Google is set to make significant changes to the Google Chrome browser that would eventually lead to entirely blocking the download of files from HTTP (unencrypted) sources, starting with Chrome 83.
The new measure announced by Google refers to “mixed content downloads,” including all non-HTTPS downloads started on secure pages. Eventually, Google plans to block all insecure sub-resources on secure pages.
Google's focus is on files that are downloaded from unsecured locations but offered to users on secure websites. Bad actors can use this type of download to push files infected with malware, and it gives eavesdroppers a way to read insecurely downloaded bank statements.
“Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads,” explains Joe DeBlasio from the Chrome security team.
“File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.”
The rollout is scheduled to begin with Chrome 81 (March 2020), but only a console warning will be offered. Chrome 86 (October 2020) will block all content from an unsecured location, including executables, archives, documents, images, audio, video, text, and miscellaneous.
Mobile users, on Android and iOS, will get a reprieve of one release as it’s believed that the current platforms have better native protection against malicious files. Google encourages developers to migrate fully to HTTPS to avoid any future restrictions.
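A developer preparing for this change can scan a page's markup for links that would count as mixed content downloads. The Python script below is an added example, not code from Google or Chrome; the extension-to-category mapping, the function names and the `example.test` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit
# Assumed extension lists: the article names the categories, not the extensions.
CATEGORIES = {
    "executable": {".exe", ".msi", ".dmg", ".apk"},
    "archive": {".zip", ".gz", ".7z", ".rar"},
    "document": {".pdf", ".doc", ".docx", ".xlsx"},
    "image": {".png", ".jpg", ".jpeg", ".gif"},
    "audio": {".mp3", ".wav", ".ogg"},
    "video": {".mp4", ".webm", ".mkv"},
    "text": {".txt", ".csv"},
}

def classify(path):
    ext = splitext(path.lower())[1]
    return next((c for c, exts in CATEGORIES.items() if ext in exts), "miscellaneous")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base, self.links = None, []  # first <base href>; (href, has download attr)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]  # a <base> tag changes how relative links resolve
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], "download" in a))

def find_mixed_downloads(page_url, html):
    """Return (url, category) for http:// links on an https:// page that have a known file type or a `download` attribute."""
    if urlsplit(page_url).scheme != "https":
        return []  # "mixed content" only applies to secure pages
    collector = LinkCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    findings = []
    for href, forced in collector.links:
        target = urlsplit(urljoin(base, href))
        category = classify(target.path)
        if target.scheme == "http" and (forced or category != "miscellaneous"):
            findings.append((target.geturl(), category))
    return findings

# Constructed sample markup; every host is a placeholder.
SAMPLE = """<a href="http://downloads.example.test/setup.exe">Installer</a>
<a href="//cdn.example.test/manual.pdf">Manual</a>
<a href="http://legacy.example.test/export?id=7" download>Export</a>
<a href="http://blog.example.test/post">Blog</a>"""
```

A static scan like this cannot see downloads reached through redirects or started by script, so it complements testing in the browser.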