Educause Security Discussion mailing list archives

HSTS, wildcard certs and redirects


From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Mon, 4 Feb 2019 15:08:18 +0000

We are having numerous issues with what I believe to be HSTS in relation to sites where we have created a simple URL 
for a service. For example, we use Office365 and users know that "mail.berry.edu" will get them to Outlook on the 
Office365 site. Or, at least it did.

We don't have a specific cert for "mail.berry.edu"; we use our wildcard cert. The address redirects to Office365, of 
course, but Chrome now errors with, "Your connection is not private" and the Advanced section mentions HSTS. We get 
similar results with other sites that are set up the same way.

This started about two weeks ago.

Some users have deleted the HSTS domain policies in Chrome... I'm pretty uncomfortable with this - feels like putting a 
giant set of deadbolts on a door and leaving it ajar...

I feel like I've missed (or am missing) something fairly critical in all of this as HSTS is not new, but has just 
suddenly become an issue.

Is anyone experiencing this? How have you addressed the issue?

Thanks in advance for any clues...

Dan

Daniel H. Boyd (94C)
Director of Information Security
Office for Information Technology
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax:     706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SHARE YOUR PASSWORDS WITH ANYONE (EVEN OIT!!!!)
2. If unsure, consult rule #1
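An added example, not code from the post or the list: an offline model of the two checks a browser makes before it will load a shortcut host such as mail.<domain> over https, namely whether the wildcard certificate name actually covers the host (one label only, per RFC 6125) and whether an HSTS policy cached for a parent domain with includeSubDomains reaches down to it. The example.edu hostnames and the HSTS header values are constructed sample data.

```python
# Added example (not from the post): offline model of two checks a browser
# makes before it will load a shortcut host such as mail.<domain> over https.
# Hostnames and the HSTS header values below are constructed sample values.

def cert_name_matches(cert_name, host):
    """RFC 6125 wildcard rule: '*' stands for exactly one leftmost label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[2:]
    return (host.endswith("." + suffix)
            and host.count(".") == suffix.count(".") + 1)

def parse_hsts(header):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])
    return directives

def hsts_applies(cached, host):
    """Return the cached policy domain that forces https for host, else None.
    cached maps domain -> parsed directives, as a browser's HSTS store would."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        policy = cached.get(domain)
        if not policy or policy.get("max-age", 0) == 0:
            continue  # max-age=0 means the policy was cleared
        if domain == host.lower() or "includesubdomains" in policy:
            return domain
    return None

def diagnose(host, cert_names, cached):
    """List the conditions that would make a browser refuse the shortcut."""
    findings = []
    forced_by = hsts_applies(cached, host)
    if forced_by:
        findings.append(f"https forced by HSTS policy cached for {forced_by}")
    if not any(cert_name_matches(n, host) for n in cert_names):
        findings.append("no certificate name covers " + host)
    return findings

if __name__ == "__main__":
    store = {"example.edu": parse_hsts("max-age=31536000; includeSubDomains")}
    print(diagnose("mail.example.edu", ["*.example.edu"], store))
    print(diagnose("a.mail.example.edu", ["*.example.edu"], store))
```

Run against a real host, the same logic applies to the certificate names from the TLS handshake and to the Strict-Transport-Security headers the browser has already cached for the parent domain, which is what chrome://net-internals/#hsts shows when a policy has been stored.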

