Bugzilla #1484766
Certificate Misissuance
GoDaddy: Random Value Vulnerability in Domain Validation Method
RESOLVED
FIXED
GoDaddy
AI Summary
GoDaddy identified a vulnerability in one of its domain validation methods that allowed certificates to be issued without the domain's control being properly verified. The issue, introduced in November 2014, affected 865 certificates. Upon discovery, GoDaddy revoked all affected certificates within 24 hours and has since improved its incident management processes to prevent similar occurrences. The root cause was an oversight in verification of the random value (token) used in the validation method, which has since been addressed.
Chronology
- Exploitation of the issue surfaced as a possible revocation event.
- All identified certificates revoked.
- Further certificates identified and revoked.
Participants
Wayne Thayer
Daymion Reynolds
External References
Similar Local Cases
GoDaddy: Improper DER results in failure to comply with RFC 5280 - Invalid characters in PrintableString
Hongkong Post / Certizen: Failure to report misissuance
DigiCert: Domain validation skipped
GoDaddy: Misissuance of Cross Signed Certs
Asseco DS / Certum: Non-BR-Compliant Issuance - Debian Weak Keys
GoDaddy: Edge Case for Data Reuse Outside of Timeframes
GoDaddy: Issued EV Wildcard Certificate
SECOM: Undisclosed intermediate certificates