Google Chrome to block all file downloads over non-HTTPS by default
Google has decided that it’s not enough to simply hope that you won’t download unknown files over unsecured connections – and so it’s going to try to stop you from doing that on Chrome altogether.
Starting with Chrome 82, the popular web browser will issue a gentle warning that downloading executable files – i.e. .exe, .apk – over HTTP is simply a bad idea, and an on-screen prompt will ask you to reconsider.
Later, when Chrome 83 is released in June 2020, Chrome will simply stop executables from being downloaded over non-HTTPS connections altogether. In future releases, the gentle warnings will be gone, and it shouldn’t be possible to download anything – .mp3s, .pngs, zipped archives, you name it – unless it’s done over HTTPS.
Joe DeBlasio, a software engineer working for the Chrome security team, shared the details in a lengthy post, along with a timeline for when the files-over-HTTP portcullis would come slamming down (see above).
“As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
“Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types.
“This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”
Desktop platforms – i.e. Windows, MacOS, Linux, and naturally, Google’s own Chrome OS – will benefit from this safety-first approach before iOS and Android, updates for which will be delayed by one release cycle.
DeBlasio signs off by encouraging devs to fully migrate to HTTPS “to avoid future restrictions,” and hints at tighter restrictions on content downloads in the future.
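For site owners acting on that advice, the case the post singles out (a secure page that links to a file over plain HTTP) can be checked statically. The following is an added example, not code from Google or from the original article; the function name, the extension sets and the sample page are assumptions constructed for illustration, and it neither follows redirects nor reproduces Chrome's own file-type list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Assumption: only the executable extensions the article names; extend for your site.
EXECUTABLE_EXTS = {".exe", ".apk"}
# Assumption: links without an extension or to HTML pages are navigation, not downloads.
PAGE_EXTS = {"", ".html", ".htm"}

# Constructed sample input (hypothetical hosts under the reserved .example TLD).
SAMPLE_PAGE_URL = "https://downloads.example/releases/"
SAMPLE_HTML = """
<a href="http://cdn.example/media/demo.mp3">Demo track</a>
<a href="http://cdn.example/tool/setup.EXE">Windows installer</a>
<a href="https://cdn.example/tool/setup.exe">Windows installer (secure)</a>
<a href="//cdn.example/app/client.apk">Android build</a>
<a href="notes.zip">Release notes</a>
<a href="http://blog.example/about">About</a>
"""

class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.append(href)

def find_insecure_downloads(page_url, html):
    """Return (absolute_url, risk) for file links on an HTTPS page that resolve to HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # the first rollout step covers downloads started on secure pages
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        # urljoin resolves relative and protocol-relative links against the page,
        # so "//host/file" and "file.zip" inherit https and are not flagged.
        parts = urlsplit(urljoin(page_url, href))
        ext = posixpath.splitext(parts.path)[1].lower()
        if parts.scheme != "http" or ext in PAGE_EXTS:
            continue
        risk = "executable" if ext in EXECUTABLE_EXTS else "other-file"
        findings.append((parts.geturl(), risk))
    # Executables first, the order in which the article says file types are affected.
    return sorted(findings, key=lambda f: f[1] != "executable")
```

Every link it reports needs an HTTPS equivalent; the "executable" entries are the ones the article says are affected first.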
This suggests that even after this October persistent users will likely find a way to download ‘LinKin_p4rK_numbMP3.exe’ over HTTP by tweaking security settings, and going forwards Google may fully remove that choice from the user. In the meantime, should you accidentally wreck the family PC, don’t say that you weren’t warned.