A Lesser-Known Side Effect of the GoDaddy Outage

So GoDaddy.com experienced a massive denial of service attack and subsequent outage yesterday. GoDaddy hosts thousands of websites, email addresses, and global name servers, all of which were taken down yesterday for at least an hour or two. There are of course rumors that the "hacker group" Anonymous was somehow involved. Maybe they were, or maybe they weren't, but the fact is thousands of websites and millions of users across the globe were indiscriminately targeted. Lots of innocent, small businesses with online operations were unjustly hurt by the actions of whatever jackwagon(s) was/were involved.

The most obvious effect of the denial of service attack was that all GoDaddy websites were inaccessible. Not just GoDaddy.com itself, but all customer websites hosted by them. DNS records were unavailable for huge swaths of the internet. Even the site http://www.downforeveryoneorjustme.com/ was overloaded by people wondering if a website was, in fact, down for everyone.

One less talked-about impact was that the GoDaddy certificate revocation server was down too. That meant anyone on the web, and any automated tool monitoring the availability of HTTPS websites, was unable to check for the revocation of SSL certificates issued by GoDaddy.

Some systems might return an error code 12057. The Windows WinInet API documentation defines it thusly:

#define ERROR_INTERNET_SEC_CERT_REV_FAILED    12057 // Unable to validate the revocation of the SSL certificate because the revocation server is unavailable
#define CRYPT_E_REVOCATION_OFFLINE       0x80092013 // Since the revocation server was offline, the called function wasn't able to complete the revocation check

I.e., can't check for certificate revocation because Godaddy is getting pounded at the moment.

So the next question is, 'Should we care?'

If you absolutely need to clear this error, you can go into the settings/options of your web browser and uncheck the "Check for certificate revocation" option. Internet Explorer seems to have this enabled by default, but it can be switched off. Chrome has this unchecked by default, but it can be turned on.

Personally I think we should care about checking for certificate revocation. By not checking for cert revocations, you're losing one of the big benefits that SSL certificates provide. If a certificate gets hacked, allowing the attacker to impersonate the intended certificate owner over the internet, I would certainly like to know if and when that certificate is revoked.

It may be more convenient and it may rely on one less component if you disable CRL checking, but if I browse to my online banking website one day, and I get a warning about it using a revoked certificate, I'm certainly not logging in!
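
As an added example (not code from the original post): a monitoring tool can leave revocation checking on and still cope with an outage like this one by reporting 12057 / CRYPT_E_REVOCATION_OFFLINE as "status unknown", separate from a certificate that really is revoked. The revoked codes (12170, 0x80092010) are Windows values not quoted in the post; the host names, issuer labels, threshold and sample probes are constructed assumptions.

```python
from collections import Counter

# Codes quoted in the post: the revocation server could not be reached.
REV_OFFLINE = {12057, 0x80092013}
# Assumption, not from the post: Windows codes for a certificate that IS
# revoked (ERROR_INTERNET_SEC_CERT_REVOKED, CRYPT_E_REVOKED).
REVOKED = {12170, 0x80092010}


def classify(code, hard_fail):
    """Map one probe's error code to a monitoring verdict."""
    if code == 0:
        return "ok"
    if code in REVOKED:
        return "revoked"  # always an incident, whatever the host policy
    if code in REV_OFFLINE:
        # Status unknown: refuse on sensitive hosts, warn on the rest.
        return "block" if hard_fail else "warn"
    return "error"  # some unrelated failure


def summarize(probes, hard_fail_hosts, outage_threshold=3):
    """Return per-host verdicts and issuers whose revocation server looks down."""
    verdicts, offline_by_issuer = {}, Counter()
    for host, issuer, code in probes:
        verdicts[host] = classify(code, host in hard_fail_hosts)
        if code in REV_OFFLINE:
            offline_by_issuer[issuer] += 1
    # Many hosts under one issuer failing the same way points at the CA's
    # revocation endpoint, not at the individual sites.
    ca_outages = sorted(i for i, n in offline_by_issuer.items()
                        if n >= outage_threshold)
    return verdicts, ca_outages


# Constructed sample probe results: (host, issuing CA label, error code).
SAMPLE = [
    ("shop.example", "CA-A", 12057),
    ("blog.example", "CA-A", 12057),
    ("bank.example", "CA-A", 0x80092013),
    ("mail.example", "CA-B", 0),
    ("old.example", "CA-B", 12170),
]

if __name__ == "__main__":
    verdicts, outages = summarize(SAMPLE, hard_fail_hosts={"bank.example"})
    for host, verdict in verdicts.items():
        print(f"{host:14} {verdict}")
    print("revocation endpoints likely down for:", outages)
```

With the sample data, the three CA-A hosts are grouped into one CA-level alert instead of three site alerts, and the sensitive host is blocked rather than silently passed.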
