Google began laying out its plan back in October 2019 to gradually allow only secure sub-resources to load on secure HTTPS pages. The firm was referring to mixed content, such as scripts or images that are loaded insecurely over HTTP on an otherwise HTTPS page. This poses a security risk, since malicious content could be served through such sources even on secure pages. With the release of Chrome 80, the firm began auto-upgrading mixed audio and video content where possible, or notifying users of such content through a notification in the Omnibox.
The next step that the search giant is taking to protect users on secure sites is to eventually block insecure downloads in Chrome. The firm announced that it will gradually begin warning users when content is being downloaded insecurely from a secure website. It has also provided a timeline of which kinds of content it plans to warn about and block with each future release of the browser.
Insecure downloads in Chrome are currently not flagged to the user. The firm says that “Insecurely-downloaded files are a risk to users' security and privacy”. Therefore, beginning with Chrome 82, which will be released sometime in April 2020, the firm will begin warning users about potentially harmful, insecurely downloaded executables such as .exe and .apk files. Such files will be blocked entirely in subsequent releases. Other types of mixed content, such as archives, documents, and media files, will follow.
The Mountain View company aims to roll out these restrictions on desktop platforms such as Windows, macOS, Chrome OS, and Linux first. It says that it will delay the rollout of this feature for Android and iOS users by one release since mobile OSes have “better native protection against malicious files”. This means that the warnings on those platforms will begin with Chrome 83.
Developers are being urged to begin migrating their downloads to HTTPS. Currently, on Chrome Canary, developers can enable a warning for all mixed-content downloads for testing. Enterprise and Education users can disable the blocking on a per-site basis.
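As an added example (not from the article or from Google), the following Python script scans a page's HTML for links that Chrome would treat as mixed-content downloads, so a developer can find them before the warnings and blocks land. The extension groups are an assumed mapping of the article's categories, and the page URL and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Assumed extension groups for the file types named in the article's rollout order.
CATEGORIES = {
    "executable": (".exe", ".apk"),
    "archive": (".zip", ".rar", ".7z", ".tar.gz"),
    "document": (".pdf", ".doc", ".docx", ".xls", ".xlsx"),
    "media": (".mp3", ".mp4", ".wav", ".avi"),
}

def classify(path):
    """Map a URL path to one of the article's download categories, or None."""
    for category, extensions in CATEGORIES.items():
        if path.lower().endswith(extensions):
            return category
    return None

class LinkCollector(HTMLParser):
    """Collect every href from <a> tags on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def find_mixed_downloads(page_url, html):
    """Return (absolute_url, category) for links that are mixed-content downloads."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an HTTPS page can have mixed content at all
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        # Relative and protocol-relative hrefs inherit HTTPS; only plain-HTTP targets count.
        target = urljoin(page_url, href)
        parts = urlsplit(target)
        category = classify(parts.path)  # path only: query strings are ignored
        if parts.scheme == "http" and category:
            findings.append((target, category))
    return findings

# Constructed sample page: the first and last links are mixed-content downloads.
SAMPLE_HTML = """
<a href="http://cdn.example.test/setup.exe">Installer</a>
<a href="/files/report.pdf">Report (same origin, stays HTTPS)</a>
<a href="//cdn.example.test/tool.zip">Tool (protocol-relative, stays HTTPS)</a>
<a href="http://cdn.example.test/index.html">Plain page, not a download</a>
<a href="http://cdn.example.test/song.mp3?v=2">Song</a>
"""
```

Calling `find_mixed_downloads("https://www.example.test/downloads", SAMPLE_HTML)` flags only the installer and the song; the same HTML served from a plain-HTTP page yields nothing, because there is no mixed content without a secure parent page.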