GoDaddy: Failure to Revoke Subscriber Certificates within 24 hours
GoDaddy failed to revoke approximately 310,000 subscriber certificates within the required 24 hours after their private keys were exposed. This failure violated the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates. The incident was triggered by unauthorized access to GoDaddy's Managed WordPress hosting environment, which exposed subscriber private keys. Although GoDaddy made efforts to revoke the affected certificates, it exceeded the 5-day revocation requirement for a subset of them. GoDaddy provided a thorough incident report and subsequent updates detailing the actions taken and the ongoing remediation efforts.
- GoDaddy discovers unauthorized access to Managed WordPress hosting.
- Confirmation of exposed subscriber private keys.
- Preliminary incident report posted; revocation efforts ongoing.
- All affected certificates (457,911) revoked.