Chrome may block some high-risk downloads soon - gHacks Tech News

ADVERTISEMENT

Chrome may block some high-risk downloads soon

Google plans to integrate new functionality in the company's Chrome web browser to "drive down non-secure downloads" to reduce the impact that malicious downloads have on Chrome users.

The company plans to address HTTP downloads that originate on HTTPS sites specifically.

While a site may use HTTPS, linked downloads may still use HTTP and not HTTPS. Internet users won't know about that unless they check the link somehow, e.g. by checking the source code or using the browser's developer tools (which most probably won't do).

not secure website
Nirsoft runs a HTTP and HTTPS site side by side.

Affected by the change are certain high-risk file types that malware authors use predominantly to spread malware. Google lists the following file types specifically:

  • exe (Windows)
  • dmg (Mac OS X)
  • crx (Chrome extensions)
  • zip, gzip, bzip, tar, rar, and 7z (archive formats)

Chrome would use content-type headers or mime-type sniffing to determine the file type of the download.

Google considers blocking files that match high-risk file types if the downloads are started on a HTTPS site but use HTTP for the download and not HTTPS. High-risk downloads won't be blocked currently if the downloads are linked from HTTP pages because users are already informed that the site they are on is not secure in that case.

Google has yet to specify plans on how it plans to integrate the feature in the Chrome browser. It is unclear if users are notified about the blocking of the download by the browser and whether users may bypass the block to download the file regardless.

The team that is responsible for integration in the Chrome browser will focus on desktop versions of Google Chrome as Chrome's Android version already supports protective features against malicious apk files.

Google appears interested in collaboration with other browser makers. A Mozilla spokesperson told ZDnet that it is interested in "exploring these ideas further" and that the "general idea aligns with the steps" that it has taken previously to protect users from "insecurely delivered content".

Mozilla implemented several protections in previous versions of Firefox already; the organization blocks insecure content from being loaded on HTTPS sites since Firefox 23 for instance.

Now You: Do you check download links before you click on them?

Summary
Chrome may block some high-risk downloads soon
Article Name
Chrome may block some high-risk downloads soon
Description
Google plans to integrate new functionality in the company's Chrome web browser to "drive down non-secure downloads" to reduce the impact that malicious downloads have on Chrome users.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

  1. Julius said on April 11, 2019 at 3:29 pm
    Reply

    It’s interesting that you specifically use Nirsoft as an example because I have noticed that Windows Defender in particular quite aggressively blocks many applications from the site.

    I have used his applications for many years and know they are safe but I also know that there are unsavory characters out there who abuse his software and add it to malware payloads.
    https://www.us-cert.gov/ncas/alerts/TA18-201A

    In general, I think it is a good idea if Google wants to help prevent malicious payloads but it will be interesting to see how they accomplish this without users being cut off from some very good software out there.

    1. John Fenderson said on April 11, 2019 at 6:12 pm
      Reply

      @Julius: “it will be interesting to see how they accomplish this without users being cut off from some very good software out there.”

      I think that it’s worth mentioning that if you have a download link, you don’t need to use a browser at all to do the download. There are many download tools independent of browsers that will do the job.

  2. stefann said on April 11, 2019 at 4:20 pm
    Reply

    Tell me when Google will block the download of Google Chrome !

    1. Anonymous said on April 11, 2019 at 11:48 pm
      Reply

      That’s anti-competitive practice bu that’s probably your point. In this case Chrome blocking HTTP downloads is not anti-competitive, it is designed to reduce the chances you’ll get download hacked program.

  3. Allwynd said on April 11, 2019 at 4:26 pm
    Reply

    If this causes me trouble, I may have to switch to Edge or Opera.

    1. Anonymous said on April 12, 2019 at 3:57 am
      Reply

      Why not use an un-Googled version of Chrome, or Firefox? Edge and Opera are just as bad as Chrome.

      1. Allwynd said on April 12, 2019 at 9:42 am
        Reply

        @Anonymous,

        un-Googled Chromium doesn’t auto update and last time I checked, the versions were really outdated, I can’t risk having broken websites or whatever.

        Firefox is just slow, bloated and clunky, it never performs as well as Chrome-based browsers for me, also many websites are broken in Firefox, because the web developers only focus on supporting chrome. It’s only a matter of time until Mozilla ends up in the same spot as Opera where they had to abandon the Presto engine, because too many websites were broken in it. Expect Firefox powered by Blink in a couple of years.

        Also with the change to Quantum, Firefox has become like a Chrome clone – with customization options reduced, deprecation of support for XUL addons, it really stopped being the once powerful and amazing Firefox so I see no reason to torture myself with that joke and just use some Chrome-based browser instead.

      2. Coriy said on April 12, 2019 at 3:37 pm
        Reply

        I just checked chromium.woolyss.com and the latest ungoogled chromium isn’t that far behind. My chromebook is using 73.0.3683.88 while the most recent ungoogled is 73.0.3683.86 from March 27th. It’s not that far behind.
        Yes, you have to download, unpack and install manually, but I’m not sure that’s too hard a price to pay.

      3. Allwynd said on April 13, 2019 at 7:28 pm
        Reply

        @Coriy,

        You are correct. Last time I checked, which was a few months ago, the latest version was below 70, something like 68 or something, that’s why I didn’t bother with it.

        I also use the Sync feature, which doesn’t seem to work in Ungoogled Chromium, so I can’t really make a full use of it. I also discovered some other discrepancies that made it tedious to use.

        The official Chrome may have some “unwanted” features here and there, mainly people being concerned with tracking and whatnot, but it simply works, well, if they start blocking downloads, then it won’t work anymore.

        The other browser like Ungoogled Chromium is Firefox – it still struggles to load some websites as fast as Chrome, like youtube.com or reddit.com and many websites don’t render correctly at all so I think using Firefox nowadays is a hinderance. Firefox was good before 2009 when they released Firefox 4.0. That’s when it became trash and hasn’t recovered since.

  4. Marcus Buttfikler said on April 11, 2019 at 4:51 pm
    Reply

    Hardware has caught up and the cost of performance of HTTPS vs HTTP is negligible with modern hardware. The upfront cost should no longer be a hurdle as you can get free SSL certificates. If your hosting provider does not support SSL certificates, consider dropping their ancient ass. HTTPS should be the defacto standard by now.

  5. John Fenderson said on April 11, 2019 at 6:10 pm
    Reply

    This sounds entirely reasonable. Good on Chrome!

    “Do you check download links before you click on them?”

    Always, always, always.

    1. SHA256 said on April 11, 2019 at 10:07 pm
      Reply

      I rarely check the link, rather check the hash and with virus total.

  6. Khai said on April 11, 2019 at 6:37 pm
    Reply

    is linked to the recent (for me) behaviour of chrome to mark ALL installers (all virus free and legitimate) as “potentially unsafe” and the options of “discard” and “keep” ..?

    and how do I turn this OFF?

    I did’nt ask for it, I don’t want it.

  7. Dave said on April 11, 2019 at 7:08 pm
    Reply

    Perhaps they should first focus on removing all the malware available to download from thier own servers first?

    I quit using chrome when they decided to tell me what extensions I could and could not use. Now they want to tell people what they can and cannot download?

    1. Anonymous said on April 11, 2019 at 11:58 pm
      Reply

      I’m no fan of the super-snooper (Google) but can see they want to increase safety for the masses who don’t understand the risks and would download anything from anywhere without a second thought.

  8. pHROZEN gHOST said on April 11, 2019 at 7:28 pm
    Reply

    One should never rely on just one web browser. Otherwise, eventually, that browser will become less than useful.

    Hopefully the authors of Google Chrome don’t go completely paranoid.

  9. ankurk91 said on April 11, 2019 at 7:45 pm
    Reply

    Hey Martin,

    I have been following ghacks since my collage days.
    I am glad to see old look and feel on website again.

    Thanks for awesome content.

  10. Bobby Phoenix said on April 11, 2019 at 7:48 pm
    Reply

    “Now You: Do you check download links before you click on them?”

    Yes. Every single time. I’ll scan the site URL, download link, and then upload the downloaded file, all to VirusTotal. Then to top it off I’ll still scan it with Windows Defender before clicking on it to launch/install.

  11. Yuliya said on April 12, 2019 at 12:01 am
    Reply

    I have a feeling this will break a few things and annoy some people more than actually being of any help. If you take a look at Linux Mint’s website, many of the download mirrors are HTTP
    imgur.com/xaC3eqt

  12. Barry said on April 12, 2019 at 12:24 am
    Reply

    I had a feeling that authors of google chrome would start dictating what to download and what not to, time to migrate to other browsers, such as Vivaldi, brave and pale moon. Christian content hateful. Independent thought racist, hateful and violent.

    Opera is an eyesore. Firefox freezes on cue, even after when I disabled the extensions, followed and jump through every hoop, to remedy the issue.

    I recommend a minimum of two browsers, I have three installed. When a main browser act twitchy, time to move to another.

  13. ULBoom said on April 12, 2019 at 2:21 am
    Reply

    Unless there’s clear evidence this behavior has caused numerous malicious downloads, I think google needs to find something to do.

    Chrome’s a user data collection system, at least that’s what google calls it, so it’s hard to believe they don’t spend a lot of time coming up with distractions masquerading as security to preserve chrome’s facade as just a browser.

  14. Shane said on April 12, 2019 at 3:28 am
    Reply

    They want sheeple to feel comfortable with asking Google’s permission in all aspects of their lives.
    Of course the ulterior motive is tracking the sites you visit and the file you download.
    Like who also uses ‘safe’ browsing? Again its about identifying you, monetizing and serving ads.

    One of the most unsafe places is porn sites. Yet Google is everywhere there.
    Are they gathering dirt to control America’s Social Credit System?

    Its ain’t all bad though…China’s Social Credit System is throwing people in jail for using Facebook /s

  15. AnorKnee Merce said on April 12, 2019 at 8:32 am
    Reply

    Shouldn’t it be the computer users’ responsibility to not download virus-infected files, eg by not downloading pirated music and movies from piracy websites and pre-scanning the download files with an AV program, as per the legal principle of Caveat Emptor.?
    ……. Google may have an ulterior motive or stupid reason for doing this, like how Google wanted to block Adblocker extensions from Chrome.

    Doesn’t downloads from https link slow down the download considerably, compared to an unencrypted http link.? Doesn’t disk encryption slow down the computer considerably.?
    ……. Even if some users think this is a good thing from Google, it should not be the default setting in Chrome.

  16. John C. said on April 12, 2019 at 10:02 am
    Reply

    And exactly why should anybody trust Google to do a fair job of deciding what’s a “high-risk download” and what isn’t? More muzzling of the internet is all it is.

  17. Cigologic said on April 13, 2019 at 1:09 am
    Reply

    A prominent example of HTTP downloads originating from a HTTPS site is Microsoft’s Windows Update/ Patch/ Hotfix Catalog: https://www.catalog.update.microsoft.com

    There, all the linked downloads are served over HTTP, namely: http://download.windowsupdate.com/d/msdownload/update/software/secu/XXXXX.xxx

    And if user manually changes the HTTP to HTTPS, the downloads will fail.

    Perhaps Microsoft is smirking away in lala land, “Who asked you to change it to HTTPS ? We already said HTTP is ‘secu’ — this is literally written in the downloads’ URLs.”

    So will Chromium adopt Google Chrome’s proposed plan to block HTTP-from-HTTPS downloads ? If yes, I suppose Microsoft Chromium-Edge will follow suit.

    And this might not be a bad thing, since Microsoft Update Catalog downloads will all break — & Microsoft would have to upgrade its “secu” HTTP downloads, instead of relying on mere words for protection.

  18. RPWheeler said on April 13, 2019 at 1:36 pm
    Reply

    2) I do not check the links, I check downloaded archives if I suspect them.
    1) I’m already very tired with Google Chrome content warnings, so I want to switch to other browser having none of them.
    0) I’d like to see “Bug off!” button on every feature which may want to prevent me doing what I want to do.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.