Google Chrome working to stop insecure HTTP downloads

Google Chrome is getting ready to launch a security feature that will prevent “insecure” HTTP downloads as HTTPS grows in popularity.

In the past, only privacy-sensitive websites like banks needed to use HTTPS encryption; however, as more websites handle our data daily, it has effectively become the default. Over recent years, Google has been adding new protections to Chrome to encourage the use of HTTPS connections wherever possible.

Most importantly, any older HTTP website is now marked as Not Secure in the browser’s address bar. Additionally, Chrome prevents secure websites from using insecure web forms or providing insecure downloads by default. Mixed content refers to this combination of secure and insecure elements.

Chrome’s security

“Always use secure connections” is a setting that the company added to Chrome’s security settings more recently. With this setting enabled, Chrome will attempt to upgrade to the HTTPS version if you accidentally navigate to the insecure version of a site. If there is no secure version available, an on-screen warning prompts you before you continue.

Google wants to expand that toggle to protect Chrome users from all HTTP downloads that could be unsafe, according to a new code change and accompanying explanation. Blocking downloads from any connection that is even associated with an insecure website goes beyond the protections for mixed content downloads currently in place.

For instance, Google Chrome would mark the download as unsafe if you clicked on an HTTPS download link that took you through an insecure HTTP server before connecting you to a final HTTPS connection. Similarly, if you are browsing a website that is only accessible via HTTP, Chrome would block downloads originating from that website.

This new option to prevent unsecured HTTP downloads will initially be hidden behind a Chrome flag. However, it is planned to be included in the “Always use secure connections” toggle at some point in the future.

Block insecure downloads

Enables insecure download blocking. This shows a ‘blocked’ message if the user attempts to download a file over an insecure transport (e.g. HTTP) either directly or via an insecure redirect.

#block-insecure-downloads
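The rule in the flag description above can be modeled as a check over a download's redirect chain. This is an added example, not Chrome's code: it assumes a hop is insecure when its URL scheme is `http:`, and the function names and example.com URLs are constructed for illustration. A site operator could use the same logic to find which hop in a download path needs to move to HTTPS.

```javascript
// Added example: simplified model of the rule in the flag description above.
// Assumption: a hop is "insecure" when its URL scheme is http:.
function isInsecureHop(url) {
  return new URL(url).protocol === "http:"; // throws on malformed or relative URLs
}

// chain: every URL requested for one download, in order; the last entry is the file itself.
function auditDownload(chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new TypeError("chain must be a non-empty array of absolute URLs");
  }
  const insecureHops = chain.filter(isInsecureHop);
  const finalIsInsecure = isInsecureHop(chain[chain.length - 1]);
  let reason = "none";
  if (finalIsInsecure) {
    reason = "direct"; // the file itself is served over HTTP
  } else if (insecureHops.length > 0) {
    reason = "insecure-redirect"; // HTTPS at both ends, HTTP somewhere in between
  }
  return { blocked: reason !== "none", reason, insecureHops };
}

// Constructed sample chains (example.com hosts are placeholders).
const SAMPLE_CHAINS = {
  allHttps: ["https://www.example.com/get/tool", "https://cdn.example.com/tool.zip"],
  httpHopInMiddle: [
    "https://www.example.com/get/tool",
    "http://mirror.example.com/redirect?f=tool.zip",
    "https://cdn.example.com/tool.zip",
  ],
  httpOnlySite: ["http://legacy.example.com/files/tool.zip"],
};

// Audit every named chain and return the verdicts keyed by name.
function auditAll(chains) {
  return Object.fromEntries(
    Object.entries(chains).map(([name, chain]) => [name, auditDownload(chain)])
  );
}

console.log(JSON.stringify(auditAll(SAMPLE_CHAINS), null, 2));
```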

Lastly, the feature is only now being developed. It is not likely to be available for broader testing until Chrome 111, which is set to release in March 2023, while a full launch would probably arrive later in the year.
