GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug. El Reg learnt of the cock-up from readers affected by the issue, who forwarded notification emails (extract below). Due to a software bug, the recently issued certificate for your domain was issued without …
They put a line of code in that accepted 404 responses to the "do you own this website" check, such that servers with 404 pages that returned the original request data would successfully validate ownership of any of their domains.
And it looks like over 8000 "unchecked" certs were issued, including test ones for sites like Microsoft.
That's a pretty big cock-up.
And they didn't respond at first because it was just sitting in an email in someone's inbox over Christmas - nice to know they are always ready to respond to serious problems!
My reading of it is that the ~9000 domains were the ones which were re-tested and the file was missing.
That could be because it was never there in the first place, or it could be that the webmaster (being slightly OCD) cleaned up after the certificate was issued and deleted that file.
But more seriously was that the issue was first discovered because someone had set their DNS A record to 127.0.0.1 and the verification server evidently had a 404 page that includes the requested URL.
The verification server checked against itself and accepted its own response. That seems like the biggest cock-up to me.
(The 'content = URL' component was obviously a seriously dumb choice too).
The main thing I was frustrated with ( because I was affected by this personnally ) is the lie over here "An affected website's HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked. "
A revoked certificate isn't treated as an expired or self-signed cert, thus you just can't ignore the warning and the sites were unavailable completly !
The other thing is that I received that e-mail around 11pm, giving me an hour an half delay to fix re-issue my certs.
Oh great, they initialized the process, I just need to perform validation... WRONG.. the generated cert wasn't usable at all. I had to re-generate the CSR and restart the process. It took hours to get the validation going through so I called in and they told me "Systems are performing backups and validation is stuck you have to wait... "
For these reasons, we're considering to move away from them.