HSTS Preloading of all .Dev domains: Troubleshooting

I’ve been quietly planning out SheHacksPurple.dev for the past little while, with the intent to announce it while at RSAC last week in San Francisco. My new site provides regular security content for a modest fee ($7/month), all created by yours truly, on the topics of DevSecOps, AppSec, Cloud Security, MFA, etc. Soon I will be releasing full length training courses on these topics, also at affordable prices.

** Our company website is now WeHackPurple.com

That said, when I pointed my domain at Podia.com (the place that is hosting my content), I followed the directions, and it did not work. The https://www.shehackspurple.dev link worked, but the apex domain, https://shehackspurple.dev, was throwing a security error. The instructions were to point the CNAME record for “www” to the Podia address for my content, no problem. Then forward the apex domain (no “www” at the front), to the www address for my site. I wasn’t sure why but the following error was thrown in all browsers.

HOW EMBARRASSING! I teach how to implement HSTS, then I can’t get it right? Ahh!

By this point I knew it was an HSTS problem, and that I was being pre-loaded, so I tried to remove my URL from being pre-loaded. Sounds easy right? Nope.

Being rejected by the HSTS Preload Page

At this point I felt I had to ask for help, people were clicking on the links from my presentations and getting this embarrassing error. Time to swallow my pride. I called GoDaddy, the ones who sold me the “.dev” domain name, and they had no idea. I called Podia, and they were also at a loss.

My sharing my feelings with the Chromium Dev Team.

They did not answer my accusatory tweet.

So then I did what I always do when I’m completely stuck; I asked my brilliant twitter followers.

Within 10 minutes someone pointed out that Google had purchased the entire “.dev” domain (I didn’t know that was possible) and decided to force pre-loading of the HSTS security header on all of the domains under .Dev. THAT was why I could not get my URL to stop being pre-loaded. This news surprised me because 1) shouldn’t GoDaddy have known this was the issue since they sold me the .dev domain? 2) forcing a security feature on everyone often leads to poor results and 3) apparently some people think that “.dev” means a site that is under development, when it actually means “for developers”. No one is going to buy a completely separate domain so they can host their dev stuff on it, internal to their own networks. That makes zero sense folks.

In summary, I bought a .dev because I thought that’s where all the cool kids were, but it turns out that the .dev addresses come with baggage. My emails from my new domain are too-often caught in spam filters, and now this HSTS situation… But I digress.

read a few articles on this topic, and I learned that the TLS handshake couldn’t be completed on the apex (my domain without the “www” at the front), because I had it forwarding to my www domain. HSTS forces you to complete the handshake. GoDaddy’s forwarding feature doesn’t complete it, it just forwards it directly, which is not enough for HSTS, it’s strict.

Once I knew what the problem was, then I had to figure out a way to hack around it. I’m stubborn and did not want to have to start all over with a new domain. No way.

Luckily a whole bunch of my followers had great ideas. Michael Buckbee was particularly helpful, helping me figure out that the APEX (https://shehackspurple.dev) needed to terminate the TLS, so then I just needed to figure out how to do it. PS Thanks Michael!

This is where I turned to CloudFlare. No, this is not an advertisement for them, we aren’t affiliated (but if they want to buy a subscription to my site that would be cool!).

CloudFlare protects sites from DDOS and other internet problems, and in the process they *forward* your traffic. GREAT, I needed my traffic forwarded. And since they are a security company they terminate the TLS. PERFECT.

First I set up CloudFlare, which was super-simple. They have a free plan and I choose that one, so far so good.

Then I created a Page Rule to forward my Apex URL to my www URL, like so.

My CloudFlare Page Rule

And BOOM, SheHacksPurple.dev is no longer broken, and I can post content for all to find. 😀

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

AMA: Where can we learn Threat Modelling?

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’.

The linked video is approximately 2 minutes.

  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Escalation of Privilege”, create by Adam Shostack
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. 😀
  • Every time there is a new project at work, meet with them for one hour and just *try* to threat model. It’s okay if it’s not perfect, if you identify just one risk you had not thought of, your sessions was productive.
  • Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area, Adam ShostackAvi DouglenTony UcedaVelezCaroline MoeckelTash Norris, the list goes on and on.
  • Whiteboard designs with people and then ‘put on your black hat’ and take a look.
  • Ask the tech team (developers, architects, ops peeps), ‘If you were going to hack your app, how would you do it?” The answers may terrify you, but you’ll be happy you asked.
  • Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating SushiThreat Modelling Serverless, and Threat Modelling.
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…
For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

PS The Video Quality is low in this video and has been improved in future recordings.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!