: that they re-verified all the initially revoked certificates and removed the ones which passed from the CRL. Update GoDaddy have confirmed When we learned of this issue, we re-validated every affected certificate. If we were unable to properly validate, we revoked the certificate. That is how we got the total of 8,951 revoked certificates.[…]As soon as we discovered the bug, we ran a report to identify every certificate that didn’t fail the domain validation check during the period the bug was active. We then started scanning websites to see which ones were able to re-pass the proper validation check. If they passed, we removed the certificate from the list. If we were unable to revalidate the certificate, we revoked it. If there was any question if the certificate was properly verified, we revoked it. I still find this extremely dubious that they will modify the CRL. On 11th Jan ’17 . GoDaddy offer several means of verifying domain ownership before they will issue a certificate. One of these ways is through HTTP verification: They generate a nonce and you ensure a HTTP request to `yourdomain.com/nonce` responds to their request. What GoDaddy realised was that they had been accepting 404s as well as 200s when using this method, essentially completely invalidating it. To rectify the problem they , sending emails to the requesters saying it had happened. GoDaddy announced they had made a mistake revoked all the certificates they believed were issued this way One of many revocation notification emails we received on the day On the face of it this seems like a sensible and prudent thing to be doing given the nature of their business, and I’m not concerned about how they handled things up to here. What I’m really worried about is what happened next. too Unsure why we had received so many revocation notifications (we issue a lot of certificates for a lot of customers) we called our Premium Account Manager at GoDaddy (we buy a lot of certificates from them) and they explained the situation to us. One of the certificates we were particularly concerned about was a multi-domain certificate, as the customer would not have a fun time re-issuing it (this particular certificate has 29 SANs on it, ). GoDaddy informed us the HTTP verification method was not available at this time, and may not be for up to a few weeks. Instead we would need to go via another method such as DNS change. Accepting that we called our customer to let them know the bad news. you can see it for yourself This is where it gets weird. This certificate was definitely revoked. Browsers complained, and downloading the CRL referenced in the certificate we could plainly see the serial number in the list. I have taken a screengrab from the as well, just in case the results on the page change in the future: crt.sh page crt.sh page showing clearly the revocation and when it happened 30 minutes after giving the bad news to our customer however, we got a follow up call from them to say “thanks very much, that’s all working now.” A bit confused we looked in to it and, indeed, the certificate was no longer revoked! Didn’t appear on the CRL and the sites were working fine. No modification had been made to DNS for any further verification. While the outcome of this is good for our customer, it has a raised a huge concern for me with GoDaddy’s revocation policy. The CRL is supposed to be a one way system, and indeed stating the process cannot be reversed. GoDaddy even publish a policy Revoking your certificate cancels it and immediately removes HTTPS from the website. Depending on your Web host, your website might display errors or become temporarily inaccessible. The process cannot be reversed. SSL I now consider GoDaddys revocation system highly flawed, and will be seeking a new partner for certificates for our clients. If you would like to independently verify this yourself then visit a site using the certificate in question and check the crt.sh revocation record . If anybody in authority would like to dig further I also have all phone calls between and our client recorded as well as the original emails. here here GoDaddy

Google

Mozilla

Too Long; Didn't Read

Questions about cloud security? Get answers here.

GoDaddy Revoked and then Un-Revoked a certificate without request

Too Long; Didn't Read

Companies Mentioned

Simon Green

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

GoDaddy Revoked and then Un-Revoked a certificate without request

Too Long; Didn't Read

Companies Mentioned

Simon Green

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES