large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Google Chrome to block all file downloads over non-HTTPS by default

Google has decided that it’s not enough to simply hope that you won’t download unknown files over unsecured connections – and so it’s going to try to stop you from doing that on Chrome altogether.

Starting with Chrome 82, the popular web browser will issue a gentle warning that downloading executable files – i.e. .exe, .apk, – over HTTP is simply a bad idea, and an on-screen prompt will ask you to reconsider.

Later, when Chrome 83 is released in June 2020, Chrome will simply stop executables from being downloaded over non-HTTPS connections altogether. In future releases, the gentle warnings will be gone, and it shouldn’t be possible to download anything – .mp3s, .pngs, zipped archives, you name it – unless it’s done over HTTPS.

Related: Best VPNs

A table of Chrome versions and different media, showing Chrome's HTTP blocking

Joe DeBlasio, a software engineer working for the Chrome security team, shared the details in a lengthy post, along with a timeline for when the files-over-HTTP portcullis would come slamming down (see above).

“As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.

“Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types.

“This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”

Related: A new version of Opera has just landed

Desktop platforms – i.e. Windows, MacOS, Linux, and naturally, Google’s own Chrome OS – will benefit from this safety-first approach before iOS and Android, updates for which will be delayed by one release cycle.

DeBlasio signs off by encouraging devs to fully migrate to HTTPS “to avoid future restrictions,” and hints at tighter restrictions on content downloads in the future.

This suggests that even after this October persistent users will likely find a way to download ‘LinKin_p4rK_numbMP3.exe’ over HTTP by tweaking security settings, and going forwards Google may fully remove that choice from the user. In the meantime, should you accidentally wreck the family PC, don’t say that you weren’t warned.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.