GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: star, Assigned: star)
Details
(Whiteboard: [ca-compliance] [dv-misissuance] [ov-misissuance] [ev-misissuance])
Preliminary Incident Report
Summary
On 6/23/2024, GoDaddy received a certificate problem report alerting us to potential concerns with CAA checking. As a result of the certificate problem report investigation, GoDaddy identified a software bug in the CAA process which allowed CAA validation to pass when CAA record values contained variants of the terms 'godaddy.com' or 'starfieldtech.com' rather than the matching the exact term which does not conform to the syntax of ‘issuer-domain-name’ as defined in RFC 8659, section 4.2. Non-conformance with RFC 8659 is a violation of the Baseline Requirements for the Issuance and Management of Publicly -Trusted TLS Server Certificates, section 3.2.2.8, which states "CA MUST retrieve and process CAA records in accordance with RFC 8659 for each dNSName in the subjectAltName extension."
A full incident report will be published by Friday, 7/5/2024.
Updated•5 months ago
|
Comment 1•5 months ago
|
||
We observed and reported this bug alongside bug 1904748 as part of a regular scanning of CT logs and checking CAA records for all SANs in published certificates.
Observation
GoDaddy accepts values that contain godaddy
(case insensitive) as issuer-domain-name even if it doesn't conform to the syntax described in RFC 8659 or it differs from the valid domain names specific in GoDaddy/Starfield CPS (i.e., godaddy.com
, starfieldtech.com
).
Examples
Certificate Digest | SAN | CAA |
---|---|---|
9bf16ef6e33cfaf1d80ebf526bc3907fb98ee120 |
[sbc.capstarsolutions.com, www.sbc.capstarsolutions.com ] |
{"issue":["comodoca.com","digicert.com; cansignhttpexchanges=yes", "issuedomainname:godaddy.com", "letsencrypt.org", "pki.goog; cansignhttpexchanges=yes"], "issuewild":["comodoca.com", "digicert.com; cansignhttpexchanges=yes", "letsencrypt.org", "pki.goog; cansignhttpexchanges=yes"]} |
3567f7db4b5e71de6bba9beb86f9d6f9807e02e5 |
[*.canadianfeedthechildren.ca, canadianfeedthechildren.ca] |
{"issue":["comodoca.com", "digicert.com; cansignhttpexchanges=yes", "letsencrypt.org","pki.goog; cansignhttpexchanges=yes"], "issuewild":["comodoca.com", "digicert.com; cansignhttpexchanges=yes", "https://www.godaddy.com/" , "letsencrypt.org", "pki.goog; cansignhttpexchanges=yes"]} |
f6e4ca5d613f2875e9567ffc31b4fc77c68edb36 |
[*.cito.borngroup.com, cito.borngroup.com] |
{"issue":[ "GoDaddy" , "comodoca.com", "digicert.com; cansignhttpexchanges=yes", "letsencrypt.org", "pki.goog; cansignhttpexchanges=yes"], "issuewild":[ "GoDaddy" , "comodoca.com", "digicert.com; cansignhttpexchanges=yes", "letsencrypt.org", "pki.goog; cansignhttpexchanges=yes"]} |
- In the first two examples the value contains valid
godaddy.com
identifier, yet it does not conform to the issuer-domain-name syntax. - Second example is also related to bug 1904748 as it includes both FQDN and wildcard, yet GoDaddy is mentioned only in
issuewild
. - Last example only lists
GoDaddy
as value and does not conform to identifiers defined in CPS
Assignee | ||
Comment 2•5 months ago
|
||
Incident Report
Summary
GoDaddy and Starfield certificates were issued when CAA records contained, in some variation, the term 'godaddy.com' or ‘starfieldtech.com’ but they did not conform to the syntax of issuer-domain-name as defined in RFC 8659:
https://www.rfc-editor.org/rfc/rfc8659#name-caa-issue-property
For example, if a certificate was requested for site.com and where the relevant CAA record is as follows:
site.com. 3600 IN CAA 0 issue "issuedomainname:godaddy.com"
a godaddy.com certificate would still be issued for the FQDN (site.com). The value above (issuedomainname:godaddy.com) is neither a valid domain name, nor is it mentioned as a valid identifier in the GoDaddy CP/CPS documents.
Impact
During the incident, we identified 168 active certificates (DV 164, OV 3, EV 1) that had this problem. We determined that the first mis-issuance happened on 2017-09-23 and the last one was on 2024-06-22. During this period there were an additional 793 certificates which would have required revocation if they had not already been revoked or expired. During the same time period we issued approximately 124.3M certificates overall. The code fix was deployed on 2024-06-26.
On 2024-06-28, we revoked 168 active certificates for this issue (see Appendix for detailed listing)
Timeline
All times are UTC.
2013-01-01 00:00 - RFC 6844 defining CAA is published
2015-01-15 00:00 - GoDaddy publishes CP/CPS 3.6 explaining in section 4.1.1 that CAA records are currently not checked under RFC 6844, but may be checked in the future
2017-08-09 00:42 - GoDaddy deploys CAA logic into main application
2017-08-15 00:00 - GoDaddy publishes CP/CPS 3.12 and details how CAA records are checked in Section 4.1.1
2017-09-08 00:00 - CAB Forum Releases TLS BR 1.5.8 which specifies CAs must check for CAA Records in section 3.2.2.8
2017-09-26 11:31 - GoDaddy issues first certificate with improper check of CAA record syntax (Serial: fa632daaf9892853)
2019-08-27 07:53 – GoDaddy refactors elements of CAA checking functionality into a microservice
2019-11-01 00:00 - RFC 8659 published, which included some clarifications to RFC 6844
2024-06-22 03:05 – GoDaddy issues last certificate with syntax problem (Serial: 217a29e4a8f3f638)
2024-06-23 13:54 - GoDaddy receives CPR email
2024-06-23 16:23 – GoDaddy Registration Authority (RA) Administrator notates the email/ticket as an CPR concerning CAA records and requests supervisor support.
2024-06-23 16:44 – GoDaddy RA Supervisor contacts the PKI Development Team alerting to possible TLS BR violations
2024-06-23 17:24 – GoDaddy responds to CPR reporter, providing update of investigation starting based on the provided information.
2024-06-24 15:08 – GoDaddy PKI Development Team starts reviewing issue and impact
2024-06-24 18:46 - GoDaddy PKI Development Team completes review and confirms the issue raised is a valid compliance issue
2024-06-24 19:59 – GoDaddy PKI Development Team presents preliminary findings confirming the presence of the bug identified in the CPR
2024-06-24 22:00 – GoDaddy PKI Leadership meets and assigns tasks for response and remediation
2024-06-25 00:23 – GoDaddy contacts customers whose certificates appeared in the examples provided in the CPR about pending revocation and steps to update CAA records to permit issuance
2024-06-25 16:16 – GoDaddy runs initial queries to identify potentially affected certificates
2024-06-26 02:14 – GoDaddy creates bug PRB1904749 and posts a Preliminary Incident Report to BugZilla
2024-06-26 18:31 – GoDaddy deploys fix to production
2024-06-27 20:28 – GoDaddy confirms final list of problematic active (see appendix below)
2024-06-28 03:51 - GoDaddy begins contacting customers whose certificates were identified during investigation via email and/or phone to inform them of pending revocations
2024-06-28 12:00 – GoDaddy revokes problematic certificates reported in the CPR (within 5 days of receipt of the CPR from 2024-06-23)
2024-06-28 22:08 – GoDaddy revokes problematic certificates surfaced during investigation (within 5 days of confirming the bug in the system on 2024-06-24 19:59)
- HH:MM Example
Root Cause Analysis
Background
GoDaddy’s original implementation of the CAA record check was written to follow the requirements outlined in RFC 6844 in August 2017. Incremental changes were gradually included for following alias chains, wildcard record searches, enhance DNSSEC checks, etc. over the following months. The logic for handling the CAA record check was later moved to a microservice dedicated solely for this purpose around August 2019 for better distribution of our internal workload. The general algorithm for determining if a CAA record could be used for issuance involved two separate use cases. The first use case stated that if there were no CAA records, the CA was permitted to issue certs of any type (DV, OV, EV) for the domain. This use case was handled properly, and no issues were found with this workflow. The second use case was applied whenever one or more CAA records existed. Each CAA record issuer-domain-name was searched for the CA identifiers “godaddy.com” or “starfieldtech.com” as specified in the CP/CPS. The syntax of the issuer-domain-name search did not apply the formatting rules outlined in RFC 8659 which were later added to RFC 6844. Instead, a more general search for just the CA identifier in the issuer-domain-name was performed. This misinterpretation of 6844 requirements allowed text patterns such as "issuewild:godaddy.com" to be incorrectly evaluated as valid.
Missed Requirement
Misinterpretation of the grammar of the issuer-domain-name field in the original RFC 6844 Section 5.2 and subsequent missed opportunity to reevaluate when clarity was added to RC 8659 Section 4.2 in 2019.
Failure to programmatically enforce the explicit strings as stated in our CP/CPS
Requirement Fix
The bug fix included changes which brought the microservice into compliance with RFC 6844 and 8659. A more detailed CAA issue-value parser based on the ABNF grammar in RFC 8659 in Section 4.2 was added. It will reject values that do not conform to that grammar, such as ‘issuewild:godaddy.com’ . Additional unit tests were also written per RFC requirement which use a broader set of test data and verification checks to ensure compliance.
Deployment
The rollout of the fix was deployed two days before revocation of the affected certs to allow time for verifying the change. CAA record audit data before and after the incident was then analyzed for additional violations using database surfacing queries. No additional violations were found.
Lessons Learned
What went well
Certificate problem reporting process worked. A report was received which included a potential issue and examples and upon investigation specific findings were validated and bugs sourced within 24 hours of receipt.
Our logging of data used in CAA validation processing allowed us to narrow the scope of impacted certificates and having the data available allowed us to identify and respond swiftly.
Issue remediation allowed us the opportunity to enhance the parsing and validation logic to include tokenized evaluation of the issue property values. Ordering of each character is now tested for RFC 8569 compliance.
What didn't go well
RFC 8569 included examples of proper validation and parsing of the issuer-domain-name found in DNS CAA resource records. At the time we did not have a sufficient process to catch the updates in RFC 8569
Where we got lucky
Less than 1% of our customers (~ 338K domains) appear to have non-empty CAA records on their domains. This helped limit the negative effects of the mis-issuance.
GoDaddy DNS has validation checks which prohibit the usage of invalid data in a CAA Resource record. Issuer domain names are checked to ensure they are FQDNs and issuer-domain-name values are checked for RFC 8659 formatting. If these checks were not in place, customers may have been more prone to create invalid entries.
Action Items
| Action Item | Kind | Due Date |
| ----------- | ---- | -------- |
| Add additional unit tests to check CAA records scenarios | Prevent | 2024-06-26 |
| Add synthetic monitor tests to validate our system is correctly detecting CAA records which prevent issuance | Prevent | 2024-10-10 |
Appendix
Details of affected certificates
https://crt.sh?sha256=e8034e9b7586c74ff76a832f43691779f64d08fa07e9c37593287c88751a036b
https://crt.sh?sha256=49f8557f6079f038dfff62620849f297409a96366693df8b144573995081ea8c
https://crt.sh?sha256=c3f20b4590fdee5014db15af9c110b936a6882de8c24111689f5a27dbd6bc0ae
https://crt.sh?sha256=77dfc1f363609556ac658b0c0e883f6362346232717053eec9a277482b9ef7e3
https://crt.sh?sha256=0d1d24fb9e3bf6ea2ea3fb154be39cdef59fda603fd573cfd22d619a9fc77e0e
https://crt.sh?sha256=0fb667c5a34a99a82cebc27b9ff13579ffb299882211ba4e09904f19443f7cc0
https://crt.sh?sha256=091c97560b9bc41c2c43dff89f54ac4d9056c85bddb4ca0d1d0e54d4b40962de
https://crt.sh?sha256=5eb4f50860dd3335e6f67fbebfe63b8ad6060d3e1793aba842ce0e931590a899
https://crt.sh?sha256=9654aae8dd1aa58bc59d97fb4b50f1e74f270a497147de2326c79dfb825ff160
https://crt.sh?sha256=fde66b0aa18bc71b14b3a960a05dd6a614e81ada186c8855e0c6da5e4a9be456
https://crt.sh?sha256=b13a673efbddac33b8aa317b6b2119994e26b449c00f2cc8725a1c0bd2e08aa4
https://crt.sh?sha256=902d30110117d87aea90c541860635e9e51e348f0eb8c19ec67f7f4487c7a649
https://crt.sh?sha256=130decc54ea2436a58320f1d04e7fba58effdabb96098c1d03712fbd79053ce7
https://crt.sh?sha256=9e598388a0f15ece21810dc904ab0a9e68bde02acab1e398de1a57c0496c94bb
https://crt.sh?sha256=b632b355ec86ed08607aac620c4889881f3e2e0bf9de68833d57f7ce2e0275bf
https://crt.sh?sha256=600adc10954f6a8985a3feafbed6f4421f301177ed341245d1235834ee3dc108
https://crt.sh?sha256=e4c246d6ef4ef70dd07967c67d4267f3d8bd8b52ed89bc759c92bef1c55b567b
https://crt.sh?sha256=fa25e2b865c9b193d85e10295080052fe3853464533c37da5d6d60e73bd42ce3
https://crt.sh?sha256=46a29df2c7c5098f42d419c4d0927d67675de71789ed9af38d7d79693a39bc54
https://crt.sh?sha256=82c9da040fffc1827f34cfbffa846c7d21cad34588c2008b40a61bf1912bc680
https://crt.sh?sha256=cd10cd7a2888a9bad4707e642013e271341cdd85f987ff937650d52b04e0bdac
https://crt.sh?sha256=593329fcd911d5f21b565830d67847f38cc2d2ac3b7e24bcae2202561e43b808
https://crt.sh?sha256=dffe6ee47fdea7f610ffd7e632e917353c160a8f67db678a6a2bf6b396f2759a
https://crt.sh?sha256=995e74433468907f2d42280692e110e2578ae6edbb0d8e71a0fcfe1fbaf6c04b
https://crt.sh?sha256=c7f2d9828d52eef5a8922f283cb72c84e6391322b2eb0a4b7f285ec962394c5f
https://crt.sh?sha256=6c7fb7c9a590e72f8a73c304fbe93937a317d2f1ff5b3ac99458fec80ab1f869
https://crt.sh?sha256=37e16efbe0c03e87456fd26f12cd8647067ab4a5903eff477447bfe0c54ff606
https://crt.sh?sha256=18fc0aa00cc24e3f02cdb82d19841cedc096df031da6a13949eb49cbfa3371dd
https://crt.sh?sha256=5dc1662f55ed2656fc6c6e28d2788b6c48f79fb457b118f63b4ee66de4dfd747
https://crt.sh?sha256=5d984b37fade01ec0d2b87f7f788c17ade35f0012ef205761d62e38517b9d979
https://crt.sh?sha256=73a481e2dfe4d591f62515329462b26e4dd42978cc1fe99d69b12234213ef128
https://crt.sh?sha256=bf0c1f44f03b6c154ccde13fe9dc6e69fdcae3db3d64782cd120f9afded42188
https://crt.sh?sha256=26b7e3e45523f360a681472a146fbcf80c8ffe7f72153a9452d87a83111dec43
https://crt.sh?sha256=947b77bc4f63155ff2bf0b880264f499d55f8ff322eab272dcd6709d40aa126f
https://crt.sh?sha256=e8321f96b643cd61a1e64dd93feda5867b3b8a5275d4ac8eac5a734caecff1ac
https://crt.sh?sha256=e948dbd1a80ffb2308297864f3716e240cc8ade3ab3f5be446d04193a34ae869
https://crt.sh?sha256=c862098ba3a54e9e7a78968464efab48fee9033371f071adf49d6a050b5c6790
https://crt.sh?sha256=11da272867a0a534358b65ba46edf13f6399f5ed81718ff759ccc863bbb68fcd
https://crt.sh?sha256=c9ee4831dafb51b6828741a5b823b4e12ce59864f9f50e7c32777359283b82c3
https://crt.sh?sha256=d469d5a4eefd6646d1188469c5d92a05ecb09352e3ec1287d3a256690c13c417
https://crt.sh?sha256=7f318e210ec5b7500d43bb63b7b290a82cf210ce26f6db13f548b553f30c6851
https://crt.sh?sha256=68110f39eeb9ef087a14e56e5db075e33757dd554b7c498d2c975a00b91b4d64
https://crt.sh?sha256=6980586764c1a0991f4be2f4f46ba02f61d2682f3dea6e5aa6c423a9734e910a
https://crt.sh?sha256=ea671a1d882f5a80e0de8b16ef11778b90e4b51b84a2158da9bf192f9a2357fd
https://crt.sh?sha256=d7b73eecf0366a378d98cc10c3b2dfec791c9f1f6cf80f775c4672871027439f
https://crt.sh?sha256=b7bd827842b58f356fdeab133d539062d9dbef15a2b73c9dff43df40bc2be432
https://crt.sh?sha256=dd91bd5e9d986c68a2bfcff6037ba1ab8c98834ea7cd957f8f77f3021c482799
https://crt.sh?sha256=4acb22c77d364d896d0dc357530d3b1d3120ee56838b504699e1928f46d8c28d
https://crt.sh?sha256=5fa157ca89e9e685cd4824a2c9337f005ba3750b43cc95da78cf2d33bef8cd49
https://crt.sh?sha256=3b046f3ce5c8450a0f40baa7543501cb16e40d0bd1ed58443eda262161c7aba1
https://crt.sh?sha256=30f3469df54a6823675b515165177617c79a1eeaefda80319c3bbcb9f2c83c5e
https://crt.sh?sha256=14653a5cb55de78cf43c08a02bb9889189a5f070b84fe49e06c0be0652c6a9e9
https://crt.sh?sha256=e5c8b15c803f2c25386b6c7026deb00a0ff0ba3c2af27724ea37876862d04126
https://crt.sh?sha256=cb08a8033238d01654fb1b5a87a1d156cc74fc1ceea00e8f85b682c6852f7996
https://crt.sh?sha256=7e7ed72c1e5f19a38aababea5f713b234f23819f1736087faf11e4e1a5ab00dc
https://crt.sh?sha256=33b4ed361ef0fbe892b1b77d0a877b311a96a6be4316f643520d6ed27141b346
https://crt.sh?sha256=112fdc8ab9e542518d0d1e05ec704fbafee1b9fb1dd13a75e7f8fff3f241b718
https://crt.sh?sha256=7568919fd7891bf65d859d81694910e470124367504ec3f45329bb5ac73ca8f5
https://crt.sh?sha256=a84693394e6f11335220c616b3d769845e2142040ada8d25f227c4b7719db83f
https://crt.sh?sha256=7535c17accabb554365e41a3532b4f7301f8445801b91336cb6907918a8758c2
https://crt.sh?sha256=e44336357d7ea96da329b15f9c8900e414cdf3e778e94e3bf14a295e968486f7
https://crt.sh?sha256=41f60acb846f0fe085c5f21dae46bb655e34bfab0296f9d88cd27db306458097
https://crt.sh?sha256=35a7bf2674273885604410dd5dfed339da30cd3ec1d08be2ff8b99ec7b1f35ff
https://crt.sh?sha256=4fdbeae4cac60a48948ed17781c452c806a8c9a97ff9ccac17ca03e909e025ac
https://crt.sh?sha256=45c081adf4b3ac3468d68256a756fb25fd34fc06951bd39ebf01c1f3b99bf5ac
https://crt.sh?sha256=0d410432d73f498006e52e6aed2b555b98826a202480f74280933378655bb2bf
https://crt.sh?sha256=df2930459bcb24bad642252160d7b1e1780efd47187810fe8c15a4f5fcad470d
https://crt.sh?sha256=d4e478ed200ed239e2b1dd3bf423cfbd2bbf9add01c9035254eee7c7233e5920
https://crt.sh?sha256=73f03d9f512384f68cfe09c61f96184acdb7549e08a3538763fd3bed0cefa4f6
https://crt.sh?sha256=b8ab0705d2818b17ba54cc87b2f82493a488efa4623be30579738f2776bb008f
https://crt.sh?sha256=8e4078bcb9ba98fec251696add46c44c16be5712bce400860ac8feff140b28db
https://crt.sh?sha256=dc82fec4ec63a285595b62118d82c38ef9aa4314f84b030d6165ab4e081f5b8b
https://crt.sh?sha256=aed088d143649491c16be06a96364c092e9e301e2891e4bdcd509e72d9333b80
https://crt.sh?sha256=f9706b8db85a47a2d52344938382e0fae8d811f40c34b3f0f39f36e85ff4402e
https://crt.sh?sha256=7fbde07c6f4cfa2fcf548bfc26ae15adbab1084ff937476ad19e09cf0a87f4c5
https://crt.sh?sha256=cd6f020676cb2d8df0d84586a9970fa48a7872a0883deeb67d9a5606c017f6ac
https://crt.sh?sha256=52c432fcfdafa33a847ac77ba4360738e537d534f6c61ee09e920787e48f09f2
https://crt.sh?sha256=700e7bd52951ba7edea80911617f20d0b62f78235d6a0c0f59a4318e2a222206
https://crt.sh?sha256=7b1a7f0cd3d5ae1bf886b9bd299b26406328a2b0ea675878e0eb220c3bc07f07
https://crt.sh?sha256=d5684819a082501ecf2afe46e438b107fdf6e99da6f51f02bbb15f1021dbd479
https://crt.sh?sha256=96b7461d62787e418a0f2f49a4605a76d749f1068faa24da540402a713055c36
https://crt.sh?sha256=05d5e4c12c3d22e902df8b55cb0cef13b69ad425b9b00502e61bd9aa70b26a27
https://crt.sh?sha256=0ae35b7b4bf42d3e7c180d2453f269340a47f49e5e3d981ff9b65c6021e7085d
https://crt.sh?sha256=18fcd6d5d2cd01be1c09eed60d8c8201b04020c99485aff43fb126d1e211c4b4
https://crt.sh?sha256=cc7a279728a3b52ac8db59444e4d7d9f7b6cdc8cf067b2a3217052a4c564470e
https://crt.sh?sha256=8fab677801b02d4317f072021cea8304d720c71f552cee75a414dac78278e8f3
https://crt.sh?sha256=7f31347a9d494abeb91db79fa7ce2fabfc1fa0d89b9ed38a544bd5453c46ea62
https://crt.sh?sha256=6f1ebdd5885f25d0e028ed0bd988b4936834594287f8ae4ccd636466f691f97d
https://crt.sh?sha256=6c6e66df4392f8996afeabdc5fb66300455a7afcffee31fd7d7c4693672c40a4
https://crt.sh?sha256=107bff9bcec216211afde639eb6dc22dedde39576d6eac93b7ad2fabb878a8c8
https://crt.sh?sha256=7455655061921dd28241da8c8205b3a68e55018b2e2ce1f209fb417727f667cc
https://crt.sh?sha256=e519c530c83d58c2092819f2cff3a211a5bbf12c454c1118870721acfea85fde
https://crt.sh?sha256=a0d1a7671de39068ec802ba54a7873812cf7b6522372113af7d790188a7340a9
https://crt.sh?sha256=e01bf8f8d9310726e28788ccf31f621f7da800324a6fa220d787262ce5e730b3
https://crt.sh?sha256=354459b25a8f9d67dd72486668a8906595f4dfc86c8e562f85b7b189c5c0056d
https://crt.sh?sha256=568ec92ff7a868305db87097e30d53df9f1f029d7842bc07048aab6df6410f77
https://crt.sh?sha256=c9f70f8f55c523fb3560b18d594a46dff78be26f1ace22442614676957e0d2ac
https://crt.sh?sha256=03511cb2dd8085d41f069c97eddbab9659ed890eaa99ce747b218ebff4fbcbfc
https://crt.sh?sha256=71d2d310b0c14e0f47c624381b4ea3f247fc6808db68f4bb36620876bb574eb4
https://crt.sh?sha256=740d45fb8c395dcadecfd4491c6e1a1bed9cb5b89c19541cba38f908ea957b77
https://crt.sh?sha256=9ccd280c7dfc8fa64f63c33c3f5fe0d1b65cd181785574d93392546fa89330d6
https://crt.sh?sha256=da6d18719c2770e638e586d0bf127201529d43d3dac1f9341b229a1291356e78
https://crt.sh?sha256=456abaa1ce1003ccbe9d2e4e7d330bb1d56e1721a078a2a3f2d703e9c461f9b7
https://crt.sh?sha256=d244e19e76a132f8837eef6546df6875925a9a6ee980cfaf664919f36fcde82c
https://crt.sh?sha256=538a22df4da06b3116333c0692bd5f01a9f23d7a3f449494ac9de949cf391a2c
https://crt.sh?sha256=f8830e186e9abf0dbf4fdedf55847f35a228d376a5781b22b90a8d3f5039ef62
https://crt.sh?sha256=65357f9651e6a9c542180f1b8cd6dac5ca506b7f8c41bb002314d60321637b9b
https://crt.sh?sha256=a6145145bd42ebe2612565691e372684e476b4c93d7b34224efa52e2b24e8d42
https://crt.sh?sha256=6d0be08f16bbbdfbe64c690b09decce9a26db8585f89db628e03fdb360ddeed5
https://crt.sh?sha256=b71c9bbf519efe5a4424ec466bca0c4362e67629905e66e8a913032dd7410ab5
https://crt.sh?sha256=8ad27fdd86cbf4f983e1d8a95838fd2062acc603826f1a0831ffd2c5a69ff498
https://crt.sh?sha256=ab828da0b130ec7e68264d989f0596c5e837cc7661e05650abc8c17f1ed68be7
https://crt.sh?sha256=e1c1b1698cd611e0a0afc5060f910ae5d8c14ad1bf7cdc298e4b170d6e0e9d05
https://crt.sh?sha256=36877011294ed8874bfcf06aa430e536540292044935bb414b615693af222ab6
https://crt.sh?sha256=2d81c7a44b8ea58b3d63d1ca397ca29e930674c833afc0dea2048a7cdc66aee9
https://crt.sh?sha256=851a3c4c83806b3974c73abb9d898f1a191c75ebf723b3a58b68dc6f5003f867
https://crt.sh?sha256=f54153d590b359fccd4b3bd10947464ebdc4651ea0e84e04b4ae0a774fbe990a
https://crt.sh?sha256=e48f749bd5992e316ff8efb6d2e36f8a6c9ff1ef4fc0179ee2a7267980b442eb
https://crt.sh?sha256=f29d24b3969e19368e8e90681c9d3f5a8bfd45ba852278e697f26ed7133a72b4
https://crt.sh?sha256=8b3412373662a7702c91a4eff1a8d4f3849ac00b7f5dcc7668ee11412e74fe76
https://crt.sh?sha256=7a5dd6992d95eba196f283beb7e21ba0bdedb23ab99270894d74e583041dba0f
https://crt.sh?sha256=cbd701360917f2eff5609a2eb0c2680f6114f1fc2b8a809b2ba31d2ab231158f
https://crt.sh?sha256=0411e3c0582245321928f4533f6176d44ce08f4e2a0c57f370bb8ce7992b7f01
https://crt.sh?sha256=41838aff738c0354678a1db473d9f30f1149d6ee0a451947d3170bacb70f3ae9
https://crt.sh?sha256=aeeb0c9db36f377c92268feae1622723a19864f12691d9324bbf97b6a7a68921
https://crt.sh?sha256=3eb765e92cadef1f9646f4b3958c41a40395716fe1adeb22d399f9c3c701d323
https://crt.sh?sha256=3e38e3c31bca144c5970d669db6b52097500d5f3f9f8cdd90b831d8166862bdc
https://crt.sh?sha256=c51fbecbb80866e43b2af19a7bc54b9f8f07def264b9428355eef8d21bd84286
https://crt.sh?sha256=6e8dce351bf4dd0b0dfc1e313c177fc7a074f97e864498ae581162d58ae06383
https://crt.sh?sha256=94198458c8f5735bbf8383d7b8daf1383d8a28fe499fe21dd1670e856e068f4b
https://crt.sh?sha256=c678af16c43e80210cbc2d338c4d238a16a3bf2ae6171098f628aacc66876e17
https://crt.sh?sha256=b20b7b04e66590a88ec7522aecb0c2020ec3eaa10e68800f06fb4671222d0541
https://crt.sh?sha256=db334480eafa3bb897baca7d4852296dc7d22a19c625354aea1c512d0d9772da
https://crt.sh?sha256=86524466092d24b43ea08310d1d1e8b85d1d1d3ce2f9bcd6d78df5cb2680ae29
https://crt.sh?sha256=3541cb0a01525920299ff2881bd1c42695bb5b409ee465eed4a76698c4e128a6
https://crt.sh?sha256=6650e8ac7927f71ce0ecc6daed818d5bef42478e35729262630cac8f60831f32
https://crt.sh?sha256=22370c4a69917b5dc3960344bc3ad78f241cc6f43ddd8ef7874c4a814fae855c
https://crt.sh?sha256=486340a08374c16b5ccb5627efea071da0cb6afde487e1f53fe1f62d0ad73f1b
https://crt.sh?sha256=315816e421e25158c29920368653a6ed865c8b670adc100a23dad3db4617765d
https://crt.sh?sha256=96762f0a9e97822ce5eb2a7fbfe9316c297c2fd41feb834ed3bcbd8f2181214d
https://crt.sh?sha256=d37d5e58c835ff3238ca1405c2b653ce341f4332ca91977d676007f073438a6c
https://crt.sh?sha256=6a58fdc587d32c46909acc0e469a0007bd4764199d3d59ceca432c0eca2583c5
https://crt.sh?sha256=e419d0985b8448920e183cabe8b324e583972328ebca6f3d61c7fa7742106cf7
https://crt.sh?sha256=d32c60d91f15d6fe8ff32530c11eabe479961b7ad562adf3a04f1b963c9f4262
https://crt.sh?sha256=057f58709ad6ca6d7e0bc7c583a696bef01b0919f99f0a8c6201ed333d10ee62
https://crt.sh?sha256=0ed7404a36b590634106feac8d49bc81d6e5acf5069fd991f2307df3b771e213
https://crt.sh?sha256=f0e99bfdde7d3d618f21840816fe07496bb92f936174f69a9d710f71e8937b42
https://crt.sh?sha256=0f11b9fbaa8efd7ae6f5d3d5175aa642810dda4eb0aa2e2680f46485946380f7
https://crt.sh?sha256=787803c4f352f44f45dd353f3bac83a85509589f986e805989b6cf11f769f155
https://crt.sh?sha256=a675b07ea1f8b1a090fe5d67d304eb76a02acb17832851dad62814db99f69b9a
https://crt.sh?sha256=0178fbfc71dc39d37d4df518b8ae354cfae951289f8840b5167dd3a0735d62ad
https://crt.sh?sha256=59377ab3c18cb3e76c8914432dc8ba383f994a01c604b02da5af517afaf6f135
https://crt.sh?sha256=5734b8a03a6058d00d91a3ebee8e527ac62000786cae022430e710971cb803b2
https://crt.sh?sha256=a8301fccc04005c0e5c43d04da3c32d29fdeaafc77692b9999004eb9986b6dfc
https://crt.sh?sha256=5b0dd16bd0334f2a32e83f72e79187517b00a891436b4383964beeb78fbb454c
https://crt.sh?sha256=66d390b2fbd6c1cea54a88dc6bef688fbebdabb716918d8228aaff4fcb283931
https://crt.sh?sha256=ab5677f55d7e21a4f74ba62240b8fd3e870c05740b8616407389349ce1d3bf38
https://crt.sh?sha256=ddf446b92be71c1b326e53ea3d5e5cd0873b6061df2070ef17b6768e26866e53
https://crt.sh?sha256=26e593333aa70ca3cf7924bdc174f48d33dd08dde9e494a254df96d1aa17bc28
https://crt.sh?sha256=d3ad83aa2be020c94bcf4db63daeee035b219fda84698e92ff810c797dd5679f
https://crt.sh?sha256=3da1f0ec1849b43597df8d16ed1b091e7fe0b9fe554b41103a26a88007e523c2
https://crt.sh?sha256=2d30333b2461bc289874087202d69beab0265137b29cc615e98819fa317c53d4
https://crt.sh?sha256=ae20f3c3dd3168899fa1729e95b977ab5cc84bb74ea48350a527861b9409b0fd
https://crt.sh?sha256=3797e30849353e2149f455ff539656a0cd55cb58f434d7ca44735cc4defc8de1
https://crt.sh?sha256=897d3c2f8013a9ab113fdbccd0a44c78b04d3c8a43ea8c3894497bee7fb2fc3b
https://crt.sh?sha256=e2a98c42230f2a447f173cb802ac62141c6da39e2493e07099336b26eb9b760c
https://crt.sh?sha256=b2011ac5f8879a97d289f2a477921b738d38294b4ba61e672fa5ad4058367585
https://crt.sh?sha256=8fa3d2b186c7a67b8968ab6fdf047bd39650748aea5783559e63f8b86d9b2cb1
Did GoDaddy at any point stop issuance? The Impact and Timeline sections implies issuance continued despite full knowledge of the issue.
Comment 4•5 months ago
|
||
We also observed cases, where issue
or issuewild
value was not even a domain name (see f6e4ca5d613f2875e9567ffc31b4fc77c68edb36
in table above).
Since you didn't mention that case, I was wondering if your algorithm also accepted patterns including only variations of godaddy
(w/o .com
label)?
Assignee | ||
Comment 5•5 months ago
|
||
(In reply to Wayne from comment #3)
Did GoDaddy at any point stop issuance? The Impact and Timeline sections implies issuance continued despite full knowledge of the issue.
Thank you for your question. No – we did not stop issuance. Once we isolated the bug, we focused efforts on the bug fix and subsequently helping affected customers through the rekey process in a compressed time window. We were confident in our ability to expeditiously identify and revoke any that may have been issued between the time we confirmed the bug and the time the bug was fixed. In addition, our investigation determined that this specific issue was extremely rare and that it was likely a very limited number or zero certificates would be affected between the time we confirmed the issue and applied the fix. Our assessment was, in fact, correct as no certificates were affected after the issue was confirmed. We elected to continue issuing certificates during this period, because stopping issuance would have been extremely impactful and disruptive to our customers whose certificates were not affected. Ultimately, we selected the path that would result in the least disruption, while still being compliant with the requirements of the BRs and our CP/CPS.
Assignee | ||
Comment 6•5 months ago
|
||
(In reply to Pouyan Fotouhi Tehrani from comment #4)
We also observed cases, where
issue
orissuewild
value was not even a domain name (seef6e4ca5d613f2875e9567ffc31b4fc77c68edb36
in table above).Since you didn't mention that case, I was wondering if your algorithm also accepted patterns including only variations of
godaddy
(w/o.com
label)?
Thank you for the question. It did not accept variations without the .com label. The bug in our code was looking for a full string of godaddy.com or starfield.com, but was looking for a “contains” rather than an exact match.
Comment 7•3 months ago
|
||
Please provide an update on "Add synthetic monitor tests to validate our system is correctly detecting CAA records which prevent issuance"
Assignee | ||
Comment 8•3 months ago
|
||
Thank you for the question, Ben. We are actively working on adding the synthetic monitor tests to validate detection of CAA records which prevent issuance. We expect the rollout to be ahead of our defined timeline in early October and will update the incident once complete.
Updated•2 months ago
|
Assignee | ||
Comment 9•2 months ago
|
||
As of 9/3/2024, synthetic monitoring has been deployed and is operating as expected. All action items related to this incident have been completed.
Comment 10•29 days ago
|
||
As there have been no questions or comments, and it appears that all action items related to this incident have been completed, I will close this matter on or about Wed. 30-Oct-2024.
Updated•23 days ago
|
Description
•