A flaw in GoDaddy’s code meant that nearly 9,000 SSL certificates have had to be revoked. Any website affected by the issue will still have working HTTPS encryption, even if the GoDaddy-issued certificate is revoked. However, visitors to the website might see error messages or warnings in their browser until a new certificate is installed. IT security experts from Venafi commented below.
Kevin Bocek, Chief Cybersecurity Strategist at Venafi:
“Unfortunately, this is not an isolated incident for the CA industry: Recently, an error by GlobalSign locked out traffic to their customers’ websites for days and Symantec discovered to be issuing unauthorized certificates. Trust in digital certificates enables the global economy and impacts every Internet user, business, and government but businesses rely on manual methods to manage them. To protect your business you must know the location of every certificates in use and be able to replace any of them instantly. As the use of cloud, mobile, and IoT devices drives an explosion in demand for digital certificates businesses need to be prepared to respond to an increase in errors and security compromises from certificate authorities.”
Tim Bedard, Director of Digital Trust Analytics at Venafi:
“This problem foreshadows much larger certificate authority issues on the horizon for every organisation. I wonder if this is public evidence of a larger DevOps and FastIT issue? We know it’s tough for organisations to meet DevOps SLA’s and be secure at the same time. As a result many organisation take shortcuts with certificates in their DevOps development, test and production. It’s entirely possible that time pressures introduced this security certificate vulnerability.
Organisations often don’t have the visibility they need to solve problems like this and as a result, they cannot respond in a timely fashion. Quite often, they can’t revoke and replace faulty certificates quickly. In fact, most organisations replace certificates manually, one at a time – a process that is insecure, lengthy and resource intensive. Security issues like this negatively impact any business with an online presence, and the weaker their cryptographic risk posture is, the greater the negative impact.”