Web host and internet domain registrar GoDaddy has been forced to revoke thousands of SSL certificates in order to prevent hackers from exploiting a serious security vulnerability that removes HTTPS encryption from websites, meaning that many websites were left insecure over the holiday period.
GoDaddy is a certificate authority that routinely issues SSL certificates, which are small data files that protect users' data on websites and enable HTTPS encryption. You probably know HTTPS as the little padlock symbol that appears in the address bar of a web browser, indicating that the connection to a website is secure. This keeps your financial transactions on websites safe, for example during online shopping.
In a report posted to an online developer group, GoDaddy explained that the security bug was first spotted by a Microsoft customer who was having problems with certificate requests relating to domain validation. The customer told Microsoft, which emailed GoDaddy on 3 January, but due to the holiday season GoDaddy only picked up the email on 6 January.
The cause of the security vulnerability was a change to GoDaddy's software code that was meant to improve the certificate issuance process. Instead, it caused thousands of SSL certificates to fail to validate domains, which means that the SSL certificates essentially became duds, like a broken lock that looks closed but no longer locks. Due to the glitch, HTTPS encryption on affected websites could easily be bypassed, which would enable hackers to steal customer data during transactions.
8,850 SSL certificates revoked
GoDaddy says that the error was fixed on 6 January and that it is not aware of any malicious attempts to exploit the security vulnerability. The domain registrar then compiled a list of 8,951 affected certificates by 9 January and began validating their domains.
For those that it could not validate, it decided to revoke the certificates completely as a security measure. The firm was forced to revoke a total of 8,850 SSL certificates, which affected 6,100 customers, but it says that the revoked SSL certificates make up less than 2% of the total number of certificates issued during the period.
Affected GoDaddy customers have been notified and asked to install a free replacement certificate. All defective certificates have since been revoked, which means affected websites are secure and HTTPS encryption is still working, but site visitors will see error messages until the replacement certificate has been installed.
"While we are confident that we have completely resolved the problem, we are watching our system closely to ensure that no more certificates are issued without proper domain validation, and we will take immediate action and report any further issues if found," GoDaddy's VP and general manager of security products Wayne Thayer said in the report.
"A full post-mortem review of this incident will occur and steps will be taken to prevent a recurrence, including the addition of automated tests designed to detect this type of scenario."
New validation requirements to be implemented shortly
In response to comments on the group, Thayer explained that GoDaddy validates SSL certificates by verifying that the domain name of the site matches the one listed in the certificate, and that the certificate is linked to a trusted root certificate in the Java root store. If either of these requirements is not met, the certificate fails validation.
"As soon as we discovered the bug, we ran a report to identify every certificate that didn't fail the domain validation check during the period the bug was active. We then started scanning websites to see which ones were able to re-pass the proper validation check. If they passed, we removed the certificate from the list. If we were unable to revalidate the certificate, we revoked it. If there was any question if the certificate was properly verified, we revoked it," said Thayer.
Any subsequent SSL certificates issued since the incident have been tested using domains registered by Microsoft and GoDaddy employees. GoDaddy also says it is working to implement new requirements from the CA/Browser Forum's Validation Working Group before 1 March.
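The revalidation scan Thayer describes (re-check each affected site for a name match and a trusted chain, keep only clean passes, revoke everything else) can be sketched as a small Python scanner. This is an added example, not GoDaddy's code: it uses the system trust store via Python's ssl module rather than the Java root store the article mentions, and the domain names and the fake_handshake stand-in are constructed so the logic can run offline.

```python
import socket
import ssl

# Scan outcomes (labels constructed for this example).
PASS, HOSTNAME_MISMATCH, UNTRUSTED_CHAIN, UNREACHABLE = (
    "pass", "hostname-mismatch", "untrusted-chain", "unreachable")

def tls_handshake(domain, timeout=5.0):
    """Live check: TLS handshake with hostname checking on and the system trust
    store. Raises ssl.SSLCertVerificationError if the name or chain fails."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((domain, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain):
            pass  # a completed handshake is all we need

def classify(domain, handshake=tls_handshake):
    """Map one handshake attempt to a scan outcome."""
    try:
        handshake(domain)
    except ssl.SSLCertVerificationError as exc:
        # Name and chain failures share one exception type; the verify message
        # tells them apart ("Hostname mismatch, ..." vs e.g. "self signed certificate").
        msg = (getattr(exc, "verify_message", None) or str(exc)).lower()
        return HOSTNAME_MISMATCH if "hostname mismatch" in msg else UNTRUSTED_CHAIN
    except (ssl.SSLError, OSError):
        return UNREACHABLE
    return PASS

def revalidate(domains, handshake=tls_handshake):
    """Keep only certificates that re-pass cleanly; anything else, including an
    unreachable host, counts as 'any question' and goes on the revoke list."""
    keep, revoke = [], {}
    for domain in domains:
        outcome = classify(domain, handshake)
        if outcome == PASS:
            keep.append(domain)
        else:
            revoke[domain] = outcome
    return keep, revoke

def fake_handshake(domain):
    """Constructed offline stand-in for tls_handshake (demo only)."""
    if domain == "good.example":
        return
    if domain == "mismatch.example":
        raise ssl.SSLCertVerificationError("certificate verify failed: Hostname mismatch, certificate is not valid for 'mismatch.example'.")
    if domain == "selfsigned.example":
        raise ssl.SSLCertVerificationError("certificate verify failed: self signed certificate")
    raise OSError("connection refused")
```

Pass `revalidate(domains)` with the default handshake to scan real hosts; with `fake_handshake` it returns `(["good.example"], {...})` with the three failing hosts bucketed by reason.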