Chrome to start blocking insecure HTTP file downloads from HTTPS sites

Adam Bannister February 10, 2020 at 14:26 UTC
Updated: May 11, 2020 at 07:56 UTC
HTTPS padlock gives users a false sense of security when downloading files
Chrome will begin blocking HTTP downloads started on secure web pages (HTTPS) – known as âmixed content downloadsâ – as part of a phased rollout culminating with the release of Chrome 86 in October.
In an article posted to the Google Security Blog last week, Joe DeBlasio of the Chrome Security Team discusses how mixed content downloads of executables such as .exe – the most common vehicles for malware – would initially be stuck in june version of Chrome 83.
Download restrictions, which were first set in April 2019, will then expand to include archives (.zip) and disk images (.iso) in Chrome 84, which is slated to roll out in August, and then other mixed content besides images, audio, video, and text in Chrome 85 in September.
In Chrome 86 and beyond (released October 2020), Chrome will block all downloads of mixed content.
Google launches gradual rollout of mixed content downloads
Positive confidence indicators
Although encrypted HTTPS sites are inherently more secure than HTTP sites, if they host files downloaded using the HTTP protocol, they could still put users at risk.
Google is acting out of fears that many users will see “HTTPS” and the accompanying padlock in a site’s address bar as indicators that all files available for download on the page will also be secure.
âAll unsecured downloads are bad for privacy and security,â DeBlasio said in a Twitter feed explaining the movement. “A spy can see what a user is downloading, or an active attacker can trade the download for a malicious download.”
Speaking to the developers, the security engineer added, âThink of it as a mixed content block, but for downloads. You cannot upload unsecured content to your HTTPS page, nor should you upload unsecured files.
Gradual deployment
Chrome 81 (which will also be removing support for TLS) will kick off the rollout in March with a console message warning about mixed content downloads.
The changes will take effect a later version for Android and iOS mobile platforms, which would have âbetter native protectionâ against malicious files.
Learn about the latest browser security news
âThis phased rollout is designed to quickly mitigate the worst risks, give developers the ability to update sites and minimize the number of warnings Chrome users see,â DeBlasio said.
He also urged developers to “fully migrate to HTTPS to avoid future restrictions and fully protect their users.”
The blog post further discusses how developers can enable a warning on all downloads of mixed content to test in the current version of Chrome Canary, and how business and education customers can turn off the site-by-site blocking. .
RELATED Editing Chrome SameSite Cookie Should Result in ‘Modest’ Global Website Disruption