Google Takes Steps To Block Insecure Web Downloads on Chrome
Starting in April, Google will implement a process to warn users of its Chrome browser about potentially insecure Web site downloads.
This effort will kick off with Chrome version 82, which will start warning users about insecure executable files on sites, a Thursday Google announcement explained. The warnings about executable files are just the first in a series. Eventually, future Chrome browser releases will distrust and block all insecure content downloads.
Other file types on Web sites pose security risks. Future Chrome browser releases also will warn end users about archive files and document files, as well as image, audio and video files.
Chrome users first will get warnings about the insecure files. Later, site downloads will get blocked. Here's Google's schedule on when those actions will occur for desktop operating system users:
The schedule will run a little later for Android and iOS mobile OS users. It'll be off by one Chrome version release.
Google had explained the security issue back in October as a sort of "mixed messages" problem, where HTTPS connections also rely on content that's downloaded via the less secure HTTP protocol:
HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users' privacy and security.
The mixed use of protocols creates a confused security state for browsers. It also can be exploited by attackers. For instance, misleading investment stock charts can be added to seemingly secure Web sites or tracking cookies can be injected, Google explained.
Site developers can avoid the coming warnings and blocks for Chrome users by ensuring that only the HTTPS protocol is used for downloads. It's possible to test turning on these warnings with the current Chrome Canary test version of the browser.
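As an added illustration (not code from Google or from this article), a site developer could audit a page's markup for the insecure references described above. The sketch below flags http:// links and media sources on a page served over HTTPS and groups them by the file categories the article lists; the extension map, the function names and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Assumed extension-to-category map for illustration; not Chrome's own list.
CATEGORIES = {
    "executable": {".exe", ".msi", ".dmg", ".apk"},
    "archive": {".zip", ".tar", ".gz", ".7z", ".iso"},
    "document": {".pdf", ".doc", ".docx", ".xls", ".xlsx"},
    "image": {".png", ".jpg", ".jpeg", ".gif"},
    "audio": {".mp3", ".wav", ".ogg"},
    "video": {".mp4", ".webm", ".mov"},
}
URL_ATTRS = {"a": "href", "img": "src", "audio": "src", "video": "src", "source": "src"}

def classify(url):
    """Map a URL's file extension to a category, or 'other'."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return next((name for name, exts in CATEGORIES.items() if ext in exts), "other")

class InsecureRefFinder(HTMLParser):
    """Collect http:// references made from a page served over https://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host) URLs
        target = urljoin(self.page_url, value.strip())
        if urlparse(target).scheme == "http":
            self.findings.append((tag, classify(target), target))

def find_insecure_refs(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # the mixed-content problem only applies to HTTPS pages
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; hosts and files are made up.
SAMPLE = """<a href="http://downloads.example.test/setup.exe">Installer</a>
<a href="/files/manual.pdf">Manual</a> <a href="//cdn.example.test/bundle.zip">Zip</a>
<img src="http://img.example.test/chart.PNG">
<video><source src="http://media.example.test/intro.mp4"></video>"""
print(find_insecure_refs("https://www.example.test/get", SAMPLE))
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the three explicit http:// references are reported.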
Blocking can be disabled at sites, but doing so runs contrary to Google's direction, which is to "further restrict insecure downloads in Chrome."
Back in October, Google had indicated that Chrome version 80 would start permitting mixed images to load in browsers, but users would see a "Not Secure" message in the browser's "omnibox" up top. Chrome 80 also was said back then to compel the loading of audio and video files via HTTPS, blocking downloads that failed.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.