Google Chrome will block all "insecure downloads" in the near future
Google plans to block all insecure downloads in coming versions of the company's Google Chrome browser. Insecure downloads, in Google's definition, are downloads that are initiated from an HTTPS page but delivered over plain HTTP. The change won't affect sites that are still accessed via HTTP.
The change is the next step in Google's plan to block "all insecure subresources on secure pages", which it announced last year. Back then, Google declared that mixed content, another term for insecure content on secure websites, "threatens the privacy and security of users", as attackers could modify the insecure content, e.g. by tampering with "a mixed image of a stock chart to mislead investors" or injecting "a tracking cookie into a mixed resource load".
Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
Google will introduce the change gradually starting in Chrome 81 on the desktop. First, the browser will only display warnings in the Developer console to get the attention of developers working on sites with insecure downloads.
In Chrome 82, a warning will be displayed if executable files are downloaded via HTTP but the blocking is not enforced at this point. Executable files such as .exe or .apk fall into that category.
Starting in Chrome 83, the browser will block insecure executable downloads outright and display a warning if archives are downloaded via HTTP.
Then in Chrome 84, insecure executable downloads and archive downloads are blocked, and a warning is displayed for "all other non-safe types" such as pdf or docs.
In Chrome 85, these non-safe types are blocked as well, and warnings are displayed for media and text files.
Finally, in Chrome 86, all insecure downloads are blocked in the browser.
Google will delay the roll-out on the Android and iOS versions of Chrome by one release, which means that warnings for insecure executable file downloads are displayed in Chrome 83 on those systems, not in Chrome 82.
Administrators may use the flag chrome://flags/#treat-unsafe-downloads-as-active-content to disallow downloads of unsafe files right away when Chrome 81 gets released (as well as in development versions of the web browser).
All it takes is to enable the flag and restart the browser to do so.
Enterprise and education customers may override the blocking on a per-site basis by using the InsecureContentAllowedForUrls policy.
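As an added illustration of the schedule above (not Chrome's own code), this Python script takes the HTML of an HTTPS page and reports which HTTP-served download links a given Chrome version would warn on or block, including the one-release lag on Android and iOS. The extension lists, hostnames and sample HTML are constructed assumptions; the article only names a few example types per category.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed extension lists for the categories named in the rollout (the article
# only gives .exe/.apk, archives, pdf/docs and media/text as examples).
CATEGORIES = {
    "executable": (".exe", ".apk", ".msi"),
    "archive": (".zip", ".rar", ".7z", ".tar.gz"),
    "other": (".pdf", ".doc", ".docx"),
    "media_text": (".mp3", ".mp4", ".png", ".txt"),
}
# Desktop schedule from the article: (first version that warns, first that blocks).
# Files outside the named categories are caught only by the Chrome 86 block-all step.
SCHEDULE = {
    "executable": (82, 83), "archive": (83, 84), "other": (84, 85),
    "media_text": (85, 86), "unclassified": (None, 86),
}

def categorize(url):
    path = urlsplit(url).path.lower()
    return next((c for c, ext in CATEGORIES.items() if path.endswith(ext)), "unclassified")

def chrome_action(page_url, href, chrome_version, mobile=False):
    """Return 'allowed', 'warn' or 'block' for a link on page_url. Only the mixed case
    (HTTPS page, HTTP target) is affected; Chrome 81's console-only warnings are not modelled."""
    target = urljoin(page_url, href)  # resolve relative and scheme-relative links
    if not (urlsplit(page_url).scheme == "https" and urlsplit(target).scheme == "http"):
        return "allowed"
    warn_at, block_at = SCHEDULE[categorize(target)]
    if mobile:  # Android and iOS trail the desktop rollout by one release
        block_at += 1
        warn_at = None if warn_at is None else warn_at + 1
    if chrome_version >= block_at:
        return "block"
    if warn_at is not None and chrome_version >= warn_at:
        return "warn"
    return "allowed"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit(page_url, html, chrome_version, mobile=False):
    """List (href, action) for each link the given Chrome version would not silently allow."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, a) for h in collector.hrefs
            if (a := chrome_action(page_url, h, chrome_version, mobile)) != "allowed"]

SAMPLE_PAGE = "https://example.test/downloads"  # constructed sample, not a real site
SAMPLE_HTML = """<a href="http://cdn.example.test/setup.exe">Installer</a>
<a href="http://cdn.example.test/source.tar.gz">Source</a>
<a href="https://cdn.example.test/setup.exe">Installer (HTTPS mirror)</a>
<a href="/readme.txt">Readme (same origin)</a>"""
```

Running `audit(SAMPLE_PAGE, SAMPLE_HTML, 86)` flags only the two HTTP links; the HTTPS mirror and the same-origin relative link are unaffected at every version.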
Now You: What is your take on the change?
This is just another step in Google’s plan to completely control the internet. Ultimately, they will be blocking you from downloading any file that threatens either their, or any of their buddies’ bottom lines. Mark my words. And this is yet another reason I would never touch Google Chrome with a barge pole. Never used it, NEVER will!
When, oh when, will Google finally be broken up and/or shut down for being the corrupt, evil jerks that they are.
Did you read the article & understand what is happening, or check the title and proceed to comment?
HTTP downloads on an HTTPS page will be blocked. HTTP on HTTP or HTTPS on HTTPS will work as expected.
I understood it but I’d prefer to make my own choices rather than have Google make them for me.
Blocking dodgy downloads by default is fine as long as one can override the default as needed. Doing this puts 1 step in the way of getting a dodgy file.
I don’t use Chrome either, but this change seems fine. Now, if ultimately they block you from downloading any file they don’t like, as you think they eventually will, that definitely *won’t* be fine, but that’s not what the article describes.
I’m worried about Chrome’s monopoly over the web, too (Which is even bigger if one considers Chromium and all the Chromium and Blink based browsers), and don’t recommend people use Chrome as their daily driver (Firefox for Windows and Firefox for Android are better on both platforms, and are based on their own Gecko engine, not Blink, and aren’t a Chromium spin-off or fork), but this specific change, as described in the article, sounds like a very small thing to improve safety that will impact very few sites that keep themselves updated.
Honestly, the only scenario I can think of off the top of my head where this may be widely problematic is https webforums that allow users to embed http images in their posts (Or vice-versa). Other than that, a site is either able to get an https certificate or it isn’t, and it’d display either way (Albeit with warnings if it’s http- but we already knew that, that part isn’t this change), it just needs to either put all of its resources on https if it has done it for the site overall, or make all its resources http if its site is still http (Although any site that can get an https certificate at this point really should).
Google seems to just be trying to make it so it’s clear whether a site is https or http, so if a user checks it and Chrome says it’s secure, it’s not insecure as they navigate around (Probably not thinking to check again), and if they say it’s insecure, it’s insecure (Though, of course, I’m describing insecure here as http rather than https, and it’s not like all http sites are malware or something, just as I’m describing https as secure, but it’s not secure in an absolute sense, of course).
@John: Chromium is open source.
Not in Google’s eyes! Google messes with non-Google Chrome browsers too! A browser will be useless if the user can do what he wants! And who is Google to tell the user what to do or not to do! Judge, jury & executioner all in one? Google blocks VPN users too! Google isn’t your friend and doesn’t respect privacy rights whatsoever! In fact Google was the first to invade user privacy; the others just follow!
They’re putting sponsored results inside Google Maps now too. Google cannot be trusted.
This can only be seen as a good thing.
I agree. This is ridiculous. I think Google should be put out of business for their lack of ethics!
Man. Good thing I moved to Edgium….
After deciding what search they censor or not, hiding of complete URLS and now deciding what file is safe for me?
Thanks, but no thanks!
Since Edge is a fork of Chromium, what makes you think that Edge and all other Chromium forks like Opera, Vivaldi, Brave, etc. will not get affected by this too?
Manifest V3, which Chrome plans to implement in the future and which will limit what ad-blocking extensions can block and possibly allow ads to come through, is said to affect all Chromium forks as it’s deep in the code. If that’s true, then Edge will suffer from it as well.
Only time will tell if these two things will affect Chromium forks.
Big companies can still code their stuff. Also I use adguard :)
See below. You should move to Firefox instead
Firefox wouldn’t even exist if they didn’t sell users’ data to Google for funding. So using Firefox isn’t much better.
still, the user again gets dumbed down. this way, you’ll never educate mature users. look at the States and what softwashing in aspects of everyday life has done to the people.
they get dumb(er). it’s a direct conclusion from how our brain works. it adapts. if it’s not needed it reduces its power – you get the idea of the downward spiral, don’t you?
if you push ppl and encourage them to use their brain, ppl get smarter – a typical darwin effect.
i don’t think we need google to tell us what’s safe or not. what we need are educated users.
don’t be sheep, be shepherd.
Still waiting for the “promised” but never delivered, general roll out of DNS-over-HTTPS, which was promised on Chrome 78 (but never delivered).
Thank God Firefox is my primary browser, & Google is my backup browser (used pretty much only for Reddit, which I rarely visit. I’m not installing an extension [Reddit Enhancement Suite] for one website & I’m not setting up an account for a website that engages in censorship).
@notanon: FF is only slightly less nefarious.
Google trying to be The Internet Rulers, nothing new here.
Google is a horrid company that I don’t trust and never recommend, but I partially agree with them on this particular decision.
It’s concerning how many HTTPS sites still deliver important content via HTTP. Government sites are still the #1 offender in many regions.
What always surprises me is how many software developers have HTTPS sites, but deliver their executables via HTTP.
Also several filter lists (often used by popular tools like AdGuard and uBlock Origin) still deliver their content via HTTP. A simple injection of a modified filter list can wreak havoc. The changes enforced by the Google Overlords will not help with this at all.
Another step by Google towards killing user choice. I have no doubt that this feature will be used to prevent people from downloading torrents and pirated software.
I’m not a Chrome fan, I’m just asking.
For me as a non-techie, what it looks like Google is doing here is banning http resources and downloads from loading in their Chrome browser via https sites.
If you’re using torrent software (i.e. not your browser), this shouldn’t impact you at all. If you are doing some sort of browser based piracy, and your favorite pirate site can acquire an https certificate for its main site, it should be able to acquire one for the content, too, right? If it can’t acquire one at all, it’s on http and this change doesn’t affect it, because it only deals with *mixed* http/https content; all one way or the other should stay the same (Although, fair warning, if you’re using http and not https, you’re basically doing your piracy out in the open and may get a letter from the copyright holders- or not.).
Granted, I could see how pirate sites might have trouble acquiring https certificates, which means mainstream browsers moving to showing http sites as insecure might have affected some piracy sites (Although so far, at least in Firefox, you can still view http sites as before, there is just a red slash through the box to the left of the URL bar to show that it’s insecure- so it doesn’t actually block you from old sites [In general, not piracy specific] that haven’t transferred to https, it just uses a small graphic to warn you off. Not sure about Chrome.), but that’s not this specific change. That’s something else you can be mad with Chrome about. ;)
Another idiotic comment. First of all you don’t download torrents with a browser, you use torrent clients for downloading them. If you mean the old torrent files which link to the real torrent, I have news for you. Magnet links are all you need, no need to download anything. Apart from that, since when is Google against piracy? In reality they allow it until they get a DMCA notice and are obligated by the law to remove piracy links and illegal uploads. They could do much more against piracy but these asshats don’t care about piracy because it doesn’t affect their business model.
Wouldn’t it be a better solution to require all downloads of executable files to have a SHA-256 or SHA-512 hash posted and/or a PGP signature? And this implemented by a security standard hashed out by the appropriate sanctioning bodies? All content on a page, whether http or https, hashed and checked server side before going live? Is it that difficult to write a script to do this? Too resource intensive/excess server load? Someone who is more knowledgeable please expand on this.
Having it checked server side is moot if the server is run by a malicious entity, that’s after you consider the time taken to hash large files. All this complexity to further infantilize end users and take away control from them. How about ‘use your brains when surfing the net and take responsibility for what you download’?
The existing setup works fine for those who really care. Download the file over HTTP (caching can be implemented for large files with HTTP unlike HTTPS, certificates cost money and there’s no use depending on centralized ‘free’ services like Let’s Encrypt which could very well be bought out or disappear) and verify the hash after that. Like I said earlier, neither hashing nor HTTPS are a magic bullet against hostile server operators. The hash of a malware file will verify perfectly fine, and getting an HTTPS certificate is trivial for a malicious site operator.
This WILL cause issues for legitimate downloads.
I agree with you. I tried downloading a game made with Blender called Yo Frankie, which I know is legit and it was blocked. PITA to download using chrome too!
I don’t get what all the fuss in the comments is about; it is not like they will outright be blocking downloads, only downloads from secure sites that are served insecurely. For sites that aren’t poorly implemented, nothing will change.
@fuj1n: “only downloads from secure sites that are served insecurely”
That’s what the fuss is about. This is stripping users of the choice of downloading from such sites. Doing that is not a legitimate role for a web browser. Warn the user? Sure! Prevent users from deciding for themselves what amount of risk they’re willing to tolerate? That’s a strong “nope”.
Whether they are served from http or https shouldn’t matter, it’s the integrity of the file (md5/sha hashes and similar). Not all websites should be forced to require an SSL certificate, especially as they introduce into the download process a chain of trust that can be revoked (worse than Apple’s notarization process).
This change will result in developers releasing minimalist ‘launcher’ apps that can directly download, install and update whatever they want, free from the interference of browser makers.
This might actually be Microsoft’s sites given their recent track records.
Oh, wait. That might actually be a good thing!!!!!!
it’s the basic underlying attitude that’s important. trying to remove responsibility from users and managing everything for them just creates dumber users in the long run. see what softwashing has done to ppl in the states.
> What is your take on the change?
This is far, far too heavy-handed. Warning is fine and appropriate. Blocking is not.
“This is far, far too heavy-handed. Warning is fine and appropriate. Blocking is not.”
Exactly. Don’t heed the warning? That is on the user… a flat-out block is controlling the user for the benefit of Google and their buds.
FF should also adopt it.
Nah, keep your fascis$ browser to yourself. I don’t want a browser to babysit me.
Of course Google has to add some standard text about user privacy and security turning yet another change into parody. All things Google are related to ad revenue, including how well their user ad data collector software, aka Chrome, works.
There’s still a lot of mixed content around regardless of all the “studies” claiming it’s as rare as three legged dogs. HTTP downloads from HTTP sites, not being mixed are OK but HTTP from HTTPS is automatically assumed to be thermonuclear dangerous?
If a site has a HTTP version and many do, try Tor for your download.
I think this is a good move which should be applied to all browsers. This is in fact dealing with mixed content but extended to downloads.
I don’t see why an https site would propose to download files from an http only address.
In the same way, I cannot accept mixed content even be it passive (such as images). If the site is secured then it has to assume it till the last byte.
Firefox natively blocks active mixed content: security.mixed_content.block_active_content is true.
Firefox does not natively block passive mixed content: security.mixed_content.block_display_content is false.
I set security.mixed_content.block_display_content to true. Issue on some sites: their problem.
Some sites handle well the fact that they are accessible securely yet provide http only links, for instance shoutcast.com: it is accessible via https but also via http. https is fine for the site’s homepage, but on its streaming radio page, directory.shoutcast.com, either you open it with https, but several radio streams called on http channels won’t make it IF you’ve set security.mixed_content.block_display_content to true (as I did), or you open it with http only and have no issues ever, whatever the security.mixed_content.block_display_content value.
A counter-example is radio.garden which tolerates no http: https only, great?
Except that if you’ve set security.mixed_content.block_display_content to true you’ll miss many streams. So I consider radio.garden’s security policy as half-baked. It should follow shoutCAST’s example.
Many sites are now accessible via https given it’s becoming imperative mainly because of Google’s zeal (and I won’t criticize that very point), but those same sites for some if not for many seem to have operated the switch in a hurry without considering implications. I suggest they start moving, professionally.
Good thing I downgraded and blocked updates after they removed a bunch of stuff from the right click menu.
Fucking hell, I wish I could make my own browser that focused on performance, customization, and retaining features.
I can’t be the only person not paranoid about security. There’s nothing someone could get from hacking me. Only a keylogger could really do anything.
I don’t save passwords, credit cards, or anything like that. I don’t have an active antivirus but my weekly scan never picks up more than a couple small things.
I don’t know what the fuck people do to get in so much trouble online.
Blocking non-encrypted png or mp3 downloads has little to do with the security of the download itself, it’s just part of the Google campaign to aggressively enforce https use everywhere on the web. Google is less concerned about our security than they are about them being the only ones able to exploit commercially the data they have access to, and the government serving their interests and whose interests they serve having an advantage on others in worldwide mass surveillance on all internet data, because they have the main internet service endpoints under their jurisdictions, together with the main man-in-the-middle reverse proxies (Cloudflare monopoly), the main certificate authorities, the main operating systems, etc. which means that encryption is irrelevant for them if they really want to know something.
We could think of this as Google having their interests aligned with ours in restricting those who can spy on us to a smaller set, and often it will be true. But consider that when an imperialist power can intercept all the communications of a country they are invading or are organizing a coup in while the more legitimate government of this country can’t see anything, it can sometimes benefit the oppressors more than the people.
Strange thing is that I start to be convinced that Google is not trying to advise me with notifications like “this download could do this and that to your system” but directly states that they know better than me what’s good for me.
So is it strange that the only conclusion is that we are on the way to being only allowed to download Google-approved products (read: where they’re making money)?
Copy download URL, paste it into a new tab. Done. Problem solved.
Eh, slight inconvenience, at most.
Another Google plan to dictate what content can be hosted! Stop being evil google!
Yes they are going to block your malware evil malware providers. You are so done!
>sorry you can’t download youtube video
>this mp4 file is “unsafe”