Security News > 2020 > February > Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this
Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP. "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a Twitter thread. "An eavesdropper can see what a user is downloading, or an active attacker can swap the download for a malicious one."
"We hope to stop all unsafe downloads, but Chrome doesn't currently tell users on HTTPS pages that their downloads are insecure. That's weird! Users expect that what they do on secure pages to be... well secure! So we're blocking these downloads first."
Specifically, Google is going after mixed content, resources like files, images, and scripts that get loaded over insecure HTTP connections from a webpage that has been served over a secure HTTPS link.
Consistently insecure content - files served via HTTP from HTTP websites - are not affected by this change; only HTTPS sites will lose the ability to provide files via HTTP to Chrome users.
In August, insecure executables and archives get blocked by default and other types of insecurely served files will prompt download warnings.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/07/google_chrome_blocking/
Related news
- Google Chrome gets a mind of its own for some security fixes (source)
- Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense (source)
- New Google Chrome feature will translate complex pages in real time (source)
- New Octo Android malware version impersonates NordVPN, Google Chrome (source)
- Google fixes ninth Chrome zero-day exploited in attacks this year (source)
- Google fixes ninth Chrome zero-day tagged as exploited this year (source)
- Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild (source)
- Google tags a tenth Chrome zero-day as exploited this year (source)
- Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation (source)
- Google increases Chrome bug bounty rewards up to $250,000 (source)