Heartbleed and GoDaddy’s Certificate Authority

This one goes up to 11

The Heartbleed Bug has gotten a lot of coverage internationally – and rightfully so. As renowned security blogger Bruce Schneier put it, “On the scale of 1 to 10, this is an 11.”

But if you are not only a website visitor, but also a GoDaddy customer and a website owner, it might not be clear what this means for you.

The impact for GoDaddy’s Secure Certificate Team

GoDaddy is one of the world’s largest certificate authorities (CA) – which means we’re responsible for issuing a large portion of the world’s SSL certificates. SSL certificates are the most commonly used security tool on the Internet. They stop third parties from viewing confidential information being exchanged between a visitor and a website – information such as passwords and Social Security numbers.

As a major figure in Internet security, we’re very glad to say that our CA was not vulnerable to The Heartbleed Bug in the first place, which means we remained completely immune. Our root certificates are also safe. And, finally, GoDaddy’s website (godaddy.com) was not vulnerable, so your credentials could not have been compromised, either.

In short, GoDaddy’s certificate authority system was never at risk, nor did it put our customers at risk.

The impact for your server or Secure Certificate

What you need to do depends on what kind of product you have with us:

Server customers should upgrade their version of OpenSSL, as well as rekey any certs. We have detailed instructions here.

SSL customers whose servers are hosted elsewhere should upgrade their version of OpenSSL using their hosts’ instructions, and then rekey their certificates. This will generate a new private key, which protects you in the worst-case scenario that a hacker did manage to find your server’s key by leveraging Heartbleed. We have those instructions available here.

SSL customers using shared hosting can request that their account be rekeyed by sending an email to heartbleed@godaddy.com.

After you’ve completed those steps to fix the vulnerability, there’s only one last thing we recommend doing: If your site allows users to log in, strongly consider changing all of your users’ passwords. There’s a chance they could have been exposed during the time your server was using a vulnerable version of OpenSSL.
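Rekeying only protects you if the replacement certificate is bound to a genuinely new key pair; a reissue built from the old key leaves a possibly exposed key in service. The script below is an added example (not GoDaddy's instructions or code) that generates a new key and CSR and then checks that the public key actually changed. It assumes the `openssl` command-line tool is installed; all file names and the subject `/CN=example.test` are constructed placeholders.

```shell
#!/bin/sh
# Added example: rekey and confirm the key pair really changed.
# All file names and the subject /CN=example.test are constructed placeholders.

# Print the SHA-256 of the DER-encoded public key in a PEM file.
# $1 = cert | csr | key, $2 = path
pubkey_fp() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# The rekey step: a brand-new private key plus a CSR to send to the CA.
# $1 = new key path, $2 = new CSR path, $3 = subject
new_key_and_csr() {
    ( umask 077   # keep the new private key unreadable to other users
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
}

# Succeed only if the new file's key differs from the old certificate's.
# $1 = old cert, $2 = kind of new file (cert | csr | key), $3 = new file
is_rekeyed() {
    old=$(pubkey_fp cert "$1") || return 2
    new=$(pubkey_fp "$2" "$3") || return 2
    [ "$old" != "$new" ]
}

# Constructed scenario: an "old" self-signed cert, a proper rekey, and a
# reissue request that wrongly reuses the old (possibly exposed) key.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null || return 1
    new_key_and_csr "$d/new.key" "$d/new.csr" /CN=example.test || return 1
    openssl req -new -key "$d/old.key" -subj /CN=example.test \
        -out "$d/reuse.csr" 2>/dev/null || return 1
    is_rekeyed "$d/old.crt" csr "$d/new.csr" && echo "new.csr: key changed"
    is_rekeyed "$d/old.crt" csr "$d/reuse.csr" || echo "reuse.csr: SAME key, not a rekey"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Once the CA returns the reissued certificate, `is_rekeyed old.crt cert new.crt` performs the same comparison against the certificate itself.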

What’s next?

This is one of the largest security issues the Internet has ever faced. Fortunately, there aren’t widespread reports of anyone’s data being compromised, though there will doubtless be tremors of the impact felt into the future.

We are glad to say, though, that GoDaddy has had your back this whole time and done everything we can to minimize our customers’ exposure to the vulnerability.


Sean Loiselle
Sean Loiselle is a senior technical writer in NYC who focuses on open source enterprise software. When he's not neck-deep in SQL, he takes in the city's museums, music, theater, and performance art spots.