HTTPS Problem

Windows updates released this month are causing some GOV.UK sites to become unreachable because the GOV.UK TLD was added to Microsoft's HSTS preload list. As a result, Microsoft Edge and Internet Explorer will only connect to these sites via HTTPS, which some GOV.UK sites do not support, making them unreachable.

HTTP Strict Transport Security (HSTS) is a directive that a web server can send to browsers to tell them that the site only supports secure connections. When a browser receives this directive, it automatically redirects all insecure requests to the site to secure requests.

For example, if the site www.example.com is using HSTS, any requests to http://www.example.com will be redirected to https://www.example.com.

Before a browser knows about a server's HSTS policy, it can still make a connection to an HTTP URL, which is insecure. To prevent this from happening, browsers bundle an HSTS Preload List, which contains a list of sites that are known to support secure connections so that the browser never connects to them using the insecure HTTP protocol.
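The upgrade decision described above, as an added example (not code from Microsoft or from this article): a simplified model of how a browser combines a preload list with policies learned from `Strict-Transport-Security` headers. The names `parse_sts` and `HstsStore`, the one-entry preload set, and the rule that every preload entry covers its subdomains are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed preload set (assumption): each entry covers the name and all of
# its subdomains, like the "gov.uk" entry this article describes.
PRELOAD = {"gov.uk"}

def parse_sts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    def __init__(self, preload=PRELOAD):
        self.preload = set(preload)
        self.dynamic = {}  # host -> (expiry_time, include_subdomains)

    def note_header(self, host, header, now, over_https=True):
        if not over_https:      # policies sent over plain HTTP are ignored
            return
        max_age, include_sub = parse_sts(header)
        if max_age == 0:        # max-age=0 tells the browser to forget the host
            self.dynamic.pop(host.lower(), None)
        else:
            self.dynamic[host.lower()] = (now + max_age, include_sub)

    def is_hsts(self, host, now):
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):        # the host, then each parent domain
            name = ".".join(labels[i:])
            if name in self.preload:
                return True
            expiry, include_sub = self.dynamic.get(name, (0, False))
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts(parts.hostname or "", now):
            return url
        netloc = parts.netloc.rsplit(":", 1)[0] if parts.port == 80 else parts.netloc
        return parts._replace(scheme="https", netloc=netloc).geturl()
```

A preloaded parent domain forces the upgrade for every host beneath it, whether or not that host ever sent the header or listens on port 443, which is why a site without HTTPS becomes unreachable rather than falling back to HTTP.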

Microsoft adds GOV.UK to their HSTS Preload List

On May 14th, 2019, Microsoft released the Windows 10 KB4494441 update, Windows 8.1 KB4499151 update, and Windows 7 KB4499164 update, which added the GOV.UK domain to their HSTS Top Level Domains preload list. This means that Microsoft Edge and Internet Explorer 11 will only connect to a GOV.UK site via HTTPS.

"Adds "gov.uk" to the HTTP Strict Transport Security Top Level Domains (HSTS TLD) for Internet Explorer and Microsoft Edge."

Unfortunately, not every GOV.UK site supports HTTPS and thus those sites are now unreachable in Microsoft Edge and Internet Explorer. Some of the known GOV.UK sites that are affected include www.doncaster.gov.uk, www.reading.gov.uk, and www.southglos.gov.uk.

doncaster.gov.uk unreachable in Microsoft Edge

We were first notified about this by Richard Carde, who told BleepingComputer that this is affecting various organizations that rely on these sites for their day to day operations.

The good news is that Microsoft is aware of the problem and has updated the support articles for these Windows updates to state that they are working on a fix.

After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge. Microsoft is working on a resolution and will provide an update as quickly as possible.

If you really need to have Internet Explorer or Edge working with these now unreachable sites, you can disable HSTS in Windows 7 and Windows 8.1. This is not recommended, though, as HSTS is a security feature.

For Windows 10 users, the ability to disable HSTS has been removed and users will have to wait for Microsoft to issue a fix.
