GoDaddy revokes nearly 9,000 SSL certificates issued without proper validation

A bug in the CA's domain validation system could have allowed attackers to obtain certificates without authorization

GoDaddy, one of the world's largest domain registrars and certificate authorities, revoked almost 9,000 SSL certificates this week after learning that its domain validation system had contained a serious bug for the past five months.

The bug was introduced by a routine code change made on July 29 to the system used to validate domain ownership before a certificate is issued. As a result, the system could have validated some domains when it shouldn't have, opening the possibility of abuse.

Industry rules call for certificate authorities to check if the person requesting a certificate for a domain actually has control over that domain. This can be done in a variety of ways, including by asking the applicant to make an agreed-upon change to the website using that domain.

Some CAs ask certificate applicants to create a publicly accessible file containing a unique code or token on their web server at a predetermined location. In GoDaddy's case, the company asked applicants to place a file named <code>.html -- where <code> is a unique random alphanumeric token -- in their web server's root folder.

Prior to the introduction of the bug, the CA's automated domain validation system tried to fetch this agreed-upon file from the applicant's web server via HTTP or HTTPS. If the server responded with HTTP status code 200 (success), the validation tool looked for the code inside the response body and, if it was present, validated the domain.

The bug caused the system to ignore the HTTP status code. That was a problem because many web servers are configured to echo the originally requested URL in the body of their 404 (not found) error pages. Since the requested URL contained the secret code in the form of the file name, the error page itself contained the code, and GoDaddy's system validated the domain even though the file was actually missing from the server.

The problem affected less than 2 percent of the certificates issued since the bug was introduced, covering around 6,100 customers, Wayne Thayer, vice president and general manager of security products at GoDaddy, said in a blog post Tuesday.

However, in a message to Mozilla's security policy mailing list Wednesday, Thayer said that the company revoked a total of 8,951 certificates for which it couldn't re-validate the domains because the validation files were missing.

The owners of these certificates will get replacement certificates for free, but they need to log into their GoDaddy accounts and initiate the certificate request process again from the SSL panel.

If malicious attackers had knowledge of this issue, they could have obtained fraudulent certificates for domain names they don't own or control. According to Thayer, the company is currently unaware of any incident where this bug was exploited to obtain certificates without authorization.

The issue was initially reported to GoDaddy by Microsoft, one of its resellers, which learned about it from one of its own customers, Thayer said. "The customer who discovered the bug revoked the certificate they obtained, and subsequent certificates issued as the result of requests used for testing by Microsoft and GoDaddy have been revoked."

One user on the Mozilla mailing list pointed out that even without this bug, GoDaddy's domain validation implementation would still have been vulnerable: some web servers are configured to respond with HTTP status code 200 even when the requested resource doesn't exist, so a status check alone would not have stopped an echoed URL from satisfying the validator.

On Wednesday, GoDaddy decided to completely stop using this method of file-based domain control validation, but it's not clear how many other CAs are using similar validation methods that might allow attackers to obtain certificates for domains they don't own.

The CA/Browser Forum, the industry body that sets the rules governing certificate issuance, has been aware of this class of weakness since at least April last year. It has adopted new rules under which the secret codes used to validate domains must not appear in the requests the CA uses to retrieve the files or web pages containing them. These updated rules go into effect on March 1.
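The following is an added example, not GoDaddy's code or any CA's actual validator, modelling the three validation behaviours the article describes: the buggy check that ignored the status code, the earlier check that required a 200, and a check that follows the new rule by keeping the token out of the request path. The web servers are constructed in-process (a dict of paths to contents, with an Apache-style error page that echoes the requested URL), the file name under /.well-known/pki-validation/ is a hypothetical choice, and nothing touches the network.

```python
"""Added example: why echoing the requested URL defeats file-name-based
domain control validation, and how a fixed-path check avoids it."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    body: str


Server = Callable[[str], Response]


def make_server(files: Dict[str, str], echo_url_in_404: bool,
                soft_404: bool = False) -> Server:
    """Constructed web server: `files` maps a path to its content.

    echo_url_in_404: the error page repeats the requested URL, as the
    article says many servers do.
    soft_404: answer 200 even for missing resources (the mailing-list caveat).
    """
    def handle(path: str) -> Response:
        if path in files:
            return Response(200, files[path])
        body = "<h1>Not Found</h1>"
        if echo_url_in_404:
            body += f"<p>The requested URL {path} was not found on this server.</p>"
        return Response(200 if soft_404 else 404, body)
    return handle


def validate_buggy(server: Server, token: str) -> bool:
    """Post-July-29 behaviour as described: the status code is ignored."""
    resp = server(f"/{token}.html")
    return token in resp.body


def validate_status_checked(server: Server, token: str) -> bool:
    """Pre-bug behaviour: require HTTP 200, then look for the token in the body."""
    resp = server(f"/{token}.html")
    return resp.status == 200 and token in resp.body


# Hypothetical file name; only the directory comes from the rule the article cites.
FIXED_PATH = "/.well-known/pki-validation/ca-check.txt"


def validate_fixed_path(server: Server, token: str) -> bool:
    """Token lives only in the file content. The request never carries it,
    so no echo of the URL, with any status code, can contain the token."""
    resp = server(FIXED_PATH)
    return resp.status == 200 and token in resp.body


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Run every validator against every constructed server; True means 'domain validated'."""
    token = secrets.token_hex(16)  # the CA's random per-request value
    validators = {
        "buggy": validate_buggy,
        "status_checked": validate_status_checked,
        "fixed_path": validate_fixed_path,
    }
    servers = {
        # legitimate owner placed both kinds of validation file
        "owner": make_server({f"/{token}.html": token, FIXED_PATH: token},
                             echo_url_in_404=True),
        # attacker's target: stock server whose 404 page echoes the URL
        "victim_echo_404": make_server({}, echo_url_in_404=True),
        # attacker's target: server that returns 200 for everything
        "victim_soft_404": make_server({}, echo_url_in_404=True, soft_404=True),
        # attacker's target: 404 page that does not echo the URL
        "victim_plain_404": make_server({}, echo_url_in_404=False),
    }
    return {name: {v: fn(srv, token) for v, fn in validators.items()}
            for name, srv in servers.items()}


if __name__ == "__main__":
    for scenario, results in run_scenarios().items():
        print(f"{scenario:17}",
              "  ".join(f"{v}={'PASS' if ok else 'fail'}" for v, ok in results.items()))
```

Against the echoing 404 server the buggy validator passes the attacker while the status-checked one does not; against the soft-404 server both pass, which is the weakness raised on the mailing list; only the fixed-path check fails the attacker in every case, because the token is never part of what the server can echo back.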


Lucian Constantin

IDG News Service