Google Chrome Puts Measures to Protect Users from Insecure Downloads

Jordan Major
2 years ago

On February 6, 2020, Google announced that Chrome would gradually ensure that secure (HTTPS) pages only download secure files. The platform started blocking “mixed content downloads” (non-HTTPS downloads started on secure pages) in a series of steps that it outlined.

The move follows a plan highlighted in October 2019 to begin blocking all insecure subresources on secure pages. Insecurely downloaded files present major risks to users’ privacy and security.

For example, attackers can substitute malware for insecurely downloaded programs. Moreover, eavesdroppers can read unsuspecting users’ insecurely downloaded bank statements.

To solve these challenges, Google plans to eliminate support for insecure downloads in Chrome. The first step targets insecure downloads started on secure pages, since in these cases the privacy and security of unsuspecting Chrome users are at risk.

Chrome will start warning on, and later blocking, mixed content downloads beginning with Chrome 82, which will be released in April 2020. The files that pose the most risk will be targeted first, and subsequent releases will cover more file types.

Image by Joe DeBlasio, Chrome security team.

The continuous rollout is set up to neutralize the worst risks rapidly, enabling developers to update sites and reduce the number of warnings that Chrome users have to see.

Google plans to roll out restrictions on mixed content downloads on desktop platforms first, which include Chrome OS, Windows, Linux, and macOS.

Delays

Chrome announced that it would delay the rollout for iOS and Android users by one release, so warnings on those platforms will start in Chrome 83. Mobile platforms have enhanced native protections against malicious files.

Hence, the delay will enable developers to prepare adequately while updating their sites before focusing on mobile users.

Developers can make sure that users do not see any download warnings by ensuring that downloads only use HTTPS.
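A site owner can check pages for such links before the warnings reach users. The following audit is an added example, not code from Google or from the original article: it lists the `http://` download links on an HTTPS page, resolving relative, protocol-relative and `<base>`-relative URLs first. The `DOWNLOAD_EXTS` list and the `example.com` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Assumption: extensions this audit treats as "probably a download".
# Illustrative only; this is not Chrome's own file-type schedule.
DOWNLOAD_EXTS = {".exe", ".dmg", ".apk", ".msi", ".zip", ".iso", ".pdf", ".docx", ".csv"}

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base_href = None   # first <base href>, if any
        self.found = []         # (raw href, has download attribute)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href")
        if tag == "base" and href and self.base_href is None:
            self.base_href = href
        elif tag in ("a", "area") and href:
            self.found.append((href.strip(), "download" in attrs))

def mixed_content_downloads(page_url, html):
    """Return absolute http:// URLs that a secure page links to as downloads."""
    if urlsplit(page_url).scheme != "https":
        return []  # only downloads started on secure pages are mixed content
    parser = _Links()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href or "")
    hits = []
    for href, has_download in parser.found:
        target = urlsplit(urljoin(base, href))
        ext = posixpath.splitext(target.path)[1].lower()
        if target.scheme == "http" and (has_download or ext in DOWNLOAD_EXTS):
            hits.append(target.geturl())
    return hits

# Constructed sample page (hypothetical example.com URLs).
SAMPLE = """
<a href="http://cdn.example.com/setup.exe">Installer</a>
<a href="//cdn.example.com/manual.pdf">Manual</a>
<a href="/files/statement.csv" download>Statement</a>
<a href="http://legacy.example.com/export" download="report">Report</a>
<a href="http://example.com/about.html">About</a>
"""

if __name__ == "__main__":
    print(mixed_content_downloads("https://www.example.com/downloads/", SAMPLE))
```

A static scan cannot tell whether a server will answer a link with a download, so treat the result as a list of candidates to move to HTTPS.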

In Chrome Canary, or in Chrome 81 once it is released, developers can enable a warning on all mixed content downloads for testing by activating the “Treat risky downloads over insecure connections as active mixed content” flag.

Education and enterprise customers can disable the block on a per-site basis via the existing InsecureContentAllowedForUrls policy. They will do so by adding a pattern that matches the page requesting the download.

It is expected that a further restriction of insecure downloads in Chrome will be implemented in the future. Developers should migrate to HTTPS entirely to avoid any future restrictions and guarantee that they protect their users entirely.
