Why Chrome Is Going To Start Blocking Some Of Your Downloads

When Google Chrome starts blocking your downloads in a few months, know that it’s nothing personal; the browser is just doing its best to keep you safe. You should also know that Chrome isn’t flawless, and you should still be running regular antivirus and antimalware scans—and avoiding shitty websites and their malware.

Got it? Here’s what’s happening. Google announced in October of last year that it was planning to address mixed content in chrome by preventing HTTP content from loading on HTTPS sites. As Google described:

“HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users’ privacy and security. For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.”

You can see this for yourself using a series of demonstration websites Google created. What will be most obvious to you, however, is when Chrome starts warning and eventually blocking insecure HTTP downloads from HTTPS websites. Warnings will start with Chrome 82, scheduled for a stable release on April 22, and blockings will begin in Chrome 83 with certain types of files. Here’s the official timeline from Google:

As for mobile versions of the browser, the same download-blocking setup will happen, but one cycle later. So, in this case, Android and iOS versions of chrome still start blocking HTTP executables from being downloaded on HTTPS websites

Does this mean that you’ll be safe downloading whatever (you’re allowed to download) from HTTPS websites? No. As Kapersky wrote last year:

“But the problem is that the green lock and the issued certificate say nothing about the site itself. A phishing page can just as readily get a certificate and encrypt all traffic that flows between you and it.

Put simply, all a green lock ensures is that no one else can spy on the data you enter. But your password can still be stolen by the site itself, if it’s fake.

Phishers make active use of this: According to Phishlabs, a quarter of all phishing attacks today are carried out on HTTPS sites (two years ago it was less than 1 per cent). Moreover, more than 80 per cent of users believe that the mere presence of a little green lock and the word “Secure” next to the URL means the site is safe, and they don’t think too hard before entering their data.”

As always, the burden is still on you to ensure that you aren’t downloading sketchy things from sketchy places, installing them on your PC, and watching attackers wrestle away control of your digital life. This means you’ll want the usual protections in your browser—a solid adblocker or two, of course—and Google’s safe browsing settings turned on:

Beyond that, make sure you’re running a solid antivirus program—even a decent free one is better than none at all—and running regular antimalware scans on your system. If you’re unsure about a particular file you’ve downloaded, run it in a sandbox or virtual machine so it doesn’t mess with the rest of your system. And, most importantly, stop visiting shady websites.


Leave a Reply