Thousands of bogus certs issued after GoDaddy bug blunder

Domain name registrar and hosting firm GoDaddy has been forced to revoke thousands of digital certificates this week, after a bug allowed them to be issued without proper validation.

GoDaddy senior internet product and technology leader Wayne Thayer wrote that the company had been made aware of a flaw affecting its domain validation processing system over last weekend.

The bug was introduced to GoDaddy's validation code back in July 30 last year, meaning a large number of digital certificates were subsequently issued without proper checks, Thayer admitted.

The bug was discovered by a Microsoft customer, who emailed GoDaddy about the issue last weekend.

Thayer said the bug was caused by the validation process completing succesfully even if the control check returned a HTTP 404 not found status code, when looking for the presence of data on a web page that demonstrated a customer controlled a domain.

Prior to the bug being introduced in July, the domain validation process would only complete if it received a HTTP 200 (success) code.

In total, Thayer said, 8850 certificates were issued without proper domain validation.

In the time it took for GoDaddy to investigate the bug, the number of problematic certificates went up to 8951 as a further 101 certificates were issued using cached and potentially unverified domain validation inforrmation, Thayer said.

GoDaddy has started revoking the affected certificates. Thayer said GoDaddy is not aware of "any malicious exploitation of this bug to procure a certificate for a domain that was not authorised."