Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Chrome Will Block Insecure Downloads on HTTPS Pages

In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced.

The plan, which the Internet giant laid out this week, is expected to be completed sometime in the fall, when Chrome 86 arrives.

In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced.

The plan, which the Internet giant laid out this week, is expected to be completed sometime in the fall, when Chrome 86 arrives.

The announcement comes just days after the release of Chrome 80, which by default blocks mixed audio and video resources if they cannot be automatically upgraded to HTTPS. The same will happen with image files in Chrome 81, which is expected to be released to the stable channel in March 2020.

In the long term, Google’s plan is to block all insecure subresources on secure pages, as they represent a risk for users. Files that are downloaded insecurely could be replaced by attackers with malware, or exposed to eavesdroppers.

“To address these risks, we plan to eventually remove support for insecure downloads in Chrome,” the Internet giant says.

In the initial phase, the focus is on insecure downloads started on secure pages, and the first step is to display warnings. The restrictions for mixed content downloads, Google says, will be pushed to all desktop platforms first.

Executable files will be impacted first, with Chrome 82 displaying a warning on them and Chrome 83 blocking them.

Next in line will be archives and disk image files (a warning in Chrome 83 and blocked starting with Chrome 84), followed by other non-safe file types such as PDF and Word documents (a warning in Chrome 84 and blocking in Chrome 85).

Advertisement. Scroll to continue reading.

Chrome 85 will warn of mixed content downloads of images, audio, video, and text, and will block all other mixed content downloads, while Chrome 86, which is expected to arrive in the stable channel in October 2020, will completely block all mixed content downloads.

“Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users,” Google says.

To ensure their users never see a download warning, developers should ensure that all files are served over HTTPS only.

For testing purposes, developers can already activate a warning on all mixed content downloads in the current version of Chrome Canary, or in Chrome 81 once released. For that, they need to enable the “Treat risky downloads over insecure connections as active mixed content” flag at chrome://flags/#treat-unsafe-downloads-as-active-content.

For enterprises and educational institutions, Google provides an option to disable blocking on a per-site basis via the InsecureContentAllowedForUrls policy, by adding a pattern that matches the page that requests the insecure download.

“In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users,” Google concludes.

Related: Chrome 80 Released With 56 Security Fixes

Related: Google Halts Publishing of Paid Chrome Extensions Due to Fraud

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...