Google has announced that starting with the new release of the Chrome browser, it will gradually ensure that secure (HTTPS) pages only download secure files.
The plan was outlined on its official blog. Google will start blocking “mixed content downloads” (non-HTTPS downloads started on secure pages). This move follows a plan it had announced last year to start blocking all insecure sub resources on secure pages.
The reason for this new move, explained Google, was because “insecurely-downloaded files were a risk to users’ security & privacy. For instance, insecurely-downloaded programs could be swapped out for malware by attackers, helping eavesdroppers read users’ insecurely-downloaded bank statements.”
As a 1st step, Google will concentrate on insecure downloads started on secure pages. These cases were especially concerning because Chrome currently gives no indication to the user that their privacy & security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, & later blocking, these mixed Content downloads. File types that pose the most risk to users (e.g., executables) will be impacted 1st, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update Sites, & minimize how many warnings Chrome users have to see.
Image credit: Google
