If you’re dealing with UK government websites, bend waaaaaaaay over and kiss your keester

Actually, the best solution is to use Chrome or Firefox, but….

Every single Windows patch this month has broken a protocol known as HSTS for domains that end in gov.uk.

From Wikipedia:

HSTS allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.

Poster @magic describes it this way:

“gov.uk” is the main site for the UK government. It’s used for online applications for car tax, passports, driving licenses. That sort of very important stuff which requires a secure connection, and has been HTTPS for years.

Then you get a level down to local government, where there’s 400+ local councils. They have placename.gov.uk domains, which this just broke as we got no warning that HSTS was being enforced. I’m an infrastructure tech for for a local council with 250,000 residents. A bunch of internal systems (that don’t require HTTPS) stopped working after I got the patches to test on Wednesday morning.

For us it prevents access to the publicly accessible democracy data and the planning system among others. Both of these are maintained by external systems providers so it’s not a five minute job to add a certificate. The main website is fine for us, other councils don’t even have HTTPS enabled on those. I got a tweet before from someone advising that reading.gov.uk and doncaster.gov.uk are inaccessible.

Like I said, bend waaaaaaaay over.

The culprit? Microsoft has just fessed up:

Unable to access some gov.uk websites

After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

Affected platforms:

• Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
• Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1

Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.

Tell me again who tests this stuff. Certainly nobody running Win10 1809, 1803, 1709, 1703, 1607, 1507, Win 8.1, Win 7, Server 1809, Server 2019, Server 1803, Server 1709, Server 2016, Server 2012 R2, Server 2012, or Server 2008 R2 who’s using IE or Edge to access UK government sites.

Did I leave anybody out?

UPDATE: Do you use Avast? See this anonymous post:

Here’s the link directly to the Avast site, but be warned: I can no longer see it with any browser ever since installing the May MS updates as recommended by @woody. The cause is probably due to a lack of full support for HSTS on their site, as it’s based in the UK.

And now you know why I hated SO much to recommend that Win7 users install this month’s update.