Google is set to make significant changes to the Chrome browser that will eventually block file downloads from HTTP (unencrypted) sources entirely, starting with Chrome 83.
The new measure announced by Google refers to “mixed
content downloads,” including all non-HTTPS downloads started on secure
pages. Eventually, Google plans to block all insecure sub-resources on secure
Google plans to focus on files downloaded from unsecured locations but offered to users on secured websites. Bad actors can use this type of download to push files infected with malware or provide eavesdroppers with a way to read insecurely downloaded bank statements.
“Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads,” explains Joe DeBlasio from the Chrome security team.
“File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”
The rollout is scheduled to begin with Chrome 81 (March 2020), which will only show a console warning. Chrome 86 (October 2020) will block all content from an unsecured location, including executables, archives, documents, images, audio, video, text, and miscellaneous file types.
Mobile users on Android and iOS will get a reprieve of one release, as it’s believed that the current platforms have better native protection against malicious files. Google encourages developers to migrate fully to HTTPS to avoid any future restrictions.