{"id":7243,"date":"2020-02-10T13:55:00","date_gmt":"2020-02-10T13:55:00","guid":{"rendered":"https:\/\/gtechbooster.com\/?p=7243"},"modified":"2026-01-03T15:26:17","modified_gmt":"2026-01-03T15:26:17","slug":"chrome-to-block-http-downloads","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/chrome-to-block-http-downloads\/","title":{"rendered":"Chrome to block HTTP downloads"},"content":{"rendered":"\n

Google Chrome will soon restrict certain files, like PDFs or \nexecutables, from being downloaded via an HTTP connection \u2013 even if they\n are loaded on HTTPS webpages.<\/p>\n\n\n\n

\"\"<\/a><\/div><\/div>

HTTPS indicates that a website has an encrypted connection. When connecting to an HTTP website, browsers merely look up the IP address and send data over to it in clear text. When using an HTTPS website, on the other hand, the browser checks that it has a legitimate SSL certificate before sending data in encrypted form \u2013 preventing man-in-the-middle (MiTM) attacks and more.<\/p>\n\n\n\n

With Chrome 56\u2019s 2018 release, Chrome cracks down on sites that don’t use encryption<\/strong> ie. HTTP websites with an \u201cinsecure\u201d warning label in the navigation bar. However, just because websites use an HTTPS connection does not guarantee that they are safe from all threats. For example, phishing landing pages can easily make use of SSL certificates. Similarly, HTTPS websites can still serve up images, scripts or other file types that are downloaded using the less-secure HTTP connection.<\/p>\n\n\n\n

Starting in Chrome 82, set to be released in April, Google wants to \nuproot this issue by first warning users of, and later blocking, \u201cmixed \ncontent downloads,\u201d over HTTP, which could consist of HTTP executables \n(such as .exe and .apk files), archives (like .zip or .iso files), \nmultimedia files (such as .png, .mp3 files) and all other \u201cnon-safe\u201d \ntypes (.pdf, .docx, etc.).<\/p>\n\n\n\n

\"Chrome<\/a>
Chrome HTTP Blocking Chart<\/figcaption><\/figure><\/div>\n\n\n\n

\u201cInsecurely-downloaded files are a risk to users\u2019 security and privacy,\u201d said Joe DeBlasio, with the Chrome Security Team, in a Thursday post<\/a>. \u201cFor instance, insecurely downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users\u2019 insecurely downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.\u201d<\/p>

\"\"<\/a><\/div><\/div>\n\n\n\n

Google, which first dropped proposals<\/a>\n around this idea last April, has outlined a roadmap to eventually ban \nthe files downloads in question over the next seven months. Starting \nwith Chrome 82, Google Chrome will first merely warn users if they are \ndownloading executables using an HTTP connection \u2013 then, with Chrome 83 \n(June 2020) the browser will begin to block them. It will do the same \nwith other mixed content downloads until blocking everything in Chrome \n86, set to be released September 2020.<\/p>\n\n\n\n

\u201cFile types that pose the most risk to users (e.g., executables) will\n be impacted first, with subsequent releases covering more file types,\u201d \naccording to DeBlasio. \u201cThis gradual rollout is designed to mitigate the\n worst risks quickly, provide developers an opportunity to update sites,\n and minimize how many warnings Chrome users have to see.\u201d<\/p>\n\n\n\n

The gradual rollout will also give developers a head start toward fully migrating to HTTPS by ensuring that downloads on their websites also use HTTPS connections. Google also said that in the current version of Chrome Canary (Google\u2019s web browser aimed for developers) and in Chrome 81 (once it\u2019s released), developers can activate a warning on all mixed content downloads for testing by enabling the \u201cTreat risky downloads over insecure connections as active mixed content\u201d flag at [chrome:\/\/flags\/#treat-unsafe-downloads-as-active-content].<\/p>\n\n\n\n

Fausto Oliveira, principal security architect at Acceptto, told Threatpost the move is a \u201cgood idea.\u201d<\/p>\n\n\n\n

\u201cWe have been using HTTPS as the de facto standard for web pages, however, annoyingly some implementations such as those mentioned by Google (i.e. banking statements) come to your browser unencrypted,\u201d he said. \u201cThis allows anyone in the middle to have access to confidential data. I hope that this move by Google leads to other browsers following and also blocking the download of files from unencrypted connections.\u201d<\/p> Fausto Oliveira, principal security architect at Acceptto <\/cite><\/blockquote>\n\n\n\n

More Information<\/h2>\n\n\n\n