Chrome may block some high-risk downloads soon
Google plans to integrate new functionality in the company's Chrome web browser to "drive down non-secure downloads" to reduce the impact that malicious downloads have on Chrome users.
The company plans to address HTTP downloads that originate on HTTPS sites specifically.
While a site may use HTTPS, the downloads it links to may still be served over plain HTTP. Users won't notice unless they check the link somehow, e.g. by hovering over it and reading the address shown in the status bar, viewing the page source, or using the browser's developer tools (which most probably won't do).
Affected by the change are certain high-risk file types that malware authors use predominantly to spread malware. Google lists the following file types specifically:
- exe (Windows)
- dmg (Mac OS X)
- crx (Chrome extensions)
- zip, gzip, bzip, tar, rar, and 7z (archive formats)
Chrome would use the Content-Type header of the response or MIME type sniffing to determine the file type of the download, rather than relying on the file extension in the link.
Google considers blocking files that match the high-risk file types if the download is started on an HTTPS site but is served over HTTP instead of HTTPS. Under the current proposal, high-risk downloads linked from HTTP pages won't be blocked, because users are already informed that the site they are on is not secure in that case.
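As an added example (not Google's or Chrome's code), the following JavaScript applies the rule described above to the links on a page: a download is flagged when the page is HTTPS, the download URL is plain HTTP, and the file type is on the high-risk list. The file type is taken from an advisory MIME type where one is available and from the URL's extension otherwise; this is a stand-in for the Content-Type and MIME sniffing Chrome would do on the response itself. The function names, the MIME-to-type mapping and the sample links are assumptions constructed for this example, not from the article.

```javascript
// Added example, not Chrome's code. Flags downloads that would fall under the
// proposed rule: HTTPS page, plain-HTTP download URL, high-risk file type.

// High-risk types from the article, keyed by file extension (normalised names).
const RISKY_EXT = new Map([
  ["exe", "exe"], ["dmg", "dmg"], ["crx", "crx"],
  ["zip", "zip"], ["gz", "gzip"], ["tgz", "gzip"], ["gzip", "gzip"],
  ["bz2", "bzip"], ["bzip", "bzip"], ["tar", "tar"], ["rar", "rar"], ["7z", "7z"],
]);

// Assumed MIME -> type mapping; the article lists file types, not MIME names.
const RISKY_MIME = new Map([
  ["application/x-msdownload", "exe"],
  ["application/vnd.microsoft.portable-executable", "exe"],
  ["application/x-apple-diskimage", "dmg"],
  ["application/x-chrome-extension", "crx"],
  ["application/zip", "zip"],
  ["application/gzip", "gzip"],
  ["application/x-gzip", "gzip"],
  ["application/x-bzip2", "bzip"],
  ["application/x-tar", "tar"],
  ["application/vnd.rar", "rar"],
  ["application/x-rar-compressed", "rar"],
  ["application/x-7z-compressed", "7z"],
]);

// Returns the high-risk type of a download (a URL object plus optional MIME
// type), or null when it is not on the list. MIME wins over the extension,
// mirroring Content-Type taking precedence over the link text.
function highRiskType(url, mimeType) {
  if (mimeType) {
    const mime = mimeType.split(";")[0].trim().toLowerCase();
    if (RISKY_MIME.has(mime)) return RISKY_MIME.get(mime);
  }
  const m = /\.([a-z0-9]+)$/i.exec(url.pathname);
  if (m) {
    const ext = m[1].toLowerCase();
    if (RISKY_EXT.has(ext)) return RISKY_EXT.get(ext);
  }
  return null;
}

// Decides "block" or "allow" for one link. Relative and scheme-relative hrefs
// resolve against the page, so "//cdn.example.test/x.exe" on an HTTPS page
// is itself HTTPS and is allowed.
function classifyDownload(pageUrl, href, mimeType = "") {
  const page = new URL(pageUrl);
  const dl = new URL(href, pageUrl);
  if (page.protocol !== "https:") return "allow"; // HTTP page: already marked not secure
  if (dl.protocol !== "http:") return "allow";    // download is not plain HTTP
  return highRiskType(dl, mimeType) ? "block" : "allow";
}

// Audits anchor-like objects ({href, type}) and returns the absolute URLs of
// the links that would be blocked. In a browser console on the page itself:
//   auditLinks(location.href, document.querySelectorAll("a[href]"))
function auditLinks(pageUrl, anchors) {
  const flagged = [];
  for (const a of Array.from(anchors)) {
    let verdict;
    try {
      verdict = classifyDownload(pageUrl, a.href, a.type || "");
    } catch (e) {
      continue; // unparsable href, nothing to download
    }
    if (verdict === "block") flagged.push(new URL(a.href, pageUrl).href);
  }
  return flagged;
}

// Constructed sample page and links for a stand-alone run (not a real site).
const SAMPLE_PAGE = "https://downloads.example.test/tools";
const SAMPLE_LINKS = [
  { href: "http://mirror.example.test/tool-setup.exe", type: "" },        // block
  { href: "https://mirror.example.test/tool-setup.exe", type: "" },       // allow: HTTPS
  { href: "//mirror.example.test/tool.7z", type: "" },                    // allow: inherits https
  { href: "http://mirror.example.test/download?id=42", type: "application/zip" }, // block via MIME
  { href: "http://mirror.example.test/README.txt", type: "" },            // allow: not high-risk
];

console.log(auditLinks(SAMPLE_PAGE, SAMPLE_LINKS));
```

Run in the developer console of an HTTPS download page, the `auditLinks` call listed in the comment prints exactly the links the proposal would affect; the Microsoft Update Catalog case raised in the comments below is the kind of page where it returns results.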
Google has yet to specify how it plans to integrate the feature in the Chrome browser. It is unclear whether the browser will notify users when a download is blocked, and whether users may bypass the block to download the file regardless.
The team that is responsible for integration in the Chrome browser will focus on desktop versions of Google Chrome as Chrome's Android version already supports protective features against malicious apk files.
Google appears interested in collaboration with other browser makers. A Mozilla spokesperson told ZDNet that it is interested in "exploring these ideas further" and that the "general idea aligns with the steps" that it has taken previously to protect users from "insecurely delivered content".
Mozilla implemented several such protections in previous versions of Firefox already; Firefox has blocked mixed active content (e.g. scripts and frames loaded over HTTP) on HTTPS pages since Firefox 23, for instance.
Now You: Do you check download links before you click on them?
It’s interesting that you specifically use Nirsoft as an example because I have noticed that Windows Defender in particular quite aggressively blocks many applications from the site.
I have used his applications for many years and know they are safe but I also know that there are unsavory characters out there who abuse his software and add it to malware payloads.
In general, I think it is a good idea if Google wants to help prevent malicious payloads but it will be interesting to see how they accomplish this without users being cut off from some very good software out there.
@Julius: “it will be interesting to see how they accomplish this without users being cut off from some very good software out there.”
I think that it’s worth mentioning that if you have a download link, you don’t need to use a browser at all to do the download. There are many download tools independent of browsers that will do the job.
Tell me when Google will block the download of Google Chrome !
That’s anti-competitive practice but that’s probably your point. In this case Chrome blocking HTTP downloads is not anti-competitive, it is designed to reduce the chances you’ll download a hacked program.
If this causes me trouble, I may have to switch to Edge or Opera.
Why not use an un-Googled version of Chrome, or Firefox? Edge and Opera are just as bad as Chrome.
un-Googled Chromium doesn’t auto update and last time I checked, the versions were really outdated, I can’t risk having broken websites or whatever.
Firefox is just slow, bloated and clunky, it never performs as well as Chrome-based browsers for me, also many websites are broken in Firefox, because the web developers only focus on supporting chrome. It’s only a matter of time until Mozilla ends up in the same spot as Opera where they had to abandon the Presto engine, because too many websites were broken in it. Expect Firefox powered by Blink in a couple of years.
Also with the change to Quantum, Firefox has become like a Chrome clone – with customization options reduced, deprecation of support for XUL addons, it really stopped being the once powerful and amazing Firefox so I see no reason to torture myself with that joke and just use some Chrome-based browser instead.
I just checked chromium.woolyss.com and the latest ungoogled chromium isn’t that far behind. My chromebook is using 73.0.3683.88 while the most recent ungoogled is 73.0.3683.86 from March 27th. It’s not that far behind.
Yes, you have to download, unpack and install manually, but I’m not sure that’s too hard a price to pay.
You are correct. Last time I checked, which was a few months ago, the latest version was below 70, something like 68 or something, that’s why I didn’t bother with it.
I also use the Sync feature, which doesn’t seem to work in Ungoogled Chromium, so I can’t really make a full use of it. I also discovered some other discrepancies that made it tedious to use.
The official Chrome may have some “unwanted” features here and there, mainly people being concerned with tracking and whatnot, but it simply works, well, if they start blocking downloads, then it won’t work anymore.
The other browser like Ungoogled Chromium is Firefox – it still struggles to load some websites as fast as Chrome, like youtube.com or reddit.com, and many websites don’t render correctly at all, so I think using Firefox nowadays is a hindrance. Firefox was good before 2009 when they released Firefox 4.0. That’s when it became trash and hasn’t recovered since.
Hardware has caught up and the cost of performance of HTTPS vs HTTP is negligible with modern hardware. The upfront cost should no longer be a hurdle as you can get free SSL certificates. If your hosting provider does not support SSL certificates, consider dropping their ancient ass. HTTPS should be the defacto standard by now.
This sounds entirely reasonable. Good on Chrome!
“Do you check download links before you click on them?”
Always, always, always.
I rarely check the link, rather check the hash and with virus total.
is linked to the recent (for me) behaviour of chrome to mark ALL installers (all virus free and legitimate) as “potentially unsafe” and the options of “discard” and “keep” ..?
and how do I turn this OFF?
I didn’t ask for it, I don’t want it.
Perhaps they should first focus on removing all the malware available to download from their own servers first?
I quit using chrome when they decided to tell me what extensions I could and could not use. Now they want to tell people what they can and cannot download?
I’m no fan of the super-snooper (Google) but can see they want to increase safety for the masses who don’t understand the risks and would download anything from anywhere without a second thought.
One should never rely on just one web browser. Otherwise, eventually, that browser will become less than useful.
Hopefully the authors of Google Chrome don’t go completely paranoid.
I have been following ghacks since my college days.
I am glad to see old look and feel on website again.
Thanks for awesome content.
“Now You: Do you check download links before you click on them?”
Yes. Every single time. I’ll scan the site URL, download link, and then upload the downloaded file, all to VirusTotal. Then to top it off I’ll still scan it with Windows Defender before clicking on it to launch/install.
I have a feeling this will break a few things and annoy some people more than actually being of any help. If you take a look at Linux Mint’s website, many of the download mirrors are HTTP
I had a feeling that authors of Google Chrome would start dictating what to download and what not to, time to migrate to other browsers, such as Vivaldi, Brave and Pale Moon. Christian content hateful. Independent thought racist, hateful and violent.
Opera is an eyesore. Firefox freezes on cue, even after I disabled the extensions, followed and jumped through every hoop, to remedy the issue.
I recommend a minimum of two browsers, I have three installed. When a main browser acts twitchy, time to move to another.
Unless there’s clear evidence this behavior has caused numerous malicious downloads, I think Google needs to find something to do.
Chrome’s a user data collection system, at least that’s what Google calls it, so it’s hard to believe they don’t spend a lot of time coming up with distractions masquerading as security to preserve Chrome’s facade as just a browser.
They want sheeple to feel comfortable with asking Google’s permission in all aspects of their lives.
Of course the ulterior motive is tracking the sites you visit and the file you download.
Like who also uses ‘safe’ browsing? Again it’s about identifying you, monetizing and serving ads.
One of the most unsafe places is porn sites. Yet Google is everywhere there.
Are they gathering dirt to control America’s Social Credit System?
It ain’t all bad though… China’s Social Credit System is throwing people in jail for using Facebook /s
Shouldn’t it be the computer users’ responsibility to not download virus-infected files, e.g. by not downloading pirated music and movies from piracy websites and pre-scanning the downloaded files with an AV program, as per the legal principle of Caveat Emptor?
……. Google may have an ulterior motive or stupid reason for doing this, like how Google wanted to block Adblocker extensions from Chrome.
Don’t downloads from an https link slow down the download considerably, compared to an unencrypted http link? Doesn’t disk encryption slow down the computer considerably?
……. Even if some users think this is a good thing from Google, it should not be the default setting in Chrome.
And exactly why should anybody trust Google to do a fair job of deciding what’s a “high-risk download” and what isn’t? More muzzling of the internet is all it is.
A prominent example of HTTP downloads originating from a HTTPS site is Microsoft’s Windows Update/ Patch/ Hotfix Catalog: https://www.catalog.update.microsoft.com
There, all the linked downloads are served over HTTP, namely: http://download.windowsupdate.com/d/msdownload/update/software/secu/XXXXX.xxx
And if user manually changes the HTTP to HTTPS, the downloads will fail.
Perhaps Microsoft is smirking away in lala land, “Who asked you to change it to HTTPS ? We already said HTTP is ‘secu’ — this is literally written in the downloads’ URLs.”
So will Chromium adopt Google Chrome’s proposed plan to block HTTP-from-HTTPS downloads ? If yes, I suppose Microsoft Chromium-Edge will follow suit.
And this might not be a bad thing, since Microsoft Update Catalog downloads will all break — & Microsoft would have to upgrade its “secu” HTTP downloads, instead of relying on mere words for protection.
2) I do not check the links, I check downloaded archives if I suspect them.
1) I’m already very tired with Google Chrome content warnings, so I want to switch to other browser having none of them.
0) I’d like to see “Bug off!” button on every feature which may want to prevent me doing what I want to do.