A Lesser-Known Side-Effect of the Godaddy Outage

by Ryan 11. September 2012 11:21

ssl certSo GoDaddy.com experienced a massive denial of service attack and subsequent outage yesterday. GoDaddy hosts thousands of websites, email addresses, and global name servers. All of which were taken down yesterday for at least an hour or two. There are of course rumors that the "hacker group" Anonymous was somehow involved. Maybe they were, or maybe they weren't, but the fact is thousands of websites and millions of users across the globe were indiscriminately targeted. Lots of innocent, small businesses with online operations were unjustly hurt by the actions of whatever jackwagon(s) was/were involved.

The most obvious effect of the denial of service attack was that all Godaddy websites were inaccessible. Not just Godaddy.com itself, but all customer websites hosted by them. DNS records were unavailable for huge swaths of the internet.  Even the site http://www.downforeveryoneorjustme.com/ was overloaded by people wondering if a website was, in fact, down for everyone.

One lesser talked-about impact was that the Godaddy certificate revocation server was down too, which meant anyone on the web, and any automated monitoring tool that was monitoring the availability of HTTPS websites, became unable to check for the revocation of SSL certificates that were issued by Godaddy.

Some systems might return an error code 12057. The Windows WinInet API documentation defines it thusly:

#define ERROR_INTERNET_SEC_CERT_REV_FAILED    12057 // Unable to validate the revocation of the SSL certificate because the revocation server is unavailable
#define ERROR_WINHTTP_SECURE_CERT_REV_FAILED  12057 // Same as ERROR_INTERNET_SEC_CERT_REV_FAILED
#define CRYPT_E_REVOCATION_OFFLINE       0x80092013 // Since the revocation server was offline, the called function wasn't able to complete the revocation check

I.e., can't check for certificate revocation because Godaddy is getting pounded at the moment.

So the next question is, 'Should we care?'

If you absolutely just needed to clear this error, then you can go into the settings/options of your web browser, and uncheck the "Check for certificate revocation" option. Internet Explorer seems to have this enabled by default, but it can be switched off. Chrome has this unchecked by default but it can be turned on.

Personally I think we should care about checking for certificate revocation. By not checking for cert revocations, you're losing one of the big benefits that SSL certificates provide. If a certificate gets hacked, allowing the attacker to impersonate the intended certificate owner over the internet, I would certainly like to know if and when that certificate is revoked.

It may be more convenient and it may rely on one less component if you disable CRL checking, but if I browse to my online banking website one day, and I get a warning about it using a revoked certificate, I'm certainly not logging in!

Comments (1) -

impresa di pulizia milano Italy
7/31/2013 4:13:24 PM #

Our person, cleaning company, specializing in cleaning services, management and maintenance of apartments, offices, medical and dental offices, hotels, shopping, events and condominiums. Cleaning programs and management environments, designed with you in order to optimize our presence with the rhythms of the family and of the working of a company. More details about our cleaning company at http://www.sixlands.com.

Reply

Add comment

About Me

Name: Ryan Ries
Location: Texas, USA
Occupation: Systems Engineer 

I am a Windows engineer and Microsoft advocate, but I can run with pretty much any system that uses electricity.  I'm all about getting closer to the cutting edge of technology while using the right tool for the job.

This blog is about exploring IT and documenting the journey.


Blog Posts (or Vids) You Must Read (or See):

Pushing the Limits of Windows by Mark Russinovich
Mysteries of Windows Memory Management by Mark Russinovich
Accelerating Your IT Career by Ned Pyle
Post-Graduate AD Studies by Ned Pyle
MCM: Active Directory Series by PFE Platforms Team
Encodings And Character Sets by David C. Zentgraf
Active Directory Maximum Limits by Microsoft
How Kerberos Works in AD by Microsoft
How Active Directory Replication Topology Works by Microsoft
Hardcore Debugging by Andrew Richards
The NIST Definition of Cloud by NIST


MCITP: Enterprise Administrator

VCP5-DCV

Profile for Ryan Ries at Server Fault, Q&A for system administrators

LOPSA

GitHub: github.com/ryanries

 

I do not discuss my employers on this blog and all opinions expressed are mine and do not reflect the opinions of my employers.