Slashdot Mirror


Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com)

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

33 comments

  1. Hard to believe by Anonymous Coward · · Score: 1

    Hard to believe anyone still uses GoDaddy for anything at all.

    1. Re:Hard to believe by chipschap · · Score: 1

      I've had luck hosting my website with them for a good 15 years. Of course I don't do ecommerce and my needs aren't super complex. Their prices have been okay and I've had very little site downtime.

      If you need help, though .... well ... I'm glad I've not needed to call them more than about twice in all that time.

    2. Re:Hard to believe by dgatwood · · Score: 2

      I tried hosting a site with them, and found that all the stupid WordPress hosting on the same site resulted in horribly inconsistent performance, with requests frequently taking only two or three seconds to send back the data, but waiting twenty or thirty seconds to *start* sending data.

      I asked them to move me to a server that was less overloaded with bloated WP instances, since my site was a trivial static content site. They said no. I pulled the plug and got a refund.

      To make a long story short, after trying other shared hosting providers with mostly poor luck, I now have a Mac Mini colocated in a data center in Wisconsin.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Hard to believe by freeze128 · · Score: 1

      The moral of the above story: A mac mini out-performs GoDaddy's web servers.

    4. Re:Hard to believe by drinkypoo · · Score: 1

      I am using nosupportlinuxhosting, it is adequate for my vanity blog. But then, my last ISP-employed friend just quit. I could have colocated something at her place of employment, but I'd have to be relocating it right now.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  2. No, I don't trust CA's by Anonymous Coward · · Score: 0

    I refuse to use a cert signed by idiots.

  3. Forcing https is an attack on our freedom by Anonymous Coward · · Score: 0

    You are at the mercy of some corporation to allow you a certificate.
    It's a trap.

    1. Re: Forcing https is an attack on our freedom by mmell · · Score: 1

      I agree. So is forcing vaccination of school children, auto insurance, minimum wage, taxes, selective service registration, . . .

    2. Re:Forcing https is an attack on our freedom by CaptainDork · · Score: 1

      Our freedoms are documented and a word search for, "certificate," returns null.

      --
      It little behooves the best of us to comment on the rest of us.

    3. Re: Forcing https is an attack on our freedom by Anonymous Coward · · Score: 0

      Spoken Like a true Homosexual!

      I am sorry for your non pussy grabbing abilities!

    4. Re:Forcing https is an attack on our freedom by Anonymous Coward · · Score: 0

      Can't you just create your own CA or use Letsencrypt?

    5. Re: Forcing https is an attack on our freedom by dbIII · · Score: 0

      It's going to be uuuuge and he's going to cover us with showers of gold.

    6. Re: Forcing https is an attack on our freedom by Anonymous Coward · · Score: 0

      I would even say Humongous!

    7. Re: Forcing https is an attack on our freedom by CaptainDork · · Score: 1

      Sorry that button broke back when the comeback for you bubble-gummers was:

      "I'm not gay but my boyfriend is."

      --
      It little behooves the best of us to comment on the rest of us.

  4. GoDaddy is HORRIBLE. by rahvin112 · · Score: 1

    GoDaddy is HORRIBLE. You've got to be a FOOL to use them as a registrar and the reasons why are not difficult to find.

    But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff.

    1. Re: GoDaddy is HORRIBLE. by mmell · · Score: 1

      What's so bad about GoDaddy? Except for not having commercials with scantily-clad hotties anymore, that is.

    2. Re:GoDaddy is HORRIBLE. by CaptainDork · · Score: 1

      But outside EV certificates everyone should ...

      What should everyone inside EV certificates do?

      --
      It little behooves the best of us to comment on the rest of us.

    3. Re:GoDaddy is HORRIBLE. by Anonymous Coward · · Score: 1

      Let's Encrypt?

      Are you referring to the same Let's Encrypt that accidentally disclosed over 7600 of its users' email addresses during a mass mailing?

      That sort of mistake is a pretty big fuck up for any organization, and it's especially terrible for one that's supposed to be focusing on security-related matters.

    4. Re:GoDaddy is HORRIBLE. by Anonymous Coward · · Score: 0

      If you are going to hide your email, you probably paid extra for the "privacy" feature to your registrar. If you really care, then you would also pay more for an EV cert. If you have a hobby site, or test site, or messing around, it's nice to have free certs.

    5. Re: GoDaddy is HORRIBLE. by freeze128 · · Score: 3, Insightful

      Their phone support is poor because they have gotten so large, that they need a giant call center. If you're working on a complex problem with them, you will never get connected to the same agent twice. It's like starting over every single time.

      They offer POP/IMAP mail services that don't exactly adhere to the standards, and have arbitrary limitations, like how many folders you can create.

      I'm sure others will be happy to post other GoDaddy nightmares.

    6. Re:GoDaddy is HORRIBLE. by mrbester · · Score: 1

      Inside EV certificates it's too dark to decrypt.

      Oh, wait. Wrong joke.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"

    7. Re:GoDaddy is HORRIBLE. by CaptainDork · · Score: 1

      It was the right joke.

      Thanks.

      --
      It little behooves the best of us to comment on the rest of us.

    8. Re:GoDaddy is HORRIBLE. by Anonymous Coward · · Score: 0

      Crying about your email address is like crying about your social security number. It's not a secret, and it isn't meant to be.

    9. Re: GoDaddy is HORRIBLE. by buchanmilne · · Score: 1

      "But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff."

      There are other low-maintenance ways to get certificates, and they don't require you to put all of your trust in one organisation who has no obligations to you.

      For all internal uses, we use an internal CA that will automatically renew renewal requests signed by the key of a currently-valid but almost-expiring cert, and an SCEP client run from cron that will check all certs and enroll for renewals (as well as enroll for the initial cert).

      For public certs the certs we renewed before letsencrypt went live are still valid, so for non-security-critical ones we may consider letsencrypt a month or two before those certs expire.

    10. Re: GoDaddy is HORRIBLE. by Anonymous Coward · · Score: 0

      Aside from woeful customer support, over-provisioned servers, and tasteless advertising? Let's see, how about actively lobbying for Internet censorship through the SOPA and E-PARASITE acts?

    11. Re:GoDaddy is HORRIBLE. by Anonymous Coward · · Score: 0

      Having a public email address is hardly a security-related concern. Most of those addresses were already published in the WHOIS database anyway.
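The renewal policy buchanmilne describes in comment 9 above (the CA renews only on a request signed with the key of a currently-valid but almost-expiring certificate), as an added example that is neither that commenter's setup nor any SCEP implementation. The CA, the host name intranet.example, the 14-day renewal window and the three constructed certificates are assumptions for the example; it also adds a same-name check that the comment does not mention, since a renewal must not be allowed to turn into enrollment for a new name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is how close to expiry a certificate must be before the CA
// renews it on the strength of the old key alone (an assumption for the example).
const RenewalWindow = 14 * 24 * time.Hour

// must is for the constructed demo data only; a failure here is a bug in the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RenewalRequest is what the host's cron job submits: a CSR for the same name,
// signed with the private key of the certificate it already holds.
func RenewalRequest(key *ecdsa.PrivateKey, dnsName string) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// AuthorizeRenewal is the CA-side policy: approve only a CSR that proves possession
// of the key behind a currently-valid, soon-expiring certificate this CA issued, for the same name.
func AuthorizeRenewal(ca, current *x509.Certificate, csr *x509.CertificateRequest, now time.Time) error {
	if err := csr.CheckSignature(); err != nil { // the CSR is signed by the key it carries
		return err
	}
	curPub, ok1 := current.PublicKey.(*ecdsa.PublicKey)
	csrPub, ok2 := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok1 || !ok2 || !curPub.Equal(csrPub) { // and that key is the current certificate's key
		return fmt.Errorf("CSR key does not match the current certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := current.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("current certificate rejected: %w", err) // expired, or not issued by this CA
	}
	if left := current.NotAfter.Sub(now); left > RenewalWindow {
		return fmt.Errorf("not in renewal window: %s left", left.Round(time.Hour))
	}
	if len(csr.DNSNames) != 1 || len(current.DNSNames) != 1 || csr.DNSNames[0] != current.DNSNames[0] {
		return fmt.Errorf("name changed: a new name needs full enrollment, not renewal")
	}
	return nil
}

// Demo builds a constructed internal CA, issues three certificates for one host with
// different validity periods, and returns the CA's verdict on four renewal attempts.
func Demo() map[string]error {
	now, day, name := time.Now(), 24*time.Hour, "intranet.example"
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	hostKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	impostorKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // never held a cert for name
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-400 * day), NotAfter: now.Add(3650 * day),
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	serial := int64(1)
	issue := func(notBefore, notAfter time.Time) *x509.Certificate { // host cert bound to hostKey
		serial++
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
			NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &hostKey.PublicKey, caKey))))
	}
	expiring := issue(now.Add(-358*day), now.Add(7*day))
	fresh := issue(now.Add(-day), now.Add(364*day))
	expired := issue(now.Add(-400*day), now.Add(-day))
	hostCSR := must(RenewalRequest(hostKey, name))
	impostorCSR := must(RenewalRequest(impostorKey, name))
	return map[string]error{
		"expiring cert, host key":     AuthorizeRenewal(ca, expiring, hostCSR, now),
		"fresh cert, host key":        AuthorizeRenewal(ca, fresh, hostCSR, now),
		"expired cert, host key":      AuthorizeRenewal(ca, expired, hostCSR, now),
		"expiring cert, impostor key": AuthorizeRenewal(ca, expiring, impostorCSR, now),
	}
}

func main() { fmt.Println(Demo()) }
```

Only the first attempt should come back nil. The order of the checks matters: the CSR's own signature and the key match are verified before the CA spends any effort on chain building, and an expired certificate fails `Verify` rather than the window check, so a host that let its cert lapse has to go through initial enrollment again, which is exactly the property the comment relies on.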

  5. Cohen's story is falling apart by Anonymous Coward · · Score: 0

    Cohen says he's never been to Prague and as proof offers his passport to Steven Bannon (Trump's man) who says he saw no Prague stamp. He then showed pages via video call to Yahoo news.

    "It appeared to show stamps dated from 2009 until late 2016 from visits to France, Hong Kong, Macau, Scotland, Anguilla, St. Maarten, St. Bart’s, Georgia, Kazakhstan and Turkey. The trips to Georgia and Kazakhstan all seemed to be dated from 2010 to 2012. Cohen promised to allow Yahoo News to examine the document at Trump’s press conference on Wednesday."

    No Italy stamp. He said he'd visited Italy in July, yet no Italy stamp, and the France stamp is late 2016, there's no other stamp that could be his claimed Italy trip.

  6. Everyone is at risk, not just GoDaddy customers by Anonymous Coward · · Score: 0

    The article makes it sound like this is a security issue affecting only GoDaddy's customers, but that's not how SSL certificates work. If there is a failure of GoDaddy's domain validation process, it does not mean that third parties can obtain false certificates for the domains of GoDaddy customers, it means that GoDaddy customers can obtain false certificates for the domains of third parties.

    And since anyone can become a GoDaddy customer, effectively anyone can obtain a false certificate for anyone else's domain. For example, if I wanted a false certificate for google.com, I would become a GoDaddy customer and request a certificate for google.com. GoDaddy would send me a validation code and look for it on the google.com web server. If GoDaddy's system will then "provide a positive result to the search, even if the code was not found", as they say in their statement, it means I will be granted the certificate for google.com.

    If there is some aspect of the bug that makes this attack not work, GoDaddy's statement completely fails to explain it.

    1. Re:Everyone is at risk, not just GoDaddy customers by Anonymous Coward · · Score: 0

      Don't you mean TLS? ;o)
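The attack described in comment 6 above, as an added example that is not GoDaddy's code and not a description of their implementation. It models the HTTP variant of domain validation: the CA hands the requester a random token and then looks for it at a well-known path on the domain being validated. The path, the injected fetcher and the two in-memory sites are constructed for the example, and GoDaddy's statement only describes the symptom (a positive result even when the code was not found), so the "wrong default" shape of `BuggyCheck` is an assumption about the bug's form, not their actual defect.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenPath is where this toy CA looks for the validation token (an assumption
// for the example, not GoDaddy's real path).
const tokenPath = "/.well-known/pki-validation/token.txt"

// Fetcher retrieves tokenPath from a domain. It is injected so the example runs
// offline; a real CA resolves the name through public DNS first.
type Fetcher func(domain string) (status int, body string, err error)

// BuggyCheck has the shape of bug the statement describes: the result starts
// out "found" and nothing ever clears it, so a missing file, a 404 and a
// connection error all validate.
func BuggyCheck(fetch Fetcher, domain, token string) bool {
	found := true // wrong default
	status, body, err := fetch(domain)
	if err == nil && status == http.StatusOK && strings.Contains(body, token) {
		found = true // only ever confirms the default
	}
	return found
}

// Check is the default-deny version: the fetch must succeed with 200 and the
// body must equal the token the CA handed out for this request.
func Check(fetch Fetcher, domain, token string) (bool, error) {
	status, body, err := fetch(domain)
	if err != nil {
		return false, err
	}
	if status != http.StatusOK {
		return false, fmt.Errorf("%s: status %d", domain, status)
	}
	got := strings.TrimSpace(body)
	if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
		return false, errors.New(domain + ": token not found")
	}
	return true, nil
}

// siteHandler stands in for a domain's web server: it serves body at tokenPath,
// or 404 when the domain has no such file.
func siteHandler(body string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != tokenPath || body == "" {
			http.NotFound(w, r)
			return
		}
		io.WriteString(w, body)
	})
}

// Verdict records whether each check would issue the certificate.
type Verdict struct {
	BuggyIssuesVictim bool // attacker requests victim.example, buggy check
	FixedIssuesVictim bool // same request, fixed check
	FixedIssuesOwn    bool // attacker requests attacker.example, fixed check
}

// Scenario plays out the attack from the comment: a paying customer who controls
// attacker.example requests a certificate for victim.example, whose server never
// publishes the token. Both sites are constructed in memory.
func Scenario() (Verdict, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Verdict{}, err
	}
	token := fmt.Sprintf("%x", b) // fresh 128-bit token for this request
	sites := map[string]http.Handler{
		"attacker.example": siteHandler(token), // publishes the token it was given
		"victim.example":   siteHandler(""),    // has nothing at tokenPath
	}
	fetch := func(domain string) (int, string, error) {
		h, ok := sites[domain]
		if !ok {
			return 0, "", errors.New("no such host: " + domain)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", "http://"+domain+tokenPath, nil))
		return rec.Code, rec.Body.String(), nil
	}
	var v Verdict
	v.BuggyIssuesVictim = BuggyCheck(fetch, "victim.example", token)
	v.FixedIssuesVictim, _ = Check(fetch, "victim.example", token)
	v.FixedIssuesOwn, _ = Check(fetch, "attacker.example", token)
	return v, nil
}

func main() { fmt.Println(Scenario()) }
```

With the buggy check the victim's 404 validates and the attacker gets a certificate for a domain they do not control; with the default-deny check only the attacker's own domain passes. Note that the fixed check also has to treat a transport error as a failure: a CA that falls back to "positive" on timeouts is exploitable by anyone who can make the victim's server unreachable from the CA.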

  7. No matter your opinion of GoDaddy... by Anonymous Coward · · Score: 0

    ...this is the right way to respond to a problem. Unlike virtually any other tech company in the media lately, they found a problem, fixed it, announced what had happened, and are taking proactive remedial measures to make things right.

    If only all companies would do this.

  8. Sheer Torture by 0xG · · Score: 1

    Their domain validation process (as of yesterday) is sheer torture.
    It involves making changes to your DNS or your web site - something which, in a corporate environment, is far from trivial: change requests, etc.
    Oh, and if your domain is a third- or fourth-level domain (like whatever.co.uk or someschool.k12.ca.us) it is a complete FAIL.

    --
    A pox on web designers who feel that window.innerWidth == screen.availWidth