Chrome to start blocking insecure HTTP file downloads from HTTPS sites

Adam Bannister February 10, 2020 at 14:26 UTC

Updated: May 11, 2020 at 07:56 UTC

HTTPS padlock gives users a false sense of security when downloading files

Chrome will begin blocking HTTP downloads started on secure web pages (HTTPS) – known as “mixed content downloads” – as part of a phased rollout culminating with the release of Chrome 86 in October.

In an article posted to the Google Security Blog last week, Joe DeBlasio of the Chrome Security Team discusses how mixed content downloads of executables such as .exe – the most common vehicles for malware – would initially be stuck in june version of Chrome 83.

Download restrictions, which were first set in April 2019, will then expand to include archives (.zip) and disk images (.iso) in Chrome 84, which is slated to roll out in August, and then other mixed content besides images, audio, video, and text in Chrome 85 in September.

In Chrome 86 and beyond (released October 2020), Chrome will block all downloads of mixed content.

Google launches gradual rollout of mixed content downloads

Positive confidence indicators

Although encrypted HTTPS sites are inherently more secure than HTTP sites, if they host files downloaded using the HTTP protocol, they could still put users at risk.

Google is acting out of fears that many users will see “HTTPS” and the accompanying padlock in a site’s address bar as indicators that all files available for download on the page will also be secure.

“All unsecured downloads are bad for privacy and security,” DeBlasio said in a Twitter feed explaining the movement. “A spy can see what a user is downloading, or an active attacker can trade the download for a malicious download.”

Speaking to the developers, the security engineer added, “Think of it as a mixed content block, but for downloads. You cannot upload unsecured content to your HTTPS page, nor should you upload unsecured files.

Gradual deployment

Chrome 81 (which will also be removing support for TLS) will kick off the rollout in March with a console message warning about mixed content downloads.

The changes will take effect a later version for Android and iOS mobile platforms, which would have “better native protection” against malicious files.

Learn about the latest browser security news

“This phased rollout is designed to quickly mitigate the worst risks, give developers the ability to update sites and minimize the number of warnings Chrome users see,” DeBlasio said.

He also urged developers to “fully migrate to HTTPS to avoid future restrictions and fully protect their users.”

The blog post further discusses how developers can enable a warning on all downloads of mixed content to test in the current version of Chrome Canary, and how business and education customers can turn off the site-by-site blocking. .

RELATED Editing Chrome SameSite Cookie Should Result in ‘Modest’ Global Website Disruption

Sam D. Gomez