Security News > 2020 > February > Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this
Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP. "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a Twitter thread. "An eavesdropper can see what a user is downloading, or an active attacker can swap the download for a malicious one."
"We hope to stop all unsafe downloads, but Chrome doesn't currently tell users on HTTPS pages that their downloads are insecure. That's weird! Users expect that what they do on secure pages to be... well secure! So we're blocking these downloads first."
Specifically, Google is going after mixed content, resources like files, images, and scripts that get loaded over insecure HTTP connections from a webpage that has been served over a secure HTTPS link.
Consistently insecure content - files served via HTTP from HTTP websites - are not affected by this change; only HTTPS sites will lose the ability to provide files via HTTP to Chrome users.
In August, insecure executables and archives get blocked by default and other types of insecurely served files will prompt download warnings.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/07/google_chrome_blocking/
Related news
- New details reveal how hackers hijacked 35 Google Chrome extensions (source)
- Google Chrome is making it easier to share specific parts of long PDFs (source)
- Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking (source)
- Google Chrome's AI-powered security feature rolls out to everyone (source)
- Google Chrome disables uBlock Origin for some in Manifest v3 rollout (source)
- Google to kill Chrome Sync on older Chrome browser versions (source)