Google Chrome To Start Blocking HTTP Downloads

Nishi Agrawal
5 min read · Feb 24, 2020

You won’t be able to download certain files on Chrome from mid-2020, reasons are…

Time after time, we’ve seen browser giants make security-related changes that have a major impact on end users and move the web in a safer direction. This time it’s Google, which is leading the effort to block HTTP downloads in the world’s most popular browser, Google Chrome.

Below are the things Google is changing which will be beneficial for the web.

Let’s get started.

Why Block HTTP Downloads?

As we are aware, when you visit a non-HTTPS website, Google Chrome and other major browsers show a “Not Secure” alert. Everyday users are thus warned about the insecure connection so that they avoid sharing sensitive personal information with that website. This has played a key role in raising user awareness and driving adoption of HTTPS.

But that’s not enough.

Consider a site that has an SSL certificate installed yet quietly serves its file downloads over HTTP. Imagine attackers using this gap to inject malware into your system. It’s certainly possible! In technical terms, such a mix of HTTP content on an HTTPS site is referred to as “mixed content.” With a “mixed download”, most users could easily fall for it, because nothing tells them that the download link is HTTP. It’s quite a hole in HTTPS security, and Google has decided to close it by blocking HTTP downloads from HTTPS sites.

What Is Going to Be Blocked?

Chrome 83 (to be released in June 2020) will start blocking “the file types that present the greatest risk to users,” as per Google’s announced plan. These file types include executables such as .exe and .apk. Google will add other file types in successive Chrome releases and eventually block all file types in Chrome 86, to be released in October 2020. So, after October 2020 (if you update Chrome), when you click a download link on an HTTPS page, you won’t be able to access any file that is being served over HTTP.

Remember that users can still download HTTP files if the website itself uses HTTP. This update targets HTTPS sites that use unencrypted HTTP download URLs, where the browser shows that the web page is safe but the download is not.

Google’s 6 Phased Approach to Blocking

Although blocking will start with the arrival of Chrome 83, Google first needs to educate users and also give site owners time to remove mixed content from their sites. That is why Chrome 81 (to be released in March 2020) will print a console warning message about mixed content downloads.

Image source: Google’s Chromium Blog (https://blog.chromium.org/2020/02/protecting-users-from-insecure.html)

Google breaks this rollout, which begins in March, into 6 stages. Google’s outline for desktop platforms (Windows, macOS, Chrome OS, and Linux) is given here:

• Chrome 81 (to be released in March 2020): Chrome will print a console message to warn website admins about all mixed content downloads.

• Chrome 82 (to be released in April 2020): Chrome will start warning users about mixed content downloads of executables (.exe, .apk, etc.) and will print a console warning for all other file types.

• Chrome 83 (to be released in June 2020): This is when the blocking begins. Chrome will start blocking mixed content executables. It will also warn users about mixed content archives (.zip, .iso, etc.). Alerts will start for all other file types.

• Chrome 84 (to be released in August 2020): Chrome will extend its block list to include archives and disk images. Chrome can also alert users about other mixed content file types such as .pdf and .docx. Console warnings will start for images, audio, and video files.

• Chrome 85 (to be released in September 2020): Chrome blocks all files except images, audio, and video. Before downloading those files, users will be shown a warning message.

• Chrome 86 (to be released in October 2020): When you click a download link on an HTTPS website, Chrome will block all content that is served over non-secure HTTP. In other words, Chrome will block all mixed content files.

Graphic source: Google’s Chromium Blog (https://blog.chromium.org/2020/02/protecting-users-from-insecure.html)

On mobile (Android and iOS), Chrome will delay the rollout by one release, which means it will start showing alerts in Chrome 83 rather than Chrome 82.

Does Your Website Have Mixed Content?

This update to Google Chrome will not only force hackers to change their strategy but will also prompt some site owners to take a fresh look at their websites. Many website administrators may not even know what mixed content they have on their sites. Okay, we’re here to help.

To check for mixed content and insecure links on your website, you can go to our “Why No Padlock?” tool and get all mixed content links at your fingertips. Once you know what mixed content you have on your site, you can move it to HTTPS to protect your website.
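
As an added illustration (not part of the original article and not the tool mentioned above), the following script lists the HTTP download links on an HTTPS page and the first desktop Chrome release that blocks each one under the schedule above. The extension sets, the sample markup and the example.com hosts are assumptions, and the Chrome 84 item is read as covering archives and disk images.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# (category, first desktop Chrome release that blocks it, assumed extensions)
CATEGORIES = [
    ("executable", 83, {".exe", ".apk"}),
    ("archive", 84, {".zip", ".iso"}),
    ("media", 86, {".png", ".jpg", ".gif", ".mp3", ".mp4"}),
]
OTHER = ("other", 85)              # everything else, e.g. .pdf, .docx
PAGE_LIKE = {"", ".html", ".htm"}  # assumed to be navigation, not a download

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def find_mixed_downloads(page_url, html):
    """Return (url, category, blocked_from) for HTTP downloads on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # downloads linked from plain-HTTP pages are not affected
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(urljoin(page_url, href))  # resolves relative and //host links
        ext = splitext(parts.path)[1].lower()
        if parts.scheme == "http" and ext not in PAGE_LIKE:
            match = next(((n, v) for n, v, exts in CATEGORIES if ext in exts), OTHER)
            findings.append((parts.geturl(), *match))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample markup for an HTTPS downloads page.
SAMPLE = """<a href="http://cdn.example.com/setup.EXE">Installer</a>
<a href="//cdn.example.com/tools.zip">Tools</a>
<a href="http://cdn.example.com/manual.pdf">Manual</a>
<a href="http://cdn.example.com/demo.mp4">Video</a>
<a href="/files/app.apk">Android app</a>
<a href="http://example.com/about.html">About</a>"""

for url, category, version in find_mixed_downloads("https://example.com/downloads", SAMPLE):
    print(f"Chrome {version}+ blocks {category} download: {url}")
```

Relative and protocol-relative links inherit the page's HTTPS scheme, so only the explicit http:// file links are reported, ordered by how soon Chrome blocks them.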

Concluding Words

While Google has put a great deal of effort into getting vulnerable websites to migrate to HTTPS and into raising user awareness of HTTPS, I have always thought that mixed content was an aspect that needed addressing. Google has now cracked down on mixed content downloads, and this will clearly mark a milestone in improving privacy and security on the web. We hope and expect that other browsers will follow the same pattern to ensure user privacy and security.

Nishi Agrawal

Management student and digital marketing enthusiast interested in web security and Internet topics. Young mind with creative thinking capabilities.