GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.
The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.
“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”
Part of the validation process involves registrar’s sending customers via email a validation code that the customer drops onto their site. Thayer explained that the system searches a particular spot for the code in order to complete validation.
“When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.
The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials.
GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
“This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.),” Thayer said. “The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.”
Affected websites will still resolve, GoDaddy said, but customers may see untrusted-site error warnings.
Experts, meanwhile, caution that as more Certificate Authorities come online such as Let’s Encrypt, which provides free certs in an automated fashion, that more errors like this one could crop up.
“I only see more of them happening,” said Kevin Bocek, vice president of security strategy at Venafi. “We’re seeing faster and faster certification validation with organizations like Let’s Encrypt turning up the competition [among CAs]. And things like DevOps driving faster certificate issuance. And with organizations moving to the cloud, you’re going to have more machines doing these types of requests for new certificates.
“It’s all software,” Bocek said. “It could all have bugs. In the past year, we’ve seen more and more of these reports and the trend is going to continue.”
Let’s Encrypt has taken great strides toward fulfilling its promise of bringing free encryption and SSL to the web by simplifying and automating the process. Let’s Encrypt isn’t alone; Amazon, Cloudflare and others also offer free SSL certs in one form or another. Let’s Encrypt uses ACME (Automated Certificate Management Environment), an open API, to automate certificate requests and issuance. And it’s working; in October, Mozilla telemetry that was made public showed that for the first time, more than half of all traffic in transit is encrypted.
“There are going to be more demands on CAs and more and more machines doing requests,” Bocek said, adding that while ACME is great for efficiency, it is taking people out of the process. He recommends that organizations familiarize themselves with NIST guidance on preparing for and responding to CA compromises.
“Everyone,” Bocek said, “needs to have a plan and an automated way to get around this.”