Google Chrome will soon block insecure downloads on HTTPS pages
Google recently rolled out the Chrome 80 stable update to Android and desktop. As part of the update, Google introduced a number of new features, including the auto-upgrade mixed content feature we learned about back in October last year. This new feature is part of Google’s plan to secure the web with HTTPS. Now, in a bid to make HTTPS pages even more secure, Google Chrome will also block insecure downloads on secure pages soon.
In the blog post, Google claims that insecurely downloaded files are a risk to users’ privacy and security. Such files can easily be swapped out for malware by attackers and they can also be at risk of being read by eavesdroppers. In order to address these risks, the company plans to eventually remove support for insecure downloads in Google Chrome. Blocking insecure downloads on HTTPS pages is the first step Google is taking towards this measure. This is crucial because currently Chrome doesn’t indicate users that their privacy and security are at risk while they’re downloading content on secure pages.
Starting with Chrome 82, which is expected to be released in April 2020, Chrome will gradually start warning users (as seen above) about mixed content downloads. These downloads will be blocked completely at a later stage. This change will first impact file types that pose the most risk to users, like executables, and then address more file types in subsequent releases. Google claims that the gradual rollout is “designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”
At first, Google will roll out these restrictions on mixed content downloads on desktop platforms, starting with Chrome 81. Here’s the detailed timeline for restrictions on desktop platforms:
- In Chrome 81 (released March 2020) and later:
- Chrome will print a console message warning about all mixed content downloads.
- In Chrome 82 (released April 2020):
- Chrome will warn on mixed content downloads or executables (e.e. .exe).
- In Chrome 83 (released June 2020):
- Chrome will block mixed content executables
- Chrome will warn on mixed content archives (.zip) and disk images (.iso).
- In Chrome 84 (released August 2020):
- Chrome will block mixed content executables, archives and disk images
- Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
- In Chrome 85 (released September 2020):
- Chrome will warn on mixed content downloads of images, audio, video, and text
- Chrome will block all other mixed content downloads
- In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
These restrictions will be delayed by one release for Android and iOS users, with warning starting in Chrome 83. Google claims that since mobile platforms have better native protection against malicious files, the delay will give developers a head-start towards updating their websites before users are impacted. Developers can ensure that downloads only use HTTPS in case they don’t want users to ever see a download warning.
Additionally, in the current version of Chrome Canary, or in Chrome 81 once released, developers can also activate a warning on all mixed content downloads for testing by enabling the “Treat risky downloads over insecure connections as active mixed content” flag. Google plans to further restrict insecure downloads in Google Chrome in the future and to this effect, the company has urged developers to fully migrate to HTTPS in order to avoid restrictions.
Source: Google Security Blog