Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this

'I'm sorry, Dave, I'm afraid I can't fetch that document'

Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP.

"All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a Twitter thread. "An eavesdropper can see what a user is downloading, or an active attacker can swap the download for a malicious one."

"We hope to stop all unsafe downloads, but Chrome doesn't currently tell users on HTTPS pages that their downloads are insecure. That's weird! Users expect that what they do on secure pages to be... well… secure! So we're blocking these downloads first."

Specifically, Google is going after mixed content, resources like files, images, and scripts that get loaded over insecure HTTP connections from a webpage that has been served over a secure HTTPS link.

Consistently insecure content – files served via HTTP from HTTP websites – is not affected by this change (users will still see the "Not Secure" omnibox badge in that case); only HTTPS sites will lose the ability to serve files to Chrome users via HTTP.

In April 2020, when Chrome 82 arrives, Chrome users will see a warning when trying to download executable files (e.g. .exe, .apx) served via HTTP. In Chrome 83, due in June, users will be prevented from downloading such files at all. The warning notice meanwhile will shift to the attempted download of insecure archive files (e.g. .zip, .iso).

Come Chrome 84, in August, insecure executables and archives get blocked by default and other types of insecurely served files will prompt download warnings (e.g. .pdf, .docx).

And by Chrome 85, out in September, the mixed content warning will shift to images, audio, video, and text (e.g. .png, .mp3), with blocking becoming the default behavior for all other file types. With Chrome 86, in October 2020, the warnings will be gone and Chrome will refuse to download any mixed content.

That's the rollout schedule for Chrome for desktop operating systems (Linux, macOS, and Windows). For Android and iOS, the schedule will be delayed by one release cycle.

When Google initially discussed its plans to have Chrome intervene to save people from their disinterest in online security, the company said that "users will be able to enable a setting to opt out of mixed content blocking on particular websites."

Google's latest post on the subject, however, makes no mention of the general public: "Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download." The capabilities available to Chrome-using commoners are left unspecified.

But The Register understands that the Chrome-using hoi polloi will be allowed to override Google oversight. Mixed download blocking will be managed like other mixed content, so users will be able to click on the lock icon in the browser omnibox and then select Site Settings to change the setting for "Insecure content" to "Allow."
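To see which links on a page the schedule above will hit, and whether an InsecureContentAllowedForUrls entry would exempt them, here is a small audit script. It is an added example, not code from The Register, Google or the Chromium project. It assumes: the file-type categories are an illustrative extension set of my own, not Chrome's full list; the version table follows the desktop schedule reported above, with Android and iOS lagging one release; and the policy-pattern matcher is a simplified approximation of the `[scheme://][*.]host[/path]` pattern format Chrome enterprise policies use, not Chromium's implementation. Real Chrome also considers the MIME type, the Content-Disposition header and the final URL after redirects, so treat the output as a first pass. The sample page and its links are constructed, not a real site.

```javascript
// Added example (not from The Register, Google or Chromium): audit a page's
// download links for Chrome's mixed-content download blocking.
// Assumptions: illustrative extension sets; desktop schedule as reported, mobile
// lags one release; policy matcher approximates Chrome's URL pattern format.

// Illustrative file-type categories (assumption: not Chrome's actual list).
const CATEGORIES = {
  executable: [".exe", ".msi", ".apk", ".dmg", ".sh"],
  archive:    [".zip", ".iso", ".7z", ".rar", ".tar.gz"],
  media_text: [".png", ".jpg", ".gif", ".mp3", ".mp4", ".txt"],
};

// Desktop release in which each category first WARNS; the next release BLOCKS it.
// executable: 82/83, archive: 83/84, other (.pdf, .docx, ...): 84/85,
// image/audio/video/text: 85/86.
const WARN_VERSION = { executable: 82, archive: 83, other: 84, media_text: 85 };

function categorize(pathname) {
  const lower = pathname.toLowerCase();
  for (const [category, exts] of Object.entries(CATEGORIES)) {
    if (exts.some((ext) => lower.endsWith(ext))) return category;
  }
  return "other";
}

// A download is "mixed" when an https: page links to an http: resource. Resolving
// against the page URL handles relative paths and protocol-relative "//host/file"
// links, which inherit https: and are therefore not mixed.
function isMixedDownload(pageUrl, href) {
  const page = new URL(pageUrl);
  const target = new URL(href, page);
  return page.protocol === "https:" && target.protocol === "http:";
}

// Simplified matcher for the [scheme://][*.]host[/path] pattern format used by
// InsecureContentAllowedForUrls (assumption: approximation only). The pattern
// must match the PAGE requesting the download, not the download URL itself.
function matchesPolicyPattern(pageUrl, pattern) {
  const page = new URL(pageUrl);
  let rest = pattern;
  let scheme = null;
  const schemeMatch = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (schemeMatch) {
    scheme = schemeMatch[1].toLowerCase() + ":";
    rest = rest.slice(schemeMatch[0].length);
  }
  let anySubdomain = false;
  if (rest.startsWith("[*.]")) {
    anySubdomain = true;
    rest = rest.slice(4);
  }
  const slash = rest.indexOf("/");
  const host = (slash === -1 ? rest : rest.slice(0, slash)).toLowerCase();
  const path = slash === -1 ? "/" : rest.slice(slash);
  if (scheme && page.protocol !== scheme) return false;
  const hostOk = page.hostname === host ||
    (anySubdomain && page.hostname.endsWith("." + host));
  return hostOk && page.pathname.startsWith(path);
}

// What Chrome does with one link: "allow", "warn" or "block".
function chromeAction(pageUrl, href, chromeVersion, { allowedPatterns = [], mobile = false } = {}) {
  if (!isMixedDownload(pageUrl, href)) return "allow";
  if (allowedPatterns.some((p) => matchesPolicyPattern(pageUrl, p))) return "allow";
  const effective = mobile ? chromeVersion - 1 : chromeVersion; // mobile lags one release
  const warnAt = WARN_VERSION[categorize(new URL(href, pageUrl).pathname)];
  if (effective < warnAt) return "allow";
  if (effective === warnAt) return "warn";
  return "block";
}

// Scan a page's <a href="..."> links. A naive regex is fine for an audit script.
function auditPage(pageUrl, html, chromeVersion, options) {
  const results = [];
  const re = /href="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    results.push({ href: m[1], action: chromeAction(pageUrl, m[1], chromeVersion, options) });
  }
  return results;
}

// Constructed sample page (not a real site): an https: page with mixed and clean links.
const SAMPLE_PAGE_URL = "https://downloads.example.com/tools/";
const SAMPLE_HTML = `
<a href="http://mirror.example.net/tool-1.2.exe">Installer</a>
<a href="http://mirror.example.net/tool-1.2.zip">Source archive</a>
<a href="http://mirror.example.net/manual.pdf">Manual</a>
<a href="http://mirror.example.net/logo.png">Logo</a>
<a href="//mirror.example.net/tool-1.2.exe">Protocol-relative (inherits https)</a>
<a href="/local/tool-1.2.exe">Same-origin copy</a>
`;

for (const version of [82, 84, 86]) {
  console.log(`Chrome ${version} (desktop):`);
  for (const r of auditPage(SAMPLE_PAGE_URL, SAMPLE_HTML, version)) {
    console.log(`  ${r.action.padEnd(5)} ${r.href}`);
  }
}
```

Run it with `node` and the same six links go from one warning at Chrome 82 to four blocks at Chrome 86; only the protocol-relative and same-origin links survive, which is the cheapest fix for the developer complaint quoted below: link to an https: copy or host the file yourself. Note that the allowlist is keyed on the page, so `chromeAction(..., { allowedPatterns: ["[*.]example.com"] })` exempts every download started from a page under example.com, whatever mirror it points at.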

Even with these overrides available, it's clear that Google expects some site breakage. Via Twitter, Mark Amery, a software developer at biotech startup Shield Diagnostics, expressed concern about the implications for web developers.

"Warning is good, but blocking outright seems wrong to me, especially for non-executables," he wrote. "I can't magic HTTPS into existence on a site I don't own if I'd like to link to a data file it hosts, so this effectively means I just can't hyperlink to such a resource at all."

DeBlasio acknowledged that web developers will need to fix their sites, even as he admitted that warning prompts don't do much because most people just ignore them.

"Our hope is that as more of the web moves to HTTPS, this won't be a huge problem," he replied. "That said, a huge and important part of the web is essentially static content that's never going to be updated. We don't want that content to be lost. This is something that we're thinking hard about and trying to solve. Stay tuned." ®
