
Blog Archives

  • Microsoft released fixes for IE “gov.uk” HSTS bug – on a Saturday – but only for Win7 and 8.1

    Posted on May 18th, 2019 at 21:50 by woody

    Make of this what you will.

    Today, Saturday, Microsoft released KB 4505050, a “Cumulative update for Internet Explorer: May 18, 2019” that applies to

    • Internet Explorer 11 on Windows Server 2012 R2
    • Internet Explorer 11 on Windows Server 2012
    • Internet Explorer 11 on Windows Server 2008 R2 SP1
    • Internet Explorer 11 on Windows 8.1 Update
    • Internet Explorer 11 on Windows 7 SP1
    • Internet Explorer 11 on Windows Embedded 8 Standard

    Its sole purpose is given as

    Addresses an issue that may prevent access to some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) when using Internet Explorer 11 or Microsoft Edge.

    If you’re dealing with UK government sites, and using Win7 or 8.1 with IE 11, you might want to get patched up.

    The notice on the Release Information page that said this bug was solved? It still says that the bug’s been solved, but now there’s an added reference to KB 4505050.

    I see no change at all for any of the other versions of Windows. And there are many.

  • If you’re dealing with UK government websites, bend waaaaaaaay over and kiss your keester

    Posted on May 17th, 2019 at 14:36 by woody

    Actually, the best solution is to use Chrome or Firefox, but….

    Every single Windows patch this month has broken a protocol known as HSTS for domains that end in gov.uk.

    From Wikipedia:

    HSTS allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.

    Poster @magic describes it this way:

    “gov.uk” is the main site for the UK government. It’s used for online applications for car tax, passports, driving licenses. That sort of very important stuff which requires a secure connection, and has been HTTPS for years.

    Then you get a level down to local government, where there’s 400+ local councils. They have placename.gov.uk domains, which this just broke as we got no warning that HSTS was being enforced. I’m an infrastructure tech for a local council with 250,000 residents. A bunch of internal systems (that don’t require HTTPS) stopped working after I got the patches to test on Wednesday morning.

    For us it prevents access to the publicly accessible democracy data and the planning system among others. Both of these are maintained by external systems providers so it’s not a five minute job to add a certificate. The main website is fine for us, other councils don’t even have HTTPS enabled on those. I got a tweet before from someone advising that reading.gov.uk and doncaster.gov.uk are inaccessible.

    Like I said, bend waaaaaaaay over.

    The culprit? Microsoft has just fessed up:

    Unable to access some gov.uk websites

    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.
    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.

    Tell me again who tests this stuff. Certainly nobody running Win10 1809, 1803, 1709, 1703, 1607, 1507, Win 8.1, Win 7, Server 1809, Server 2019, Server 1803, Server 1709, Server 2016, Server 2012 R2, Server 2012, or Server 2008 R2 who’s using IE or Edge to access UK government sites.

    Did I leave anybody out?

    UPDATE: Do you use Avast? See this anonymous post:

    Here’s the link directly to the Avast site, but be warned: I can no longer see it with any browser ever since installing the May MS updates as recommended by @woody. The cause is probably due to a lack of full support for HSTS on their site, as it’s based in the UK.

    And now you know why I hated SO much to recommend that Win7 users install this month’s update.