Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com)

← Back to Stories (view on slashdot.org)

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com)

Posted by BeauHD on Wednesday January 11, 2017 @01:25PM from the time-to-take-action dept.

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

17 of 33 comments (clear)

Min score:

Reason:

Sort:

Hard to believe by Anonymous Coward · 2017-01-11 13:48 · Score: 1

Hard to believe anyone still uses GoDaddy for anything at all.
1. Re:Hard to believe by chipschap · 2017-01-11 14:00 · Score: 1
  
  I've had luck hosting my website with them for a good 15 years. Of course I don't do ecommerce and my needs aren't super complex. Their prices have been okay and I've had very little site downtime.
  If you need help, though .... well ... I'm glad I've not needed to call them more than about twice in all that time.
2. Re:Hard to believe by dgatwood · 2017-01-11 16:32 · Score: 2
  
  I tried hosting a site with them, and found that all the stupid WordPress hosting on the same site resulted in horribly inconsistent performance, with requests frequently taking only two or three seconds to send back the data, but waiting twenty or thirty seconds to *start* sending data.
  I asked them to move me to a server that was less overloaded with bloated WP instances, since my site was a trivial static content site. They said no. I pulled the plug and got a refund.
  To make a long story short, after trying other shared hosting providers with mostly poor luck, I now have a Mac Mini colocated in a data center in Wisconsin.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
3. Re:Hard to believe by freeze128 · 2017-01-11 18:52 · Score: 1
  
  The moral of the above story: A mac mini out-performs GoDaddy's web servers.
4. Re:Hard to believe by drinkypoo · 2017-01-12 01:15 · Score: 1
  
  I am using nosupportlinuxhosting, it is adequate for my vanity blog. But then, my last ISP-employed friend just quit. I could have colocated something at her place of employment, but I'd have to be relocating it right now.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
GoDaddy is HORRIBLE. by rahvin112 · 2017-01-11 14:46 · Score: 1

GoDaddy is HORRIBLE. You've got to be a FOOL to use them as a registrar and the reasons why are not difficult to find.
But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff.
1. Re: GoDaddy is HORRIBLE. by mmell · 2017-01-11 14:52 · Score: 1
  
  What's so bad about GoDaddy? Except for not having commercials with scantily-clad hotties anymore, that is.
2. Re:GoDaddy is HORRIBLE. by CaptainDork · 2017-01-11 15:09 · Score: 1
  
  But outside EV certificates everyone should ...
  What should everyone inside EV certificates do?
  
  --
  It little behooves the best of us to comment on the rest of us.
3. Re:GoDaddy is HORRIBLE. by Anonymous Coward · 2017-01-11 15:27 · Score: 1
  
  Let's Encrypt?
  Are you referring to the same Let's Encrypt that accidentally disclosed over 7600 of its users' email addresses during a mass mailing?
  That sort of mistake is a pretty big fuck up for any organization, and it's especially terrible for one that's supposed to be focusing on security-related matters.
4. Re: GoDaddy is HORRIBLE. by freeze128 · 2017-01-11 18:57 · Score: 3, Insightful
  
  Their phone support is poor because they have gotten so large, that they need a giant call center. If you're working on a complex problem with them, you will never get connected to the same agent twice. It's like starting over every single time.
  
  They offer POP/IMAP mail services that don't exactly adhere to the standards, and have arbitrary limitations, like how many folders you can create.
  
  I'm sure others will be happy to post other GoDaddy nightmares.
5. Re:GoDaddy is HORRIBLE. by mrbester · 2017-01-11 20:58 · Score: 1
  
  Inside EV certificates it's too dark to decrypt.
  Oh, wait. Wrong joke.
  
  --
  "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
6. Re:GoDaddy is HORRIBLE. by CaptainDork · 2017-01-12 03:53 · Score: 1
  
  It was the right joke.
  Thanks.
  
  --
  It little behooves the best of us to comment on the rest of us.
7. Re: GoDaddy is HORRIBLE. by buchanmilne · 2017-01-12 06:23 · Score: 1
  
  "But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff."
  There are other low-maintenance ways to get certificates, and they don't require you to put all of your trust in one organisation who has no obligations to you.
  For all internal uses, we use an internal CA that will automatically renew renewal requests signed by the key of a currently-valid but almost-expiring cert, and an scep client run from cron that will check all certs and enroll for renewals (as well as enroll for the initial cert).
  For public certs the certs we renewed before letsencrypt went live are still valid, so for non-security-critical ones we may consider letsencrypt a month or two before those certs expire.
Re: Forcing https is an attack on our freedom by mmell · 2017-01-11 14:49 · Score: 1

I agree. So is forcing vaccination of school children, auto insurance, minimum wage, taxes, selective service registration, . . .
Re:Forcing https is an attack on our freedom by CaptainDork · 2017-01-11 15:05 · Score: 1

Our freedoms are documented and a word search for, "certificate," returns null.

--
It little behooves the best of us to comment on the rest of us.
Re: Forcing https is an attack on our freedom by CaptainDork · 2017-01-12 12:59 · Score: 1

Sorry that button broke back when the comeback for you bubble-gummers was:
"I'm not gay but my boyfriend is."

--
It little behooves the best of us to comment on the rest of us.
Sheer Torture by 0xG · 2017-01-13 04:29 · Score: 1

Their domain validation process (as of yesterday) is sheer torture.
It involves making changes to your DNS or your web site - something which, in a corporate environment, is far from trivial: change requests, etc.
Oh , and if your domain is a third- or fourth-level domain (like whatever.co.uk or someschool.k12.ca.us) it is a complete FAIL.

--
A pox on web designers who feel that window.innerWidth == screen.availWidth