  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    18,473

    [EN] Thousands of bogus certs issued after GoDaddy bug blunder

    Buggy domain validation forces GoDaddy to revoke certs.

    Flaw unnoticed since July last year.


    Juha Saarinen
    Jan 12 2017



    Domain name registrar and hosting firm GoDaddy has been forced to revoke thousands of digital certificates this week, after a bug allowed them to be issued without proper validation.

    GoDaddy senior internet product and technology leader Wayne Thayer wrote that the company had been made aware of a flaw affecting its domain validation processing system over last weekend.

    The bug was introduced to GoDaddy's validation code back on July 30 last year, meaning a large number of digital certificates were subsequently issued without proper checks, Thayer admitted.

    The bug was discovered by a Microsoft customer, who emailed GoDaddy about the issue last weekend.

    Thayer said the bug was caused by the validation process completing successfully even if the control check returned an HTTP 404 (not found) status code when looking for the presence of data on a web page that demonstrated a customer controlled a domain.

    Prior to the bug being introduced in July, the domain validation process would only complete if it received an HTTP 200 (success) code.

    In total, Thayer said, 8850 certificates were issued without proper domain validation.

    In the time it took for GoDaddy to investigate the bug, the number of problematic certificates went up to 8951 as a further 101 certificates were issued using cached and potentially unverified domain validation information, Thayer said.

    GoDaddy has started revoking the affected certificates. Thayer said GoDaddy is not aware of "any malicious exploitation of this bug to procure a certificate for a domain that was not authorised."

    http://www.itnews.com.au/news/thousa...blunder-447178

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    18,473

    GoDaddy: Information about SSL bug

    Wayne Thayer | VP and General Manager of Security Products at GoDaddy
    January 10, 2017

    On Friday, Jan. 6, we learned about a bug that impacted our SSL certification validation process. The bug was introduced on July 29, 2016, and impacted less than 2 percent of the certificates issued from July 29, 2016, to Jan. 10, 2017. It affected approximately 6,100 customers. The software bug that created the issue has been remedied. We continue to closely monitor the system. We will revoke these certificates at 9 p.m. (PST) Jan. 10, 2017. We are actively working with our customers to reissue their SSL certificates.

    GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances.

    In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website. When their system searches and finds the code, the validation is complete.

    However, when the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found.

    Instructions for affected GoDaddy SSL customers

    For customers who were impacted, we have already submitted a new certificate request on your behalf at no additional cost. You simply need to log in to your GoDaddy account; once there, go to your SSL Panel and initiate the certificate process.

    This process will be identical to the process you followed when your previous certificates were issued. The SSL Panel provides information and instructions that should allow you to easily process the certificate online. The time it takes for a new certificate to issue will vary depending on each customer’s circumstances, but please know we are working diligently to get all new certificates issued as quickly as possible.

    We deeply apologize for the inconvenience to our customers.

    Since 2004, we’ve issued nearly 10 million certificates. This is the first time we’ve experienced an issue of this nature, and although only a small fraction of our certificate customers were impacted, we take the impact seriously.


    SSL bug FAQ

    What is the specific problem with the SSL certificates, and has the problem been fixed?

    Due to a software bug that GoDaddy inadvertently introduced during a routine code change intended to improve our certificate issuance process, the domain validation process for a small percentage of our recently issued certificates failed. In accordance with industry standards as a Certificate Authority, the potentially impacted certificates were revoked as a precautionary measure (effective 9 p.m. (PST) January 10). The software bug that created the issue has been remedied. We continue to closely monitor the system.

    What does it mean for a website when its certificate is revoked? Will the website go offline?

    The website will not go offline; it will continue to resolve, even though the certificate is revoked. Visitors to a website with a revoked certificate might see error messages and/or warnings, which are issued by the browser used by the website visitor (e.g., Chrome, Firefox, Safari, IE, etc.). However, if a new certificate is obtained and installed before the existing certificate is revoked, visitors to the website will not see any error messages/warnings.

    How do impacted customers obtain a new certificate for their website, and how long will it take?

    For impacted customers, we have already submitted a new certificate request on their behalf at no additional cost. Those impacted customers simply need to log in to their GoDaddy account at www.godaddy.com. Once there, go to the SSL Panel and initiate the certificate process.

    This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.) The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.

    The time it takes for a new certificate to issue will vary depending on the customer’s circumstances, but please know we are working diligently to get all new certificates issued as quickly as possible.

    Does revocation of my certificate impact the security of visitors to my website?

    Not in this case. Although the certificate has been revoked, and various browsers might issue a warning message, revocation of the certificate does not eliminate encryption and other security measures enabled by the certificate.

    Was my website misused by an unknown third party?

    We are unaware of any customer websites being misused as a result of the software bug.

    How will I know when a new certificate has been issued?

    We will send a notification to the customer via email.

    What additional steps must a customer take after the new certificate is issued?

    Customers whose websites are hosted at GoDaddy do not need to do anything once the new certificate is issued; GoDaddy will handle the installation of the new certificate on the customer’s website. However, those customers whose sites are hosted elsewhere will need to install the new certificate on their websites once they are notified it is available.

    https://www.godaddy.com/garage/godad...about-ssl-bug/
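The two posts above describe the same check from two angles: the iTnews piece says validation completed even when the fetch returned HTTP 404 instead of the HTTP 200 the pre-July code required, and GoDaddy's own write-up says certain web server configurations gave the token search a positive result even though the code was not on the page. The following is an added example, not code from GoDaddy or from either article, that models that HTTP-based domain-validation step in Python with the weak acceptance logic beside a hardened one. All names (`weak_validation`, `strict_validation`, `HttpResponse`, `CHECK_PATH`) and the sample responses are constructed for illustration; the idea that a 404 page can echo the requested URL, and so contain the token, is an assumption used here to explain how a "not found" response could still match, not something the posts state.

```python
"""Toy model of a CA's HTTP domain-validation check (added example, hypothetical names)."""
from dataclasses import dataclass

# Constructed: the random code the CA asks the applicant to publish on the site.
TOKEN = "a3f9c0e1d2b7"
# Constructed: the path the CA fetches. Real CAs' path layouts may differ.
CHECK_PATH = f"/.well-known/pki-validation/{TOKEN}.txt"


@dataclass(frozen=True)
class HttpResponse:
    """Minimal stand-in for the reply the CA's fetcher receives."""
    status: int
    body: str


def weak_validation(resp: HttpResponse) -> bool:
    """Models the flawed behaviour the posts describe: the check passes whenever the
    token appears anywhere in the body and never looks at the status code. A 404
    error page that echoes the requested URL (assumed mechanism) therefore contains
    the token and is accepted even though the applicant never published it."""
    return TOKEN in resp.body


def strict_validation(resp: HttpResponse) -> bool:
    """Hardened check: require HTTP 200, as the pre-bug code did, and additionally
    require the whole body (whitespace trimmed) to equal the token, so a page that
    merely mentions the token (error page, catch-all page, listing) does not pass.
    The exact-match rule goes beyond the posts, which only mention the status code."""
    if resp.status != 200:
        return False
    return resp.body.strip() == TOKEN


def compare(resp: HttpResponse) -> dict:
    """Run both checks on one response so the difference is visible side by side."""
    return {"weak": weak_validation(resp), "strict": strict_validation(resp)}


# Constructed sample responses (not captured traffic).
GOOD = HttpResponse(200, TOKEN + "\n")
# A server whose 404 page echoes the requested path, and with it the token.
ECHOING_404 = HttpResponse(
    404, f"<h1>Not Found</h1><p>The requested URL {CHECK_PATH} was not found.</p>"
)
# A catch-all page that answers 200 for any path and reflects it, but is not the token file.
CATCHALL_200 = HttpResponse(200, f"<html><body>You asked for {CHECK_PATH}</body></html>")
# A plain 404 with no echo; neither check accepts it.
PLAIN_404 = HttpResponse(404, "<h1>Not Found</h1>")

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("echoing_404", ECHOING_404),
                       ("catchall_200", CATCHALL_200), ("plain_404", PLAIN_404)]:
        print(f"{name:13} status={resp.status} {compare(resp)}")
```

The point a CA operator would take from running it: `ECHOING_404` and `CATCHALL_200` both pass the substring search, which is exactly the class of response the posts say slipped through, and both fail once the status code is enforced and the body must be the token and nothing else. The status-code rule alone, which is what the posts say the fix restored, is what rejects the 404 case; the exact-match rule is the extra margin against a 200 page that happens to reflect the request.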
