Thousands of SSL certificates have been revoked by domain registrar and hosting firm GoDaddy after it was discovered a bug had led to them being incorrectly issued.
The error, which meant certificates had been issued without the proper checks and authorisation, had been present in the company's code for around six months before being pointed out by a customer.
The issue has now been fixed, the company stated, but the bug allowed 8,850 faulty certificates to be issued prior to its detection. These certificates have now been revoked and the code has been changed to ensure they are not re-issued.
"While we are confident that we have completely resolved the problem, we are watching our system closely to ensure that no more certificates are issued without proper domain validation," said GoDaddy's senior internet product and technology leader, Wayne Thayer. "We will take immediate action and report any further issues if found."
"A full post-mortem review of this incident will occur and steps will be taken to prevent a recurrence, including the addition of automated tests designed to detect this type of scenario. If more information about the cause or impact of this incident becomes available, we will publish updates to this report," he added
The issue stemmed from an error in the validation process, Thayer wrote as part of a post announcing the problem. This error resulted in the verification system returning a positive result, even if it came back with a HTTP 404 status code, rather than the HTTP 200 code which designates a successful check.
"We are currently unaware of any malicious exploitation of this bug to procure a certificate for a domain that was not authorised," Thayer concluded.
