Chrome may block some high-risk downloads soon
Google plans to integrate new functionality in the company's Chrome web browser to "drive down non-secure downloads" to reduce the impact that malicious downloads have on Chrome users.
The company plans to address HTTP downloads that originate on HTTPS sites specifically.
While a site may use HTTPS, linked downloads may still use HTTP and not HTTPS. Internet users won't know about that unless they check the link somehow, e.g. by checking the source code or using the browser's developer tools (which most probably won't do).
Affected by the change are certain high-risk file types that malware authors use predominantly to spread malware. Google lists the following file types specifically:
- exe (Windows)
- dmg (Mac OS X)
- crx (Chrome extensions)
- zip, gzip, bzip, tar, rar, and 7z (archive formats)
Chrome would use Content-Type headers or MIME-type sniffing to determine the file type of the download.
Google is considering blocking files that match high-risk file types if the download is started on an HTTPS site but uses HTTP instead of HTTPS for the download itself. High-risk downloads won't be blocked currently if they are linked from HTTP pages, because users are already informed in that case that the site they are on is not secure.
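Site operators can check their own pages for the condition described above before any block ships. The following is an added example, not code from Google or Chrome: it scans the HTML of an HTTPS page for links that resolve to http:// URLs ending in one of the listed file types. It matches on the URL's file extension as an approximation (Chrome would decide from the content-type header or sniffing); the function name, the .gz/.bz2 suffixes and the sample URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Extensions from the list in the article; mapping "gzip"/"bzip" to the
# .gz/.bz2 suffixes is an assumption of this example.
HIGH_RISK_EXT = {".exe", ".dmg", ".crx", ".zip", ".gz", ".gzip", ".bz2",
                 ".bzip", ".tar", ".rar", ".7z"}

class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags and honours the first <base href>."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.base = [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "base" and href and self.base is None:
            self.base = href
        elif tag == "a" and href:
            self.hrefs.append(href)

def insecure_high_risk_downloads(page_url, html):
    """Return resolved http:// links to high-risk file types on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # downloads linked from HTTP pages are out of scope here
    collector = _LinkCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    findings = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(base, href.strip()))  # resolves relative links
        ext = posixpath.splitext(target.path)[1].lower()
        if target.scheme == "http" and ext in HIGH_RISK_EXT:
            findings.append(target.geturl())
    return findings

# Constructed sample page; none of these URLs are real.
SAMPLE_PAGE = """
<a href="http://downloads.example.com/setup.EXE?v=2">Windows installer</a>
<a href="https://downloads.example.com/setup.dmg">Mac image over HTTPS</a>
<a href="//cdn.example.com/tool.zip">protocol-relative, inherits https</a>
<a href="http://downloads.example.com/manual.pdf">PDF, not in the list</a>
<a href="http://mirror.example.net/src/app-1.0.tar.gz">source tarball</a>
"""

if __name__ == "__main__":
    for url in insecure_high_risk_downloads("https://www.example.com/get", SAMPLE_PAGE):
        print("insecure high-risk download:", url)
```

The scan only sees the link as written in the page; an https:// link that redirects to http:// on the server side needs a separate check of the redirect chain.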
Google has yet to specify how it plans to integrate the feature in the Chrome browser. It is unclear if users are notified about the blocking of the download by the browser and whether users may bypass the block to download the file regardless.
The team that is responsible for integration in the Chrome browser will focus on desktop versions of Google Chrome as Chrome's Android version already supports protective features against malicious apk files.
Google appears interested in collaboration with other browser makers. A Mozilla spokesperson told ZDNet that it is interested in "exploring these ideas further" and that the "general idea aligns with the steps" that it has taken previously to protect users from "insecurely delivered content".
Mozilla implemented several protections in previous versions of Firefox already; the organization has blocked insecure content from being loaded on HTTPS sites since Firefox 23, for instance.
Now You: Do you check download links before you click on them?