Web hosting service provider and domain registrar GoDaddy failed to meet a strict 24-hour deadline to revoke digital certificates compromised in a November hack, taking 14 days instead to cancel them.
Last month, GoDaddy discovered that an unauthorised third party had accessed its managed WordPress hosting environment, with the attacker using a compromised password for it.
The unauthorised access led to 457,911 private keys for users' digital certificates being compromised, along with email addresses and other sensitive data.
"Even Let's Encrypt, the non-commercial CA that makes no profit, has prepared for such incidents where huge demand can be placed on them in a 24 hour period: https://t.co/cuRe8CD6At" (Scott Helme, @Scott_Helme, December 10, 2021)
GoDaddy is required to act fast in such situations, and cancel compromised certificates in 24 hours.
However, a post-mortem of the incident showed that only 17,300 certificates were revoked three days later (November 20).
It took GoDaddy another 10 days (until November 30) to revoke all the compromised certificates.
In the process, GoDaddy accidentally revoked up to 125,000 rotated certificates due to an "administrative error", and had to pause the cancellation process to reissue them to minimise customer impact.
GoDaddy blamed the delay on having to remediate its managed WordPress hosting environment prior to certificate revocation.
The domain registrar also said its systems were not "able to scale as needed" to handle over 400,000 certificate revocations.
Even if nothing had gone wrong, it would have taken GoDaddy over 50 hours to complete the revocation process.
GoDaddy said it will review the incident, which it has described as serious, and add more nodes to its existing infrastructure to speed up revocation processing.