Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this
2020-02-07 20:44

Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP. "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a Twitter thread. "An eavesdropper can see what a user is downloading, or an active attacker can swap the download for a malicious one."

"We hope to stop all unsafe downloads, but Chrome doesn't currently tell users on HTTPS pages that their downloads are insecure. That's weird! Users expect that what they do on secure pages to be... well secure! So we're blocking these downloads first."

Specifically, Google is going after mixed content: resources such as files, images, and scripts that are loaded over insecure HTTP connections from a webpage that has been served over a secure HTTPS link.

Consistently insecure content - files served via HTTP from HTTP websites - is not affected by this change; only HTTPS sites will lose the ability to provide files via HTTP to Chrome users.

In August, insecure executables and archives will be blocked by default, and other types of insecurely served files will prompt download warnings.
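For site owners who want to find affected links before the change lands, the following added example (not from the article or from Chrome) scans a page's HTML for download links that would count as mixed content and labels each with the August behaviour described above. The extension lists, the rule for telling a download from ordinary navigation, and all host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Assumed, shortened extension lists for illustration; not Chrome's own lists.
EXECUTABLE_OR_ARCHIVE = {".exe", ".msi", ".dmg", ".zip", ".tar", ".gz", ".iso"}
PAGE_LIKE = {"", ".html", ".htm"}  # treated as navigation, not a download

class LinkCollector(HTMLParser):
    """Collects (href, has_download_attribute) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"].strip(), "download" in attrs))

def audit_downloads(page_url, html):
    """Return [(absolute_url, verdict)] for insecure downloads linked from a page."""
    if urlsplit(page_url).scheme != "https":
        return []  # HTTP page serving HTTP files: not affected by the change
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, forced_download in collector.links:
        target = urljoin(page_url, href)  # resolves relative and //host/ links
        parts = urlsplit(target)
        ext = splitext(parts.path)[1].lower()
        if parts.scheme != "http" or (ext in PAGE_LIKE and not forced_download):
            continue
        verdict = "block" if ext in EXECUTABLE_OR_ARCHIVE else "warn"
        findings.append((target, verdict))
    return findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<a href="http://downloads.example.test/setup.exe">Installer</a>
<a href="//cdn.example.test/tool.zip">Protocol-relative, inherits https</a>
<a href="http://files.example.test/notes.txt" download>Notes</a>
<a href="/manual.pdf">Same-origin, inherits https</a>
<a href="http://www.example.test/about.html">Plain navigation</a>
"""

if __name__ == "__main__":
    for url, verdict in audit_downloads("https://www.example.test/get", SAMPLE_HTML):
        print(f"{verdict:5} {url}")
```

A static scan like this only sees the URLs written in the markup, so it cannot account for redirects or for response headers that turn a link into a download.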


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/07/google_chrome_blocking/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 996 4899 2857 1622 10374