New Google Chrome Feature Will Safeguard Web Browser Against Insecure Downloads
Malware is a major problem and spreads easily through insecure downloads over the web. As such, Google's Chrome browser will begin to block "mixed content downloads" in order to guarantee that HTTPS (SSL secured) pages are only able to download secure files. Google's plan will be rolled out over various upcoming iterations of Chrome.
Hypertext Transfer Protocol Secure (HTTPS) pages are intended to be secure ways to send data over a computer network. However, their security can be compromised by mixed content downloads or non-HTTPS secured transmission of files. Mixed content downloads are vulnerable to attackers and can do major damage to users. The plan is for the Chrome browser to therefore slowly block more and more various forms of mixed content downloads over the next year.
This coming March, Chrome 81 for desktop will print a console message warning about all forms of mixed content downloads. Chrome 82 will be released in April and will warn users about executables like “.exe” and “.apx”. Chrome 83 will be the first version to actually block mixed content downloads. It will block executables and then warn users about mixed content archives and disk images like “.zip” and “.iso”.
Image via Chromium Blog
Insecure images, audio, video, and text files will be the last downloads to be blocked. All mixed content downloads will be blocked in October 2020 with Chrome 86. Android and iOS Chrome users will not see any warnings until the release of Chrome 83. Google noted that they are trying to give developers a little bit of time to update apps and even web properties.
Joe DeBlasio from the Chrome Security team encourages “...developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users.” Google stated that they do plan to add more download restrictions in the future. Tools such as “Let’s Encrypt” could be a great resource for small companies, institutions, and non-profits who do not otherwise have the funding to switch over to HTTPS, which can be a big migration for certain apps.
Google has also begun to restrict third-party cookies with the recently released Chrome 80. Its new scheme to classify cookies is intended to protect user security and privacy while still allowing some targeted advertising. The plan will be rolled out over the next few months and is currently only available to some early adopters.