warnings for affected sites until their certificate is reissued.
“Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success),” GoDaddy VP and General Manager of Security Products Wayne Thayer writes. “A configuration change to the library caused it to return results even when the HTTP status code was not 200. Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.”
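The failure mode Thayer describes, modelled as an added example (this is illustrative code, not GoDaddy's validation library): a check that ignores the HTTP status accepts a 404 page that merely echoes the requested URL, while a check that requires 200 does not. The validation path and the sample server responses are constructed assumptions.

```python
# Added example, not GoDaddy's code: models the HTTP domain-control check described above.
# The validator fetches http://<domain>/<file named after a random code> and looks for the
# code in the response. The regression: responses were used even when the HTTP status was
# not 200, so a 404 page that echoes the requested URL contained the code and passed.
from dataclasses import dataclass
from typing import Callable


@dataclass
class HttpResponse:
    status: int
    body: str


def validation_url(domain: str, code: str) -> str:
    # Path layout is an assumption for illustration; the article does not give it.
    return f"http://{domain}/.well-known/pki-validation/{code}.txt"


def check_buggy(resp: HttpResponse, code: str) -> bool:
    # Regressed behaviour: the status code is ignored, only the body is inspected.
    return code in resp.body


def check_fixed(resp: HttpResponse, code: str) -> bool:
    # Pre-regression behaviour per the article: any status other than 200 is a failure.
    # Exact match on the trimmed body is an additional hardening (an assumption, not from
    # the article) so that an error page which merely mentions the code cannot pass.
    return resp.status == 200 and resp.body.strip() == code


# Constructed sample servers. Each returns the response a fetch of `url` would produce.
def server_with_code(code: str) -> Callable[[str], HttpResponse]:
    # Customer actually placed the validation file at the expected path.
    return lambda url: HttpResponse(200, code + "\n")


def server_echoing_404(url: str) -> HttpResponse:
    # Customer did NOT place the file; the server's 404 page includes the requested URL,
    # which itself contains the random code.
    return HttpResponse(404, f"<h1>Not Found</h1><p>The requested URL {url} was not found.</p>")


def server_plain_404(url: str) -> HttpResponse:
    # Customer did NOT place the file; the 404 page does not echo the URL.
    return HttpResponse(404, "<h1>Not Found</h1>")


def validate(domain: str, code: str, fetch: Callable[[str], HttpResponse],
             check: Callable[[HttpResponse, str], bool]) -> bool:
    return check(fetch(validation_url(domain, code)), code)
```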
Thayer went on to say that he has no knowledge that the bug, which affected less than two per cent of certificates issued over the timeframe, has been exploited maliciously. Additionally, the company has re-verified domain control on all certificates validated in a similar way within the timeframe. GoDaddy will make sure that certificates for customers whose websites it hosts are reissued. However, customers that use GoDaddy only as a CA will need to watch for a notification that their new certificate is available before going ahead with installation.
In December a standardised code signing guideline was made available for CAs, the first of its kind, produced by The Certificate Authority Security Council.