Educause Security Discussion mailing list archives
HSTS, wildcard certs and redirects
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Mon, 4 Feb 2019 15:08:18 +0000
We are having numerous issues with what I believe to be HSTS in relation to sites where we have created a simple URL for a service. For example, we use Office365 and users know that "mail.berry.edu" will get them to Outlook on the Office365 site. Or, at least it did. We don't have a specific cert for "mail.berry.edu"; we use our wildcard cert. The address redirects to Office365, of course, but Chrome now errors with, "Your connection is not private" and the Advanced section mentions HSTS. We get similar results with other sites that are set up the same way. This started about two weeks ago.

Some users have deleted the HSTS domain policies in Chrome... I'm pretty uncomfortable with this - feels like putting a giant set of deadbolts on a door and leaving it ajar...

I feel like I've missed (or am missing) something fairly critical in all of this as HSTS is not new, but has just suddenly become an issue. Is anyone experiencing this? How have you addressed the issue?

Thanks in advance for any clues...

Dan

Daniel H. Boyd (94C)
Director of Information Security
Office for Information Technology
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1
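A way to pin down which hop in a chain like the one described above is failing, before anyone clears HSTS state in Chrome: a small Python checker, added here and not from the original thread, that follows redirects from a vanity hostname, compares the served certificate's SAN names against the hostname with RFC 6125 wildcard rules (one label, leftmost only; partial-label wildcards treated as non-matching), and records any Strict-Transport-Security policy each hop sets, including whether it carries includeSubDomains. The function names and the per-hop report layout are this example's own; the hostnames in the docstring are placeholders.

```python
import http.client
import ssl
from urllib.parse import urlsplit

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and covers
    exactly one label, so '*.example.edu' covers 'mail.example.edu' only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*":
        return pattern == hostname
    return len(p_labels) >= 3 and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def parse_hsts(header: str):
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    directives = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    age = directives.get("max-age")
    max_age = int(age) if age and age.isdigit() else None
    return max_age, "includesubdomains" in directives, "preload" in directives

def check_chain(url: str, max_hops: int = 5):
    """Follow redirects; per hop record SAN names, whether one covers the host, and HSTS."""
    ctx, report = ssl.create_default_context(), []
    for _ in range(max_hops):
        parts = urlsplit(url)
        host = parts.hostname
        hop = {"url": url, "san": [], "cert_ok": None, "hsts": None, "next": None}
        report.append(hop)
        if parts.scheme != "https":
            break  # a plain-http hop: a browser holding an HSTS policy never fetches it
        try:
            conn = http.client.HTTPSConnection(host, parts.port or 443, context=ctx, timeout=10)
            conn.request("GET", parts.path or "/")  # TLS handshake (and name check) happens here
        except ssl.SSLCertVerificationError as exc:
            hop["cert_ok"], hop["error"] = False, str(exc)
            break
        resp = conn.getresponse()
        sans = [v for k, v in conn.sock.getpeercert().get("subjectAltName", ()) if k == "DNS"]
        hop["san"], hop["cert_ok"] = sans, any(hostname_matches(s, host) for s in sans)
        hsts = resp.getheader("Strict-Transport-Security")
        hop["hsts"] = parse_hsts(hsts) if hsts else None
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = hop["next"] = location if "://" in location else f"https://{host}{location}"
    return report
```

Call `check_chain("https://mail.berry.edu/")` from a Python shell: a hop whose `cert_ok` is False with an `error` string is the one the browser refuses, and any earlier hop whose `hsts` tuple has includeSubDomains set is a policy that also covers names beneath it.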
Current thread:
- HSTS, wildcard certs and redirects Boyd, Daniel (Feb 04)
- Re: [EXT]: [SECURITY] HSTS, wildcard certs and redirects Shawn, Jason (Feb 08)
- Re: [External]Re: [SECURITY] [EXT]: [SECURITY] HSTS, wildcard certs and redirects Boyd, Daniel (Feb 08)
- Re: [External]Re: [SECURITY] [EXT]: [SECURITY] HSTS, wildcard certs and redirects Boyd, Daniel (Feb 11)
- Re: [EXT]: [SECURITY] HSTS, wildcard certs and redirects Shawn, Jason (Feb 08)