GoDaddy has revoked 8850 SSL certificates after the hosting service discovered a bug affecting domain validation.
The bug dates from July 2016. According to a blog post by the company, “GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process”. The bug would cause the domain validation process to fail in certain cases. The problem affected over 6000 customers.
The problem was resolved as of 10 Jan and the certificates will now be reissued. Users have been instructed to initiate the new certificate process by going to the SSL panel in their accounts. Visitors to GoDaddy-hosted websites may receive error messages from their browsers until the new certificates have been issued.
This is apparently the first time that GoDaddy has experienced such a problem and the company is “unaware of any customer websites being misused as a result of the software bug.”
SSL certificates are used to protect the transmission of private data between computers. Their presence is often shown as a green padlock icon in the URL bar of many browsers.
Mark James, IT security specialist at ESET, told SC Media UK, “If this system is not working but still displays the visual assurance then you may not be as safe as you think you are.”
An insecure certificate can be exploited with a man-in-the-middle attack, wherein an attacker gets in between two communicating computers and harvests the information being transmitted: “If an attacker would have found or taken advantage of the GoDaddy issue they could have technically done any of the above. GoDaddy has revoked the certificates to re-issue working ones that will once again enforce its security.”