Almost no chance of exploitation
With all that said, despite the shortcomings of the misissued certificates, there is very little chance their non-compliant entropy can be exploited. Certificates are now generated using SHA-256, a modern algorithm that doesn’t have the known vulnerabilities of MD5. The 64-bit requirement is instead more a matter of insuring against new attacks that will likely be discovered in the coming decades.
What that means is that, while the revocation and reissuance of between 1 million and 2 million certificates (at the time this post went live, researchers were still debating the number) is a major undertaking, there is virtually no security threat posed by the error.
“This is a big deal for CAs and their customers,” Caudill told Ars. “The impact of replacing large numbers of certificates is substantial. From a threat perspective though, this isn’t exploitable. It would require a major breakthrough in cryptography, and even then, 63 bits of entropy provides a huge safety margin. This is a problem because of impact to people and companies; hackers aren’t going to start forging certificates because of this.”
In online forums discussing the problem, a GoDaddy official initially said his company issued more than 1.8 million certificates that didn’t comply with the 64-bit requirement. Under industry rules, GoDaddy had five days to revoke the certificates, but GoDaddy said it wouldn’t be able to make that deadline for all the certificates identified.
“Within the next 30 days”
“Our goal is to reissue all the certificates within the next 30 days,” wrote Daymion Reynolds, who is senior director of SSL/PKI security products at GoDaddy. “We have started the revocation process. We have a significant number of customers that use manual methods for managing their certificates, so being agile for them is difficult. We want to keep our customers using https through the entire revocation period. Due to the large number of certificates and the benign nature of the issue, our plan is to revoke in a responsible way.”