GoDaddy revokes nearly 9,000 SSL certificates issued without proper validation

From InfoWorld: GoDaddy, one of the world’s largest domain registrars and certificate authorities, revoked almost 9,000 SSL certificates this week after it learned that its domain validation system has had a serious bug for the past five months.

The bug was the result of a routine code change made on July 29 to the system used to validate domain ownership before a certificate is issued. As a result, the system might have validated some domains when it shouldn’t have, opening the possibility of abuse.

Industry rules call for certificate authorities to check if the person requesting a certificate for a domain actually has control over that domain. This can be done in a variety of ways, including by asking the applicant to make an agreed-upon change to the website using that domain.

Some CAs ask certificate applicants to create a publicly accessible file with a unique code or token on their web server at a predetermined location. In GoDaddy’s case, the company asked applicants to place a file with the name <code>.html—where the code is a unique random alphanumeric one—in their web server’s root folder.

Prior to the introduction of the bug, the CA’s automated domain validation system tried to access this agreed-upon file on the applicant’s web server via HTTP or HTTPS. If the server responded with HTTP status code 200 (success) the validation tool looked for the code inside the response body and validated the domain.
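As an added illustration, not part of the InfoWorld article or of GoDaddy's own validation code, the file-based check described above written as a Python function that runs against an offline stand-in for the HTTP client; the domain applicant.example, the token value and the canned server responses are constructed, and the check requires both the 200 status and the token in the body before it validates.

```python
import re
import secrets
from typing import Callable, Dict, Tuple

# Constructed token format: random alphanumeric, as the article describes.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,64}")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status code, body)


def new_token(length: int = 32) -> str:
    """Issue a fresh random token for one validation attempt."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def validate_domain(domain: str, token: str, fetch: Fetcher) -> bool:
    """Return True only if <token>.html is served from the site root with
    HTTP 200 and the response body contains the token.

    Both conditions matter: an error page that echoes the requested path
    would also contain the token, so a body match without the status
    check is not evidence that the applicant controls the server.
    """
    if not TOKEN_RE.fullmatch(token):
        return False
    for scheme in ("https", "http"):
        try:
            status, body = fetch(f"{scheme}://{domain}/{token}.html")
        except OSError:
            continue  # unreachable over this scheme, try the next one
        if status == 200 and token in body:
            return True
    return False


def make_fetcher(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build an offline stand-in for an HTTP client from canned responses."""
    def fetch(url: str) -> Tuple[int, str]:
        if url not in responses:
            raise OSError(f"no route to {url}")
        return responses[url]
    return fetch


# Constructed scenarios for applicant.example (not a real site).
TOKEN = "k7Qm2pXz9LwB4nRt8cVd6yHs1aJf3gEu"
APPLICANT_OK = make_fetcher({
    f"https://applicant.example/{TOKEN}.html": (200, TOKEN + "\n"),
})
# Same host without the file; its 404 page echoes the requested URL.
APPLICANT_ECHO_404 = make_fetcher({
    f"https://applicant.example/{TOKEN}.html":
        (404, f"<h1>Not found: /{TOKEN}.html</h1>"),
})
```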
