Google has revealed plans to initially warn Chrome users about “insecure” downloads and eventually block them outright. “Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files,” Joe DeBlasio of the Chrome security team wrote in a blog post. “Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.”
Beginning with Chrome 82, due for release in April, Chrome will warn users if they’re about to download mixed content executables from a secure website.
Then, when version 83 is released, those executable downloads will be blocked and the warning will be applied to archive files. PDFs and .doc files will get the warning in Chrome 84, with audio, images, text, and video files displaying it by version 85. Finally, all mixed content downloads — a non-secure file coming from a secure site — will be blocked as of the release of Chrome 86. Right now, Google is estimating an October release for that build of the popular web browsing. The chart below lays out the Chrome team’s current plan:
“In the future, we expect to further restrict insecure downloads in Chrome,” DeBlasio wrote. This is all part of Google’s effort to fully migrate developers over to HTTPS. Last year, Google began blocking HTTPS sites from pulling down insecure page resources.
These warnings are also coming to the Android and iOS versions of Chrome, but the above schedule will be delayed by a release for the mobile platforms.
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.