Web hosting provider GoDaddy has revoked close to 9,000 SSL certificates as a precautionary measure, after discovering a bug in the validation process.
The bug allowed certificates to be validated even if the validation code provided by GoDaddy as the Certificate Authority was not found on the customer’s website, if “certain web server configurations were used,” according to the company.
The bug was introduced during a routine code update on July 29, 2016, and was discovered by the company on Jan. 6, 2017. The company revoked the certificates on Tuesday, and says it has already submitted new certificate requests on behalf of the roughly 6,100 customers affected.
Customers can initiate the certificate process from the SSL Panel in their GoDaddy account. In the meantime, security measures enabled by the certificate, such as encryption, remain in place, though some browsers will apply warnings to affected sites until their certificate is reissued.
“Prior to the bug, the library used to query the website and check for the code was configured to return a failure if the HTTP status code was not 200 (success),” GoDaddy VP and General Manager of Security Products Wayne Thayer writes. “A configuration change to the library caused it to return results even when the HTTP status code was not 200. Since many web servers are configured to include the URL of the request in the body of a 404 (not found) response, and the URL also contained the random code, any web server configured this way caused domain control verification to complete successfully.”
Thayer also said that GoDaddy is not aware of any malicious exploitation of the bug, which affected less than two percent of the certificates issued during the period. The company has also re-verified domain control on all certificates issued in the same way and time period. GoDaddy will install reissued certificates for customers whose websites it hosts, while those using GoDaddy only as a CA will need to install them themselves once notified of their availability.