GoDaddy, one of the world’s largest domain registrars and certificate authorities, revoked almost 9,000 SSL certificates this week after it learned that its domain validation system has had a serious bug for the past five months.
The bug was the result of a routine code change made on July 29 to the system used to validate domain ownership before a certificate is issued. As a result, the system might have validated some domains when it shouldn’t have, opening the possibility of abuse.
Industry rules call for certificate authorities (CAs) to check if the person requesting a certificate for a domain has control over that domain. This can be done in a variety of ways, including by asking the applicant to make an agreed-upon change to the website using that domain.