GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug

GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug. El Reg learnt of the cock-up from readers affected by the issue, who forwarded notification emails (extract below). Due to a software bug, the recently issued certificate for your domain was issued without …

  1. Alan J. Wylie

    mozilla.dev.security.policy posting

    https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Htujoyq-pO8/uRBcS2TmBQAJ

    1. Lee D Silver badge

      Re: mozilla.dev.security.policy posting

      They put a line of code in that accepted 404 responses to the "do you own this website" check, such that servers with 404 pages that returned the original request data would successfully validate ownership of any of their domains.

      And it looks like over 8000 "unchecked" certs were issued, including test ones for sites like Microsoft.

      That's a pretty big cock-up.

      And they didn't respond at first because it was just sitting in an email in someone's inbox over Christmas - nice to know they are always ready to respond to serious problems!

      1. Anonymous Coward

        Re: mozilla.dev.security.policy posting

        My reading of it is that the ~9000 domains were the ones which were re-tested and the file was missing.

        That could be because it was never there in the first place, or it could be that the webmaster (being slightly OCD) cleaned up after the certificate was issued and deleted that file.

        But more seriously was that the issue was first discovered because someone had set their DNS A record to 127.0.0.1 and the verification server evidently had a 404 page that includes the requested URL.

        The verification server checked against itself and accepted its own response. That seems like the biggest cock-up to me.

        (The 'content = URL' component was obviously a seriously dumb choice too).
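The two comments above describe a domain-control check that (a) used the requested URL as the expected file content, (b) accepted a response regardless of status code, so a 404 page that echoes the request passed, and (c) happily talked to itself when a domain's A record pointed at 127.0.0.1. The following is an added example, not GoDaddy's code and not from the thread: a small reconstruction of that failure mode next to a hardened version. The validation path, the server responses and the IP addresses are constructed for illustration.

```python
"""
Reconstruction of an HTTP-based "do you own this site" check that accepts
any response containing the requested URL, beside a version that requires
a random token, an HTTP 200, an exact body match and a public address.
Added example with constructed responses; not the CA's real code.
"""
import ipaddress
import secrets
from typing import Callable, Tuple

# A fetcher returns (status_code, body) for a URL; a resolver maps a
# hostname to an IP address string.  Both are injected so the file runs
# offline against the canned responses below.
Fetcher = Callable[[str], Tuple[int, str]]
Resolver = Callable[[str], str]


def validation_url(domain: str, token: str) -> str:
    # Hypothetical well-known path; the real path is not given on the page.
    return f"http://{domain}/.well-known/pki-validation/{token}.txt"


def vulnerable_validate(domain: str, fetch: Fetcher) -> bool:
    """The failure mode described in the thread: the expected content is
    the URL itself, and any body that contains it passes, whatever the
    status code.  A 404 page that echoes the request satisfies this."""
    url = validation_url(domain, "check")
    _status, body = fetch(url)
    return url in body


def hardened_validate(domain: str, token: str,
                      fetch: Fetcher, resolve: Resolver) -> bool:
    """Require a public target address (so the verifier never checks
    itself or an internal host), a 200 response, and a body equal to a
    random token the requester could not derive from the URL."""
    addr = ipaddress.ip_address(resolve(domain))
    if not addr.is_global:          # loopback, RFC 1918, link-local, ...
        return False
    status, body = fetch(validation_url(domain, token))
    if status != 200:
        return False
    return secrets.compare_digest(body.strip().encode(), token.encode())


# --- constructed stand-ins for the servers involved ---------------------

def echoing_404(url: str) -> Tuple[int, str]:
    """A web server whose 404 page repeats the requested URL in its body
    (the behaviour the thread blames)."""
    return 404, f"<html><body>404 Not Found: {url}</body></html>"


def make_good_server(token: str) -> Fetcher:
    """A host where the owner really placed the token file."""
    def fetch(url: str) -> Tuple[int, str]:
        if url.endswith(f"/{token}.txt"):
            return 200, token + "\n"
        return 404, "Not Found"
    return fetch


def must_not_fetch(url: str) -> Tuple[int, str]:
    """Fetcher for the loopback case: the address check must fire before
    any HTTP request is made."""
    raise AssertionError(f"verifier contacted itself for {url}")


def public_dns(_host: str) -> str:
    return "93.184.216.34"          # constructed public address


def loopback_dns(_host: str) -> str:
    return "127.0.0.1"              # the A record from the thread


def demo() -> dict:
    token = secrets.token_hex(16)
    return {
        # the echoing 404 passes the weak check for a domain the requester
        # does not control
        "weak_accepts_echo_404":
            vulnerable_validate("victim.example", echoing_404),
        # the same server fails once status and exact content are required
        "hardened_rejects_echo_404":
            hardened_validate("victim.example", token, echoing_404, public_dns),
        # an A record pointing at loopback is refused before any request
        "hardened_rejects_loopback":
            hardened_validate("victim.example", token, must_not_fetch, loopback_dns),
        # the legitimate owner who published the random token passes
        "hardened_accepts_real_file":
            hardened_validate("victim.example", token,
                              make_good_server(token), public_dns),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `is_global` is that the verifier's own address, and anything internal, is rejected at resolution time rather than after the fact; the random token removes the "content = URL" problem, because a server can only echo what it was sent, never a value it has not seen.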

  2. Korev Silver badge
    Pint

    Is this why This Organ was (is?) showing ssl errors along with a comment about working on it for a day or two?

    A pint for El Reg for finally implementing SSL ->

  3. Drew 11

    And even after this latest cockup Mozilla will refuse to put DANE into Firefox.

    C'mon Reg, name and shame them.

  4. Crazy Operations Guy

    I already beat them to it

    I added GoDaddy's CA to my organization's CRL several months ago, just after StartSSL was shit-canned by the browser manufacturers.

  5. Anonymous Coward

    Long live the super secure x.509 house of cards circle jerk. None of us are as insecure as all of us.

  6. Anonymous Coward

    The main thing I was frustrated with (because I was affected by this personally) is the lie over here: "An affected website's HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked."

    A revoked certificate isn't treated as an expired or self-signed cert, thus you just can't ignore the warning, and the sites were completely unavailable!

    The other thing is that I received that e-mail around 11pm, giving me an hour and a half to fix/re-issue my certs.

    Oh great, they initialized the process, I just need to perform validation... WRONG... the generated cert wasn't usable at all. I had to re-generate the CSR and restart the process. It took hours to get the validation going through, so I called in and they told me "Systems are performing backups and validation is stuck, you have to wait..."

    For these reasons, we're considering moving away from them.
