GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
Your website will work, but might be riddled with errors
GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug.
El Reg learnt of the cock-up from readers affected by the issue, who forwarded notification emails (extract below).
Due to a software bug, the recently issued certificate for your domain was issued without proper domain validation, and in accordance with industry standards as a Certificate Authority, we will need to revoke your certificate as a precautionary measure. The certificate will be revoked today (January 10) by 9pm Pacific Time. The software bug that created the issue has been remedied. We continue to closely monitor our system.
An affected website's HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked. However, visitors to your website may see error messages or warnings in their browser until a new certificate is installed. GoDaddy, which is issuing these replacement certificates free of charge, apologised to customers for the hassle caused by the slip-up in its notification email.
In a blog post, GoDaddy said the bug was introduced six months ago on July 29 and impacted less than two per cent of the SSL certificates issued from July 29, 2016, to Jan. 10, 2017. Approximately 6,100 customers were affected, it said. That's 8,850 certs, according to GoDaddy security veep Wayne Thayer.
GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances, the CA explains.
“In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website,” it said. “When their system searches and finds the code, the validation is complete.
“However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” it added. ®
Sponsored: Becoming a Pragmatic Security Leader