Chrome is getting option to block insecure HTTP downloads


According to a recent code change by the company, Google Chrome is getting ready to provide a setting to restrict insecure HTTP downloads. Recently, Google Chrome got Memory Saver and Energy Saver modes.

To encourage the adoption of HTTPS connections, Google has been adding security features to Chrome over the past few years. Now that so many websites handle personal information, HTTPS encryption is the norm rather than the exception, whereas previously it was expected only of privacy-sensitive sites such as banks.

In Chrome’s security settings, the company has recently incorporated a toggle that says “Always use secure connections.” If you turn this on, Chrome will try to “upgrade” websites to the HTTPS version if you accidentally go to the insecure version. If there isn’t a secure version, you’ll see a message on the screen asking if you still want to go ahead.

Most importantly, any plain HTTP site is now marked as “Not Secure” in the address bar. Chrome also blocks, by default, web forms and downloads served over plain HTTP from an HTTPS page. “Mixed content” is the term for this combination of encrypted and unencrypted parts in a single page.

Following a new code change, Google intends to better protect Chrome users against potentially unsafe HTTP downloads. This goes beyond the existing protection against mixed-content downloads, which only covers downloads started from an HTTPS page: the new check applies to any download that is not securely delivered, including downloads started from plain HTTP pages.

Add support for insecure download blocking

This CL adds the implementation for insecure download blocking. When the previously-added flag is enabled, it will show a warning for all downloads that were not securely delivered. This warning must be explicitly ignored before the download will complete.

Insecure downloads can be insecure because of:

  • The initiating page being insecure,
  • The final file URL being insecure, or
  • Any redirect along the way being insecure.

For example, if you click an HTTPS download link and are redirected to a plain HTTP server, Chrome will treat the download as insecure. Downloads from HTTP-only websites are treated the same way. In the new, flag-gated behaviour such a download does not complete until the user explicitly dismisses the warning.

Availability

Regarding the availability of this feature, it’s still under development, so it probably won’t be available for widespread testing until Chrome 111, which is scheduled to release in March 2023. A complete launch would most likely occur later in the year.

The commit message also notes how the new check interacts with the existing mixed-content download blocking:

This implementation is designed to let mixed download blocking behavior take precedence over insecure download blocking generally. That means that any download that’s a mixed download is still blocked silently.
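The three conditions listed in the commit message, plus the precedence rule quoted above, amount to a small decision procedure. The following is an added example, not Chrome's code and not from the commit: it models a download as the URL of the initiating page plus the chain of URLs the request was sent to, and classifies it as "allow", "warn" (the new insecure-download warning) or "block-silently" (the existing mixed-download block). It assumes, as a simplification, that only https: URLs count as securely delivered; Chrome's notion of a secure context is broader (for example http://localhost), so this is a model of the stated rules rather than of Chrome's exact behaviour. The names classifyDownload, isSecureUrl and the sample URLs are invented for the example.

```javascript
// Added example, not Chrome's code: classify a download along the lines of the
// commit message, from the initiating page URL and the download's redirect chain.
// Simplification (assumption): only https: counts as securely delivered. Chrome's
// notion of a secure context is broader (e.g. http://localhost), so this models
// the stated rules, not Chrome's exact behaviour.

function isSecureUrl(urlString) {
  try {
    return new URL(urlString).protocol === "https:";
  } catch {
    return false; // unparseable URL: never treat it as secure
  }
}

// initiator: URL of the page on which the download was started.
// chain: every URL the download request was sent to, in order, ending with the
//        final file URL. A download with no redirects has a one-element chain.
function classifyDownload(initiator, chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new Error("chain must contain at least the final file URL");
  }
  const redirects = chain.slice(0, -1);
  const finalUrl = chain[chain.length - 1];

  // The three conditions from the commit message.
  const reasons = [];
  if (!isSecureUrl(initiator)) reasons.push("initiating page is insecure");
  if (!isSecureUrl(finalUrl)) reasons.push("final file URL is insecure");
  if (redirects.some((u) => !isSecureUrl(u))) reasons.push("a redirect hop is insecure");

  // Mixed download: a secure page whose download travels over an insecure hop
  // (assumed here to include redirect hops, not only the final URL). Per the
  // commit message this keeps its existing silent block and takes precedence.
  const deliveryInsecure = chain.some((u) => !isSecureUrl(u));
  const mixed = isSecureUrl(initiator) && deliveryInsecure;

  // Insecure download: any of the three conditions above.
  const insecure = reasons.length > 0;

  let action = "allow";
  if (mixed) action = "block-silently";
  else if (insecure) action = "warn"; // completes only if the user explicitly ignores the warning

  return { action, mixed, insecure, reasons };
}

// Constructed sample downloads, not captured from a real browser.
const samples = [
  ["https://shop.example/", ["https://cdn.example/app.zip"]],
  ["https://shop.example/", ["https://dl.example/app.zip", "http://mirror.example/app.zip"]],
  ["https://shop.example/", ["http://redir.example/go", "https://cdn.example/app.zip"]],
  ["http://legacy.example/", ["http://legacy.example/tool.exe"]],
  ["http://legacy.example/", ["https://cdn.example/app.zip"]],
];

for (const [initiator, chain] of samples) {
  const r = classifyDownload(initiator, chain);
  console.log(`${initiator} -> ${chain.join(" -> ")}: ${r.action} ${JSON.stringify(r.reasons)}`);
}
```

The last sample is the case the new feature adds: an HTTPS file downloaded from a plain HTTP page is not mixed content, so the existing block never fired, but the initiating page is insecure, so the new check warns. The second and third samples are the redirect cases from the article, which the precedence rule keeps on the silent mixed-download path.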
