c*********e Posts: 16335 | 1
Thousands of bogus certs issued after GoDaddy bug blunder
Flaw unnoticed since July last year.
Domain name registrar and hosting firm GoDaddy has been forced to revoke
thousands of digital certificates this week, after a bug allowed them to be
issued without proper validation.
GoDaddy senior internet product and technology leader Wayne Thayer wrote
that the company had been made aware of a flaw affecting its domain
validation processing system over last weekend.
The bug was introduced to GoDaddy's validation code back on July 30 last
year, meaning a large number of digital certificates were subsequently
issued without proper checks, Thayer admitted.
The bug was discovered by a Microsoft customer, who emailed GoDaddy about
the issue last weekend.
Thayer said the bug was caused by the validation process completing
successfully even if the control check returned an HTTP 404 not found status
code, when looking for the presence of data on a web page that demonstrated
a customer controlled a domain.
Prior to the bug being introduced in July, the domain validation process
would only complete if it received an HTTP 200 (success) code.
In total, Thayer said, 8850 certificates were issued without proper domain
validation.
In the time it took for GoDaddy to investigate the bug, the number of
problematic certificates went up to 8951 as a further 101 certificates were
issued using cached and potentially unverified domain validation
information, Thayer said.
GoDaddy has started revoking the affected certificates. Thayer said GoDaddy
is not aware of "any malicious exploitation of this bug to procure a
certificate for a domain that was not authorised."
http://www.itnews.com.au/news/thousands-of-bogus-certs-issued-after-godaddy-bug-blunder-447178
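The status-code condition described in the article, as an added example that is not part of the original post and is not GoDaddy's code: a check that only looks for the token in the response body is compared with one that requires HTTP 200 first. The `Response` type, function names, token value and sample responses are all constructed for illustration, and the exact-body match is an extra hardening assumption beyond what the article states.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed type)."""
    status: int
    body: str


def flawed_check(resp: Response, token: str) -> bool:
    # Behaviour the article describes: the status code is never consulted,
    # so a 404 page that happens to contain the token still passes.
    return token in resp.body


def strict_check(resp: Response, token: str) -> bool:
    # Pre-bug behaviour per the article: only HTTP 200 may complete validation.
    if resp.status != 200:
        return False
    # Assumption: the validation file holds the token and nothing else.
    return hmac.compare_digest(resp.body.strip().encode(), token.encode())


TOKEN = "dcv-7f3a9c1e"  # constructed sample value

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "200 token file": Response(200, TOKEN + "\n"),
    "404 page containing token": Response(404, f"<h1>Not Found</h1><p>/{TOKEN}.html</p>"),
    "200 unrelated page": Response(200, "<html>Welcome</html>"),
    "200 page merely containing token": Response(200, f"<html>{TOKEN}</html>"),
}


def evaluate() -> dict:
    """Return {sample name: (flawed result, strict result)}."""
    return {name: (flawed_check(r, TOKEN), strict_check(r, TOKEN))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flawed, strict) in evaluate().items():
        print(f"{name:34} flawed={flawed!s:5} strict={strict}")
```

A regression test that pins the non-200 cases to a failed validation is the kind of check that would have flagged the change when it was introduced.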