
Flawed GoDaddy security certificates show need for control

Vulnerabilities in digital security certificates highlight the need for organisations to be able to exercise more control over those certificates

The forced revocation of nearly 9,000 security certificates by domain registrar and web hosting company GoDaddy has further underlined the need for organisations to have better control over their certificates, say industry experts.

A Secure Sockets Layer certificate (SSL certificate) is a small data file installed on a web server that allows for a secure connection between the server and a web browser.

SSL certificates are issued from a trusted certificate authority (CA), but a bug affecting GoDaddy’s domain validation processing system resulted in 8,850 certificates being issued without proper domain validation, according to GoDaddy senior internet product and technology leader Wayne Thayer.

GoDaddy was alerted to the problem by Microsoft and began revoking the affected certificates after fixing the domain validation system, he said in a blog post.

According to Thayer, the bug was introduced to GoDaddy’s validation code in July 2016 and was caused by the validation process completing successfully even if the control check returned a 404 (not found) code.

Before the bug was introduced, the domain validation process would complete only if it received an HTTP 200 (success) code.
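The following is an added illustration, not GoDaddy's code: it contrasts a control check that ignores the HTTP status with one that accepts only a 200 response whose body is exactly the expected token. The token, the path and the sample responses are constructed, and the assumption that the check looks for a token in the response body is ours. The last sample, a 200 page that echoes the request, goes beyond the case described in the article.

```python
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def check_flawed(resp: Response, token: str) -> bool:
    # Models the bug class: the status code is never consulted, so any
    # response that happens to contain the token passes validation.
    return token in resp.body


def check_strict(resp: Response, token: str) -> bool:
    # Only HTTP 200 counts as success, and the body must be exactly the
    # token, so a page that merely echoes the request cannot pass.
    if resp.status != 200:
        return False
    return resp.body.strip() == token


# Constructed sample data (hypothetical token and path).
TOKEN = "constructed-token-5f2a9c"
PATH = f"/.well-known/validation/{TOKEN}.html"

SAMPLES = {
    "file placed by domain owner": Response(200, TOKEN + "\n"),
    "404 page echoing the path": Response(404, f"<h1>Not Found</h1><p>{PATH}</p>"),
    "unrelated 200 page": Response(200, "<html>welcome</html>"),
    "200 page echoing the path": Response(200, f"<p>No such page: {PATH}</p>"),
}


def audit(samples: dict, token: str) -> dict:
    # Returns {sample name: (flawed verdict, strict verdict)}.
    return {
        name: (check_flawed(resp, token), check_strict(resp, token))
        for name, resp in samples.items()
    }


if __name__ == "__main__":
    for name, (flawed, strict) in audit(SAMPLES, TOKEN).items():
        print(f"{name:30} flawed={flawed!s:5} strict={strict}")
```

Any row where the two verdicts differ is a certificate request that would have been approved without proof of domain control.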

“We have re-verified domain control on every certificate issued using this method of validation in the period from when the bug was introduced until it was fixed,” Thayer wrote.

Additional code changes were deployed to prevent the re-issuance of certificates using cached and potentially unverified domain validation information, he said.

“However, prior to identifying and shutting down this path, an additional 101 certificates were reissued using such cached and potentially unverified domain validation information, resulting in an overall total of 8,951 certificates that were issued without proper domain validation as a result of the bug,” he wrote.

Thayer said GoDaddy was not aware of “any malicious exploitation of this bug to procure a certificate for a domain that was not authorised”.


Kevin Bocek, chief cyber security strategist at security firm Venafi, said the incident at GoDaddy was not an isolated one for the CA industry. “Recently, an error by GlobalSign locked out traffic to its customers’ websites for days,” he said.

Trust in digital certificates enables the global economy and affects every internet user, business and government, said Bocek, but businesses rely on manual methods to manage them.

“To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly,” he said. “As the use of cloud, mobile and IoT [internet of things] devices drives an explosion in demand for digital certificates, businesses need to be prepared to respond to an increase in errors and security compromises from certificate authorities.”

Tim Bedard, director of digital trust analytics at Venafi, said the issue at GoDaddy foreshadowed much larger certificate authority issues on the horizon for every organisation.

Bedard suspects this incident may be public evidence of a larger DevOps and FastIT issue. “We know it’s tough for organisations to meet DevOps SLAs [service level agreements] and be secure at the same time,” he said. “As a result, many organisations take shortcuts with certificates in their DevOps development, test and production. It is entirely possible that time pressures introduced this security certificate vulnerability.

“Organisations often don’t have the visibility they need to solve problems like this and, as a result, they cannot respond in a timely fashion. Quite often, they can’t revoke and replace faulty certificates quickly. In fact, most organisations replace certificates manually, one at a time – a process that is insecure, lengthy and resource intensive.

“Security issues like this negatively impact any business with an online presence, and the weaker their cryptographic risk posture, the greater the negative impact.”
