As HTTPS has become more common on the web, Google Chrome is preparing to launch a security option that will block “unsafe” downloads via HTTP.
While it used to be that only privacy-sensitive sites like banks needed to be secured with HTTPS encryption, these days it has effectively become standard, especially as more sites handle our data on a daily basis. Over the past few years, Google has added new protections to Chrome to encourage the use of HTTPS connections where possible.
Most notably, the browser now marks any legacy HTTP site as “Not Secure” in the address bar. By default, Chrome also blocks secure websites from using insecure web forms or offering insecure downloads. This combination of safe and unsafe elements is called “mixed content”.
Recently, the company created a switch in Chrome’s security settings to “Always use secure connections.” Enabling this tells Chrome to attempt to “upgrade” to the HTTPS version of websites if you ever accidentally navigate to the insecure version. If a secure version is not available, a warning will appear on the screen asking if you want to continue.
According to a new code change and accompanying explanation, Google wants to expand this switch to also protect Chrome users from all potentially unsafe HTTP downloads. This goes beyond the existing mixed content download protections by blocking downloads over any connection that is even linked to an insecure website.
For example, if you click on an HTTPS download link and it redirects you to an insecure HTTP server followed by a final HTTPS connection, Google Chrome will block the download as insecure. Similarly, if you browse a website that is only accessible via HTTP, Chrome will block all downloads coming from that website.
That said, just like with Chrome’s other forms of blocking unsafe sites and downloads, you’ll be able to bypass the block. That way, it’s more of a loud warning to make sure you know what you’re doing, rather than actually blocking users from potentially unsafe parts of the internet.
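The redirect and HTTP-only cases described above can be modelled as a check over the full redirect chain, which site owners can use to audit their own download links. This is an added example, not Chrome's code; the function, option and rule names and the sample URLs are assumptions, and the existing mixed content rule is simplified to "secure page, insecure final URL".

```javascript
// Simplified model of the download rules described in the article.
// Not Chrome's implementation; names and sample URLs are constructed.

const isHttps = (url) => new URL(url).protocol === "https:";

// chain: every URL the download request visits, in order, final URL last.
// initiator: page where the link was clicked, or null if there is none.
// blockAllInsecure: the new option under "Always use secure connections".
function evaluateDownload({ initiator = null, chain, blockAllInsecure }) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new TypeError("chain must contain at least the final URL");
  }
  const insecureHop = chain.findIndex((url) => !isHttps(url));
  const finalInsecure = !isHttps(chain[chain.length - 1]);
  const initiatorSecure = initiator === null ? null : isHttps(initiator);

  // Existing protection (assumed simplification): secure page, insecure download.
  if (initiatorSecure === true && finalInsecure) {
    return { blocked: true, rule: "mixed-content-download", insecureHop };
  }
  if (blockAllInsecure) {
    // New rule: any HTTP hop taints the download, even if the last hop is HTTPS.
    if (insecureHop !== -1) {
      return { blocked: true, rule: "insecure-hop", insecureHop };
    }
    // New rule: downloads offered by an HTTP-only page are blocked too.
    if (initiatorSecure === false) {
      return { blocked: true, rule: "insecure-initiator", insecureHop };
    }
  }
  return { blocked: false, rule: null, insecureHop };
}

// Constructed redirect chain: HTTPS link -> HTTP mirror -> HTTPS file host.
const viaHttpRedirect = {
  initiator: "https://downloads.example.com/",
  chain: [
    "https://downloads.example.com/get/tool.zip",
    "http://mirror.example.net/tool.zip",
    "https://cdn.example.org/tool.zip",
  ],
};

console.log(evaluateDownload({ ...viaHttpRedirect, blockAllInsecure: false }));
console.log(evaluateDownload({ ...viaHttpRedirect, blockAllInsecure: true }));
```

The `insecureHop` index points at the first redirect that needs to be moved to HTTPS for the download to pass.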
Initially, this new option to block insecure HTTP downloads will be locked behind a Chrome flag. Later, however, it is supposed to be available as part of the “Always use secure connections” switch.
Block unsafe downloads
Enables blocking of unsafe downloads. This displays a “blocked” message if the user tries to download a file over an insecure transport (e.g. HTTP) either directly or via an insecure redirect.
As the feature is currently in development, it’s not likely to arrive for wider testing until Chrome 111, which is set to launch in March 2023, while a full launch is likely to come later in the year.