
Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com) 33

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
  • by Anonymous Coward

    Hard to believe anyone still uses GoDaddy for anything at all.

    • I've had luck hosting my website with them for a good 15 years. Of course I don't do ecommerce and my needs aren't super complex. Their prices have been okay and I've had very little site downtime.

      If you need help, though .... well ... I'm glad I've not needed to call them more than about twice in all that time.

      • by dgatwood ( 11270 )

        I tried hosting a site with them, and found that all the stupid WordPress hosting on the same site resulted in horribly inconsistent performance, with requests frequently taking only two or three seconds to send back the data, but waiting twenty or thirty seconds to *start* sending data.

        I asked them to move me to a server that was less overloaded with bloated WP instances, since my site was a trivial static content site. They said no. I pulled the plug and got a refund.

        To make a long story short, after tr

        • The moral of the above story: A mac mini out-performs GoDaddy's web servers.
        • I am using nosupportlinuxhosting, it is adequate for my vanity blog. But then, my last ISP-employed friend just quit. I could have colocated something at her place of employment, but I'd have to be relocating it right now.

  • GoDaddy is HORRIBLE. You've got to be a FOOL to use them as a registrar and the reasons why are not difficult to find.

    But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff.

    • Comment removed based on user account deletion
      • by freeze128 ( 544774 ) on Thursday January 12, 2017 @01:57AM (#53652315)
        Their phone support is poor because they have gotten so large, that they need a giant call center. If you're working on a complex problem with them, you will never get connected to the same agent twice. It's like starting over every single time.

        They offer POP/IMAP mail services that don't exactly adhere to the standards, and have arbitrary limitations, like how many folders you can create.

        I'm sure others will be happy to post other GoDaddy nightmares.
    • But outside EV certificates everyone should ...

      What should everyone inside EV certificates do?

    • by Anonymous Coward

      Let's Encrypt?

      Are you referring to the same Let's Encrypt that accidentally disclosed over 7600 of its users' email addresses during a mass mailing [slashdot.org]?

      That sort of mistake is a pretty big fuck up for any organization, and it's especially terrible for one that's supposed to be focusing on security-related matters.

    • "But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff."

      There are other low-maintenance ways to get certificates, and they don't require you to put all of your trust in one organisation who has no obligations to you.

      For all internal uses, we use an internal CA that will automatic

  • Their domain validation process (as of yesterday) is sheer torture.
    It involves making changes to your DNS or your web site - something which, in a corporate environment, is far from trivial: change requests, etc.
    Oh, and if your domain is a third- or fourth-level domain (like whatever.co.uk or someschool.k12.ca.us) it is a complete FAIL.
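The DNS and web-site changes the comment describes are the two usual domain-validation methods, and the comment's complaint about multi-label domains is a good test case for any validator. As an added illustration (not GoDaddy's code and not from the page), here is a fail-closed validator with offline stand-in lookups; the `_validation.` TXT label, the well-known path, the token format and every record are constructed assumptions.

```python
import hmac
from typing import Callable, Dict, List

# Constructed stand-in records; a real CA would query live DNS and HTTP.
DNS_TXT: Dict[str, List[str]] = {
    "_validation.someschool.k12.ca.us": ["dv-token-abc123"],
    "_validation.example.com": ["stale-token-from-last-year"],
}
HTTP_BODY: Dict[str, str] = {
    "http://whatever.co.uk/.well-known/pki-validation/token.txt": "dv-token-xyz789\n",
}


def lookup_txt(name: str) -> List[str]:
    """Offline stand-in for a DNS TXT query (constructed data)."""
    return DNS_TXT.get(name.lower().rstrip("."), [])


def fetch_http(url: str) -> str:
    """Offline stand-in for an HTTP GET (constructed data)."""
    if url not in HTTP_BODY:
        raise ConnectionError(url)
    return HTTP_BODY[url]


def _matches(found: str, expected: str) -> bool:
    # Constant-time compare on bytes so non-ASCII junk cannot raise.
    return hmac.compare_digest(found.strip().encode(), expected.encode())


def validate_dns(domain: str, expected: str,
                 txt: Callable[[str], List[str]] = lookup_txt) -> bool:
    """DNS method: the exact requested name carries a TXT record with the token.
    The label count of `domain` (co.uk, k12.ca.us, ...) is irrelevant: the
    record is looked up under the full name, never a truncated parent."""
    return any(_matches(r, expected) for r in txt(f"_validation.{domain}"))


def validate_http(domain: str, expected: str,
                  fetch: Callable[[str], str] = fetch_http) -> bool:
    """HTTP method: a well-known file served by the domain holds the token."""
    try:
        body = fetch(f"http://{domain}/.well-known/pki-validation/token.txt")
    except (ConnectionError, OSError):
        return False  # unreachable or missing is a failure, never a pass
    return _matches(body, expected)


def validate(domain: str, expected: str) -> bool:
    """Fail closed: issue only when at least one method positively matches."""
    return validate_dns(domain, expected) or validate_http(domain, expected)
```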
