Google Protecting users from insecure downloads in Google Chrome


    Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.

    Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.

    As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

    Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.

    We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:



    • In Chrome 81 (released March 2020) and later:
      • Chrome will print a console message warning about all mixed content downloads.
    • In Chrome 82 (released April 2020):
      • Chrome will warn on mixed content downloads of executables (e.g. .exe).
    • In Chrome 83 (released June 2020):
      • Chrome will block mixed content executables.
      • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
    • In Chrome 84 (released August 2020):
      • Chrome will block mixed content executables, archives and disk images.
      • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
    • In Chrome 85 (released September 2020):
      • Chrome will warn on mixed content downloads of images, audio, video, and text.
      • Chrome will block all other mixed content downloads.
    • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.


    Example of a potential warning

    Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.

    Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.

    Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.

    In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.


    Posted by Joe DeBlasio, Chrome Security team


    Source: Chromium Blog: Protecting users from insecure downloads in Google Chrome
    Brink's Avatar Posted By:
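
The desktop schedule from the announcement above, written out as an added JavaScript example (not code from the Chromium post or from Chrome itself) that site owners can use to inventory insecure download links on an HTTPS page. The extension-to-category lists and the example.com URLs are constructed assumptions, since the post names only .exe, .zip and .iso; the check looks at link URLs only and models the desktop timeline.

```javascript
// Added example. Extension lists are assumptions; the post names only .exe, .zip, .iso.
const CATEGORY_BY_EXT = new Map([
  ['exe', 'executable'], ['msi', 'executable'],
  ['zip', 'archive'], ['iso', 'archive'],            // archives and disk images
  ['png', 'media'], ['mp3', 'media'], ['mp4', 'media'], ['txt', 'media'],
]);

// First desktop Chrome version that warns on / blocks each category (from the post).
const SCHEDULE = {
  executable: { warn: 82, block: 83 },
  archive:    { warn: 83, block: 84 },
  other:      { warn: 84, block: 85 },
  media:      { warn: 85, block: 86 },               // image, audio, video, text
};

function categoryOf(url) {
  const ext = url.pathname.split('.').pop().toLowerCase();
  return CATEGORY_BY_EXT.get(ext) || 'other';
}

// Returns 'allow', 'console', 'warn' or 'block' for one link on a page.
function treatment(pageUrl, href, chromeVersion) {
  const page = new URL(pageUrl);
  let target;
  try { target = new URL(href, page); } catch { return 'allow'; } // unparsable href
  const mixed = page.protocol === 'https:' && target.protocol === 'http:';
  if (!mixed || chromeVersion < 81) return 'allow';
  const { warn, block } = SCHEDULE[categoryOf(target)];
  if (chromeVersion >= block) return 'block';
  if (chromeVersion >= warn) return 'warn';
  return 'console';   // message in the developer console only, nothing shown to the user
}

// Inventory the <a href> links of a page (regex scan; adequate for an audit list).
function auditPage(pageUrl, html, chromeVersion) {
  const findings = [];
  for (const m of html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)) {
    const result = treatment(pageUrl, m[1], chromeVersion);
    if (result !== 'allow') findings.push({ href: m[1], result });
  }
  return findings;
}
// Constructed sample page served from https://www.example.com/get
const SAMPLE_HTML = `
  <a href="http://downloads.example.com/setup.exe">Installer</a>
  <a href="http://downloads.example.com/backup.zip">Archive</a>
  <a href="/files/report.pdf">Report</a>
  <a href="http://media.example.com/song.mp3">Song</a>`;
console.log(auditPage('https://www.example.com/get', SAMPLE_HTML, 84));
```

Links reported as 'console' today become 'warn' and then 'block' in later releases, so every finding is a link to move to HTTPS.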

  1. Golden's Avatar
    Posts : 1,646
    Windows 10 Pro x64
       #1

    Great news

  2. NMI's Avatar
    NMI
    Posts : 799
    Windows 10 Pro, Version 20H2
       #2

    What's "print a console message warning" when translated from GoogleSpeak, since it's distinct from "warn"?

  3. Phone Man's Avatar
    Posts : 1,343
    Windows 10 Pro 1909 64 bit
       #3

    It will be interesting to see if MS Edge does the same. I am assuming that this is a feature in the Chromium builds which Chrome and Edge both use.

    Jim

  4. Steve C's Avatar
    Posts : 6,667
    Windows 10 Pro 64 bit
       #4

    Do these changes make Chrome more secure than Edge?

  5. Golden's Avatar
    Posts : 1,646
    Windows 10 Pro x64
       #5

    Steve C said:
    Do these changes make Chrome more secure than Edge?
    If this is only available in Chrome, then yes. It's not clear at this stage whether this will be implemented for all Chromium-based browsers.

  6. pietcorus2's Avatar
    Posts : 1,756
    Windows 10 Pro x64
       #6

    Not good for privacy at all!
    May we, please, decide for ourselves what to download and what not? Very annoying when "your" browser will decide what you may download and what not; they are cutting away one of the few things left ...

  7. cyberloner's Avatar
    Posts : 14
    Windows 10 LTSC 2019
       #7

    block download mp3 ... lol

  8. NMI's Avatar
    NMI
    Posts : 799
    Windows 10 Pro, Version 20H2
       #8

    pietcorus2 said:
    Not good for privacy at all!
    Privacy is the main reason for requiring all downloads to be via HTTPS!

  9. pietcorus2's Avatar
    Posts : 1,756
    Windows 10 Pro x64
       #9

    "block download mp3 ... lol" ... what do you mean, not able to download mp3 anymore?


 