Godaddy security incident

Hanno Böck

Nov 23, 2021, 7:08:40 AM
to dev-secur...@mozilla.org
Hi,

According to this
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
there was a security incident at GoDaddy. Among other things it lists
this:
"• For a subset of active customers, the SSL private key was exposed. We
are in the process of issuing and installing new certificates for those
customers."

This seems relevant for the TLS community and is a bit unclear.
According to the Baseline Requirements, CAs are required to revoke
certificates when they become aware of compromised keys within 24
hours. However, this statement only mentions that they're issuing and
installing new certificates (which from a risk point of view is
irrelevant) and says nothing about revocation.

--
Hanno Böck
https://hboeck.de/

Hanno Böck

Nov 23, 2021, 7:21:22 AM
to dev-secur...@mozilla.org
And I just happened to notice that the webpage of the CA/Browser Forum
has a revoked certificate

Hanno Böck

Nov 23, 2021, 8:22:19 AM
to dev-secur...@mozilla.org
On Tue, 23 Nov 2021 13:21:20 +0100
Hanno Böck <ha...@hboeck.de> wrote:

> And I just happened to notice that the webpage of the CA/Browser Forum
> has a revoked certificate

Sorry, I hit send too early.
I found that the cabforum.org web page has a revoked certificate issued
by Go Daddy. So it seems they did revoke certificates *before* actually
issuing and installing new ones. (Which is an issue for their
customers, but it appears they were in line with the baseline
requirements).

Brittany Randall

Nov 23, 2021, 4:55:18 PM
to dev-secur...@mozilla.org

We wanted to notify the community that the following bug has been filed on the Mozilla bug list: https://bugzilla.mozilla.org/show_bug.cgi?id=1742657

We will be monitoring the bug for any questions and comments from the community. We will be posting a full incident in the coming week and continuing to provide updates as available.

Best,

Brittany Randall

Alex Cohn

Nov 23, 2021, 5:47:02 PM
to Hanno Böck, dev-secur...@mozilla.org
Further weirdness: the cert currently used by cabforum.org
(https://crt.sh/?sha256=d5aa2ab2b13bcc157931cf5a779bdad694c4a9e26b35f02d2699191d153d8e3c) was
revoked today with reason keyCompromise but was also only issued
2021-11-20, which is three days after GoDaddy discovered the
unauthorized access
(https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm).

The previous cert for cabforum.org
(https://crt.sh/?sha256=2eaf96b667ce8d42c4618b6766361179cf31a464a63832d82d19da8ea819d22c)
was revoked 2021-11-20.

Did GoDaddy start to reissue certs and then discover they hadn't fully
closed attackers' access to their systems?

Alex

Brittany Randall

Nov 23, 2021, 6:04:11 PM
to dev-secur...@mozilla.org, Alex Cohn, dev-secur...@mozilla.org, ha...@hboeck.de

Alex - thanks for the question. 

No, we can confirm that our systems are still secure and this revocation had nothing to do with unauthorized access to our systems.

We will provide additional details in our formal incident report at bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1742657

Best,

Brittany Randall