This is nearly as meta as it gets. A write-up detailing the process of standing up a website from the perspective of someone who has never done so on the open internet in the modern era of website builders, countless hosting providers and a million ways to mess up. Starting at concept, going all the way to live on the internet and beyond. I had only a bit of free time this evening. At this point in writing the post I am pushing 3 hours of actively working on this mini-project, not bad. I also did not want to break the bank in any way, so we're coming in at just under $50 for this endeavor.
About Me
I feel like I need to pause for a brief moment to introduce myself, this is the first post after all. I am Jake Hooker, a Security Engineer by trade, and a wannabe hacker, researcher, learner, builder/fixer/fail-er by passion. I'm always looking for new ways to learn, and will hopefully be able to share in that through this and future personal projects. Moving on.
Concept
For a while I've found myself considering starting a blog. The biggest roadblock has honestly been coming up with a clever name. The basic idea has been to mash my name together with something that was either clever, pun-worthy, or concise and descriptive of what the blog would be about. I also have somewhat of a feeling about certain TLDs that I have some moral conflicts with (looking at you .io). The .tech TLD seemed a natural choice for something that was intended to be a playground for my learnings, thoughts and research. I hit the one-two punch of finding a domain name and Twitter handle that both matched and were available so here we are. The overall goal of this blog is to provide a repository for my work, to share ideas and hopefully to learn a lot in the process.
Registering a Domain
Now for the easy stuff. Domain registrars are a dime a dozen these days. And there are tons of TLDs that are just as cool as a .com. That is a good thing for... reasons:
As I mentioned earlier I have a budget and it's not in the quadruple, or even triple, digits. Luckily .tech was cheaper, coming in at $40/yr from Google Domains. I will admit that this was NOT a good deal. I should've shopped around; Namecheap and others come in considerably cheaper. Looking now I see that securityhooks would've been $3/yr with a 2yr price lock. Lesson learned. I was originally thinking I would be keeping everything on the Google ecosystem, but that plan very quickly changed as I started looking at website builders and hosting options.
Checkpoint: I own a domain name (cost=$40/yr).
Setting Up a Blog
Here's where my inexperience really shines. I genuinely had no clue what people are using for personal sites these days. Professionally I've been exposed to quite a few CMSs, none I loved. I turned to Twitter to find out what some big names were using. We had a few:
- decentsecurity.com (@SwiftOnSecurity) - Squarespace
- malwaretech.com (@MalwareTechBlog) - WordPress
- doublepulsar.com (@GossiTheDog) - Medium
Google supports at least the first two natively so that was where I headed. After seeing hosting fees ($5-$15/month depending on plan) I started to think twice. I had already blown my budget on the overpriced domain name. Enter Blogger, a Google-owned service for free blogs. Noting again that this is my first time in this space, I figured that would fit nicely with my prerequisite of being able to stand something up in my limited time this evening. Blogger seems to be a winner so far, at least for getting started. It supports custom domain names and HTTPS, including an option to automatically redirect any HTTP connections. Great. Even better, it is automatically configured if you're using Google as a name server. I opted not to do that, which introduced some minor intricacies; more to follow.
Checkpoint: I selected a platform, Blogger.
Securing the Site
Before rushing out of the gates I stopped to set up a few requirements:
- HTTPS everywhere
- Modern protocols
- WAF/monitoring
- Email on the new domain
This was my basic scope; it ended up expanding as I found more options available for free. It really is amazing what is offered to us these days at little to no cost.
At this point, looking at what I needed and remembering I had already spied on my peers I looked at the common denominator between most of them: Cloudflare. Cloudflare at a surface level acts as a CDN. It also makes my life incredibly simple, I really can't express how happy I am so far with the set up process. I currently have Cloudflare providing proxy services via their free plan. If I want to add true WAF capability I will have to move up to Pro. However they also offer a number of a la carte premium plugins to the free version that will almost certainly cover all of my bases while hosting on Blogger. So with that in mind I created a Cloudflare account and got to work migrating to their platform.
Checkpoint: Still just a simple domain name, no site attached.
Updating Name Servers
This was perhaps the easiest part, as it should be. Google allows you to switch to custom name servers. This will however disable almost all of your settings through Google Domains. I found that while they say all settings are disabled they don't mean all settings. More on that later.
With the free version Cloudflare will provide two primary name servers that will replace the four that Google had originally configured. Cloudflare will also automatically check your DNS record to try to configure it for you. At this point I had not set up the Blogger site so this resulted in a bogus CNAME entry that caused some trouble. However once you do create your blog you will be given the option to point it to your custom domain name, and at that point will be given the correct CNAME configuration:
There is a second entry that ties your account directly to your Google account, which is very convenient for management. Since I only have this blog currently I put it directly on the home page, though you could easily set it to a different sub-domain such as blog. I don't foresee any issues migrating in the future.
Big note: while the CNAME configuration was obviously presented, the A records for the naked-domain redirect to www were much less so. Google's documentation is great, but not always easy to find (https://support.google.com/blogger/answer/1233387?hl=en&ref_topic=6321959)
Checkpoint: The site lives, it is empty and 'Not Secure'.
Setting up HTTPS
After the name servers were pointed to Cloudflare the fun begins. They have a ridiculous number of options:
Poking around all of their tabs introduced some major scope creep. There are so many more free options than I originally anticipated. The new scope looked more like this:
- Configure HTTPS end-to-end
- Configure DNSSEC
- Disable outdated protocols
- Configure HSTS
- Configure E-mail Forwarding
- ????
I left the last setting open ended because there is much more to be done, but I covered the basics. So starting with HTTPS I found myself in the SSL/TLS tab. There's some conflicting information here that I will try to iron out for everyone. First of all Cloudflare configured itself to use Flexible TLS:
Flexible however does not meet my requirement of end-to-end HTTPS. In fact I personally feel that it's a bit disingenuous to users to claim the site is HTTPS but have HTTP between Cloudflare and the server. Most of the blogs and other write-ups that I read specifically stated that Flexible needed to be used, else a 525 Handshake Failure could occur. That is true, but it should only be temporary. I think Full should be the default setting. It is entirely supported and provides end-to-end encryption. Full (strict) is still an option, but Cloudflare was ambiguous regarding what CAs they trust. The only settings that need to be enabled on Blogger to support HTTPS are here:
You'll notice that Blogger supports its own HTTPS Redirect. That is NOT explicitly required, since Cloudflare should be redirecting itself, but if I ever have to bypass Cloudflare it will at least continue to enforce HTTPS. There is some redundancy on Cloudflare for these settings. Other guides claimed that you have to use a page rule on Cloudflare to enforce the HTTPS redirect. As far as I can tell this is no longer true, as they have an option to do it automatically:
There are a number of other settings involving HTTPS as well that were simple toggles to enable including:
- Automatic HTTPS rewrites for mixed content
- TLS 1.3
- Certificate Transparency Monitoring (CTM)
Finally to check off requirement #3 Cloudflare lets you manually select the minimum TLS version you'll accept. After reviewing the traffic I've seen so far (almost all from my own devices) I opted for TLSv1.2:
HSTS was my final TLS related requirement. I opted to go with Cloudflare's default settings for enabling it:
Per their recommendations I enabled HSTS after making sure any 525 Handshake Failures were ironed out.
Checkpoint: The site is still just as empty, but now transport is secure.
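The redirect and HSTS settings above can be checked from the responses the site returns. The following is an added example, not part of the original post or of any Cloudflare or Blogger tooling: it parses a Strict-Transport-Security header the way RFC 6797 describes and audits a recorded redirect chain. The 180-day threshold and the sample hops are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days in seconds; this threshold is the example's assumption

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns None for a header a browser would ignore."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments such as a trailing ';'
        if name in directives:
            return None                      # each directive may appear only once
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                          # max-age is required and must be an integer
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit_chain(chain, min_age=MIN_MAX_AGE):
    """chain is a list of (url, status, headers) hops, starting at the http:// URL."""
    findings = []
    _, status, headers = chain[0]
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    final_url, _, final_headers = chain[-1]
    raw = {k.lower(): v for k, v in final_headers.items()}.get("strict-transport-security")
    # Browsers ignore HSTS delivered over plain HTTP, so only an https:// hop counts.
    policy = parse_hsts(raw) if raw and final_url.lower().startswith("https://") else None
    if policy is None:
        findings.append("no valid HSTS policy on the final HTTPS response")
    elif policy["max_age"] < min_age:
        findings.append("HSTS max-age %d is below %d" % (policy["max_age"], min_age))
    return findings

# Constructed sample hops (not captured from the live site).
GOOD = [("http://securityhook.tech/", 301, {"Location": "https://securityhook.tech/"}),
        ("https://securityhook.tech/", 200,
         {"Strict-Transport-Security": "max-age=15552000; includeSubDomains"})]
NO_REDIRECT = [("http://securityhook.tech/", 200,
                {"Strict-Transport-Security": "max-age=15552000"})]

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("no redirect", NO_REDIRECT)):
        print(label, audit_chain(chain) or "OK")
```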
Configuring DNSSEC
This was a bit of a new one for me, though Cloudflare provided one of the most concise descriptions of it that I have read thus far (https://support.cloudflare.com/hc/en-us/articles/360006660072).
Simply put DNSSEC provides authentication for DNS requests via PKI. That's it. I'm not sure why it sounded more mystical before, but it's very simply configured when registering with Google (I guess that's one good thing about the $40/yr price tag).
I mentioned earlier that there was a point where Google would renege on their claim that all settings were disabled when using a third party name server. That is proven true here, as you have to register the DS record with Google to enable DNSSEC. Ignore their angry banner saying you can't change anything. Again, kudos to Google at least for providing solid documentation (https://support.google.com/domains/answer/6387342?hl=en).
Last but not least, for tonight, I got to work setting up e-mail forwarding.
Checkpoint: Site is up, HSTS is enabled, DNS is digitally signed.
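The DS record registered at the registrar is a digest of the DNSKEY the DNS provider publishes, so the two can be cross-checked. The following is an added example, not from the original post: it derives the DS fields from a DNSKEY per RFC 4034 and compares them with the text entered at the registrar. The all-zero key is constructed, and flags 257, algorithm 13 and SHA-256 digest type 2 are assumed values.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical DNS wire form: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, public_key_b64):
    """Return (key tag, algorithm, digest type, digest) for a SHA-256 DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)   # 2 = SHA-256 digest type

def ds_matches(ds_text, owner, flags, protocol, algorithm, public_key_b64):
    """Compare 'tag alg type digest' as typed at the registrar with the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    want = ds_record(owner, flags, protocol, algorithm, public_key_b64)
    return (int(tag), int(alg), int(dtype), "".join(digest).upper()) == want

# Constructed key material: 64 zero bytes, not a real key for any zone.
SAMPLE_KEY = base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    print(ds_record("securityhook.tech", 257, 3, 13, SAMPLE_KEY))
```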
Configuring E-Mail Forwarding
I included this requirement partially because I didn't know any better, but mostly because I wanted a "professional" email to go along with a new site. I also wanted to open a line of communication up with readers, peers and public in case I ever said something so controversial that it needed to be discussed in depth. I did not however feel the desire to host an actual mail server for the domain.
Google came in strong here, since they have Gmail at their disposal they give you the option to easily forward mail.
Many write-ups and blogs say that e-mail forwarding is rare or unnecessary. I disagree. I do not want to create a dedicated mailbox for abuse@securityhook.tech, contact@securityhook.tech, etc. Instead the desire was to be able to have those forwarded directly to me and let inbox rules sort them out.
This can be done by way of MX records. Google once again provides documentation (https://support.google.com/domains/answer/9428703).
This is what it looks like once MX records are set up in Cloudflare's portal. Note the DNS only flag, that's saying Cloudflare will not proxy these connections. That is good, because it wouldn't work if they did. Cloudflare is smart enough to recognize and set them this way automatically.
The actual setting up of an alias needs to be done on Google Domains again. I opted for a basic wildcard alias to get started, but I can just as easily go back and create individual aliases for each virtual inbox I'd like to set up.
Checkpoint: Blog is up, basic security is covered, and there is a reasonable way to contact me.
Wrapping Up
I've now gotten my basics done and I'm ready to get posting. I have a feeling that the next few posts will mostly involve me getting used to Blogger, fiddling around more with settings in Cloudflare and getting some monitoring in place. To verify a few of the things I've done I thought it would be fun to take a look at some of my favorite tools to see how the site does:
Verifying TLS
Verifying Security Headers
https://securityheaders.com/?q=securityhook.tech&followRedirects=on
Uh oh, Scott Helme (@Scott_Helme) disagrees. But we're still technically passing.
Verifying DNSSEC
https://dnsviz.net/d/securityhook.tech/dnssec/
Specs:
- Total time to completion: 2.5 hours
- Total cost: ~$40/yr
Overall I'm more than happy with the results of two hours of work getting a site configured from start to finish. The only cost incurred was the domain name registration; working with Google and Cloudflare was relatively seamless.
Jake Hooker
@securityhook