Google announced in a blog post today that it is taking the next step toward protecting users from insecure downloads.
Over the last couple of years, more and more websites have adopted HTTPS to secure their traffic. One remaining attack vector is a file download that is served insecurely from an otherwise secure website.
“For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements,” the post reads.
As a result, Google is planning to gradually start blocking “mixed content downloads,” or insecure downloads from secure pages.
“As a first step, we are focusing on insecure downloads started on secure pages,” the post continues. “These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
“Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”
Starting with Chrome 82 (released April 2020), the desktop version will begin showing warnings when it encounters executable mixed content downloads, and it will step up the warnings and the blocking with each subsequent release. By Chrome 86 (released October 2020), all mixed content downloads will be blocked. Because mobile platforms inherently provide a greater degree of security, Google plans to wait until Chrome 83 to implement warnings on iOS and Android.
This is another good step by the world’s biggest browser maker to help keep users safe and secure.
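For site owners who want to find affected links before the warnings arrive, here is a small audit sketch. It is an added example, not code from Google or Chrome. The extension tiers, the `find_mixed_downloads` name and the sample page are assumptions made for illustration, and a static scan like this cannot see downloads triggered by redirects or response headers.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Assumed tiers for illustration only; these are not Chrome's real file-type lists.
HIGH_RISK = {".exe", ".msi", ".dmg", ".apk", ".crx"}
OTHER_FILES = {".zip", ".iso", ".pdf", ".docx", ".csv", ".png", ".mp4"}

class _Links(HTMLParser):
    """Collect <a href> targets and the first <base href> of a page."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []  # (href, has_download_attribute)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"].strip(), "download" in a))

def find_mixed_downloads(page_url, html):
    """Return [(absolute_url, tier)] for http:// file links on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # "mixed content" only exists relative to a secure page
    parser = _Links()
    parser.feed(html)
    # A <base href="http://..."> silently downgrades every relative link.
    base = urljoin(page_url, parser.base) if parser.base else page_url
    findings = []
    for href, has_download in parser.links:
        target = urlsplit(urljoin(base, href))
        if target.scheme != "http":
            continue  # https, protocol-relative on an https page, mailto:, etc.
        ext = posixpath.splitext(target.path)[1].lower()
        if ext in HIGH_RISK:
            findings.append((target.geturl(), "high"))
        elif ext in OTHER_FILES or has_download:
            findings.append((target.geturl(), "other"))
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """
<a href="http://downloads.example.com/setup.exe">Installer</a>
<a href="https://downloads.example.com/setup.exe">Installer (secure)</a>
<a href="http://cdn.example.com/statement.pdf" download>Statement</a>
<a href="http://www.example.com/about">About</a>
<a href="//cdn.example.com/tool.msi">Tool</a>
"""
```

Calling `find_mixed_downloads("https://www.example.com/get", SAMPLE)` reports the insecure installer as `high` and the statement as `other`; the fix in each case is to serve the file over HTTPS.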