Google Chrome: block insecure downloads option in development
Google is working on introducing a new security option in its Chrome web browser that will block insecure downloads when enabled.
Most of the Web has migrated to HTTPS, but there is still a sizeable number of sites and services that use HTTP or support it. HTTP is considered insecure, and browsers like Chrome display warnings when sites or apps are loaded that use HTTP.
Several browsers have introduced functionality to try HTTPS when they encounter HTTP connections. What started as an extension by the EFF is now being integrated into more and more browsers.
Google calls it "always use secure connections". The option, which is disabled by default, is found under Settings > Privacy and Security > Security. Mozilla calls it HTTPS-Only Mode and many other browsers support similar functionality.
Chrome already blocks mixed content downloads by default, for example, when a download is served via HTTP on an HTTPS site.
9to5Google discovered a new commit that suggests that Google is working on extending the functionality. Google plans to add support for blocking insecure downloads to the feature. When enabled, this would block any download that originates from an HTTP source, even if it is just used as a redirect in a chain of connections.
Google highlights all three scenarios in which the new feature would block downloads on Google Source:
- The page with the download link is insecure.
- The final URL that is used is insecure.
- Any redirect is insecure.
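
The three conditions can be checked against a recorded redirect trace, for example to audit a site's own download links. The following is an added example, not code from Chrome or from the commit; the function names, reason labels and sample URLs are constructed for illustration.

```javascript
// Added example: models the three conditions listed above.
// Not Chrome's implementation; names and sample data are assumptions.

// Turn the Location header values of a recorded trace into absolute URLs.
function resolveChain(startUrl, locations) {
  const chain = [new URL(startUrl)];
  for (const loc of locations) {
    // Relative and protocol-relative ("//host/path") values inherit
    // from the previous hop, including its scheme.
    chain.push(new URL(loc, chain[chain.length - 1]));
  }
  return chain;
}

const isInsecure = (u) => u.protocol === 'http:';

// pageUrl: page carrying the link; linkUrl: href of the download link;
// locations: Location headers returned by each redirect, in order.
function auditDownload(pageUrl, linkUrl, locations) {
  const page = new URL(pageUrl);
  const chain = resolveChain(new URL(linkUrl, page).href, locations);
  const finalUrl = chain[chain.length - 1];
  // Every URL before the final one answered with a redirect.
  const insecureHops = chain.slice(0, -1).filter(isInsecure).map((u) => u.href);

  const reasons = [];
  if (isInsecure(page)) reasons.push('insecure-page');
  if (isInsecure(finalUrl)) reasons.push('insecure-final-url');
  if (insecureHops.length > 0) reasons.push('insecure-redirect');
  return { blocked: reasons.length > 0, reasons, finalUrl: finalUrl.href, insecureHops };
}

// Constructed sample: HTTPS page, HTTPS final URL, one HTTP hop in between.
const viaMirror = auditDownload(
  'https://example.test/downloads',
  '/get/tool.zip',
  ['http://mirror.example.test/tool.zip', 'https://cdn.example.test/tool.zip']
);
console.log(viaMirror);

// Constructed sample: a protocol-relative redirect keeps the HTTP scheme.
const inherited = auditDownload(
  'https://example.test/',
  'http://old.example.test/a.zip',
  ['//files.example.test/a.zip']
);
console.log(inherited);
```
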
The feature will launch as an experimental flag in the Chrome browser before it is added to Chrome's "always use secure connections" feature. Chrome users will see a warning in the browser if insecure download blocking is triggered in the web browser.
The new use case applies to the first scenario only, because Google decided to give mixed-content behavior priority over it. This means that users will see a warning page if the download originates from an HTTP source, but no warning if the two other scenarios apply.
Chrome users need to enable the flag, once it is launched in Chrome, or the "always use HTTPS" security feature, for this to work. Options to bypass the warning are still provided. The warning is more of a reminder for users that a download is served via an insecure connection.
The flag is not yet available in Chrome, as the feature is still in development.
Now You: do you use "always use HTTPS" modes in your browser?