Browser Watch: Google Chrome to Block HTTP Downloads

Starting mid-2020, you won’t be able to download certain files on Chrome — here’s why

Time after time, we’ve witnessed browser giants making security-related decisions that have a significant impact on end-users, taking the web in a more secure direction. This time it’s Google, who has announced a plan to block HTTP downloads in Google Chrome, the most popular browser in the world.

Here’s what Google is changing, and why it’s a good thing for the web.

Let’s hash it out.

Why Block HTTP Downloads?

As we know, Google Chrome and other major browsers show a “Not Secure” warning when you visit a non-HTTPS website. This way, everyday users are informed about the insecure connection so that they (hopefully) don’t exchange any critical information with that website. This has played a pivotal role in driving user awareness and HTTPS adoption.

However, that’s not enough.

What if there’s a website that has an SSL certificate installed on it, but is quietly serving its file downloads via HTTP? What if hackers use this opening to inject malware into your system? It’s certainly a possibility! In technical terms, such a mixture of HTTP content on an HTTPS website is referred to as “mixed content.” And most users could easily fall for a “mixed download,” as nothing tells them that the download link is HTTP. It’s definitely a hole in HTTPS security, and Google has decided to fill it by blocking HTTP downloads from HTTPS websites.

What Is Going to Be Blocked?

According to Google’s announced plan, Chrome 83 (to be released in June 2020) will begin blocking “the file types that pose the most risk to users.” These file types include executable files such as .exe and .apk. In subsequent Chrome releases, Google will include other file types and, ultimately, block all file types in Chrome 86, which is to be released in October 2020. So, after October 2020 (if you update Chrome), you won’t be able to download any file that is being served over HTTP if you click the download link from an HTTPS URL.

Note that if a website uses HTTP, users can still download HTTP files. This update targets HTTPS sites that use HTTP download URLs, because the browser is showing the site to be secure but the download actually isn’t secure.

Google’s Six-Phased Approach to Blocking

Although the blocking process will be initiated with the release of Chrome 83 (to be released in June 2020), Google first wants to educate users and also give time for website owners to remove mixed content from their websites. That’s why Chrome 81 (to be released in March 2020) will provide a console warning message about all mixed content downloads.

This process, which begins in March, has been divided into six phases by Google. Here’s the outline given by Google for desktop platforms (Windows, macOS, Chrome OS, and Linux):

  • Chrome 81 (to be released in March 2020) — Chrome will print a console message to warn webmasters
    about all mixed content downloads.
  • Chrome 82 (to be released in April 2020) — Chrome will start warning users about mixed content
    downloads of executables (.exe, .apk, etc.) and print a console warning for all
    other types of files.
  • Chrome 83 (to be released in June 2020) — This is when the blocking phase will begin. Chrome
    will begin blocking mixed content executables. Also, it’ll warn users on mixed
    content archives (.zip, .iso, etc.). Console warning messages for all other
    types of files will continue.
  • Chrome 84 (to be released in August 2020) — Chrome will expand its blocklist to archives
    and disk images. On other mixed content file types such as .pdf and .docx files,
    Chrome will display a warning to the users. For images, audio, and video files,
    console warnings will continue.
  • Chrome 85 (to be released in September 2020) — Chrome will block all files except images,
    audio, and video files. A warning message will be shown to users before
    downloading these files. 
  • Chrome 86 (to be released in October 2020) — Chrome will block all content being served
    on non-secure HTTP when you click the download link via an HTTPS website. In
    other words, Chrome will block all mixed content downloads.

For mobile phones (Android and iOS), Chrome will delay the rollout by one release. This means that it’ll start showing warnings in Chrome 83, instead of Chrome 82.

Does Your Website Have Mixed Content?

This Google Chrome update will not only force hackers to rethink their strategy; some legitimate website owners, too, will have to take a new look at their sites. Many website administrators might not even be aware of what mixed content they have on their website. Well, we’re here to help you out.

To check for mixed content/insecure links on your website, you can go to our “Why No Padlock?” tool and get all mixed content links at your fingertips. Once you know what mixed content you have on your site, you can migrate it to HTTPS to secure your website. Check out our blog post “How to Find and Fix Mixed Content Warnings on HTTPS Sites” for tips on how to switch content to fully HTTPS.

Screenshot of our “Why No Padlock?” tool.
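
If you’d rather audit a page yourself, here is a small script, added as an example and not taken from Google or from the “Why No Padlock?” tool, that lists the HTTP file links on an HTTPS page and maps each one to the desktop Chrome release that warns about it and the one that blocks it, following the six-phase outline above. The extension lists, the “page-like” heuristic and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# Desktop schedule from the article: category -> (Chrome version that warns, version that blocks).
SCHEDULE = {"executable": (82, 83), "archive": (83, 84), "other": (84, 85), "media": (85, 86)}
# Extension sets are assumptions for illustration, not Chrome's real lists.
EXTENSIONS = {
    "executable": {".exe", ".apk"},
    "archive": {".zip", ".iso"},
    "media": {".png", ".jpg", ".mp3", ".mp4"},
}
PAGE_LIKE = {"", ".html", ".htm", ".php"}  # heuristic: treated as navigation, not a download


class LinkCollector(HTMLParser):
    """Collects the href of every <a> element."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def find_mixed_downloads(page_url, html):
    """Return (url, category, warn_version, block_version) for HTTP file links on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # per the article, downloads started from HTTP pages are not affected
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)  # resolves relative and protocol-relative links
        ext = splitext(urlsplit(target).path)[1].lower()
        if urlsplit(target).scheme != "http" or ext in PAGE_LIKE:
            continue
        category = next((c for c, exts in EXTENSIONS.items() if ext in exts), "other")
        findings.append((target, category, *SCHEDULE[category]))
    return findings


# Constructed sample page, assumed to be served from https://example.com/downloads/
SAMPLE_HTML = """
<a href="http://cdn.example.com/setup.exe">Installer</a>
<a href="//cdn.example.com/tools.zip">Tools</a>
<a href="manual.pdf">Manual</a>
<a href="http://files.example.com/Guide.PDF?v=2">Guide</a>
<a href="http://example.com/about.html">About</a>
"""
```

Relative and protocol-relative links inherit the page’s HTTPS scheme, so only the two explicit http:// file links in the sample are reported.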

Final Word

Although Google has put in extensive efforts to get insecure websites to switch to HTTPS and to raise user awareness regarding HTTPS, I always felt that mixed content was a dimension that needed to be addressed. Google has now come down on mixed content downloads, and this will surely mark a milestone in enhancing privacy and security on the internet. We hope and expect other browsers to follow suit to protect user privacy and security.


*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/browser-watch-google-chrome-to-block-http-downloads/