Browser Watch: Google Chrome to Block HTTP Downloads

Starting mid-2020, you won’t be able to download certain files on Chrome — here’s why

Time after time, we’ve witnessed browser giants making security-related decisions that have a significant impact on end-users, taking the web in a more secure direction. This time it’s Google, which has announced a plan to block HTTP downloads in Google Chrome, the most popular browser in the world.

Here’s what Google is changing, and why it’s a good thing for the web.

Let’s hash it out.

Why Block HTTP Downloads?

As we know, Google Chrome and other major browsers show a “Not Secure” warning when you visit a non-HTTPS website. This way, everyday users are informed about the insecure connection so that they (hopefully) don’t exchange any critical information with that website. This has played a pivotal role in driving user awareness and HTTPS adoption.

However, that’s not enough.

What if there’s a website that has an SSL certificate installed on it, but is quietly serving its file downloads via HTTP? What if hackers use this opening to inject malware into your system? It’s certainly a possibility! In technical terms, such a mixture of HTTP content on an HTTPS website is referred to as “mixed content.” And most users could easily fall for a “mixed download,” because nothing tells them that the download link is HTTP. It’s definitely a hole in HTTPS security, and Google has decided to fill it by blocking HTTP downloads from HTTPS websites.

What Is Going to Be Blocked?

According to Google’s announced plan, Chrome 83 (to be released in June 2020) will begin blocking “the file types that pose the most risk to users.” These file types include executable files such as .exe and .apk. In subsequent Chrome releases, Google will include other file types and, ultimately, block all file types in Chrome 86, which is to be released in October 2020. So, after October 2020 (if you update Chrome), you won’t be able to download any file that is being served over HTTP if you click the download link from an HTTPS URL.

Note that if a website uses HTTP, users can still download HTTP files. This update targets HTTPS sites that use HTTP download URLs, because the browser is showing the site to be secure but the download actually isn’t secure.

Google’s Six-Phased Approach to Blocking

Although the blocking process will be initiated with the release of Chrome 83 (to be released in June 2020), Google first wants to educate users and also give time for website owners to remove mixed content from their websites. That’s why Chrome 81 (to be released in March 2020) will provide a console warning message about all mixed content downloads.

This process, which begins in March, has been divided into six phases by Google. Here’s the outline Google has given for desktop platforms (Windows, macOS, Chrome OS, and Linux):

  • Chrome 81 (to be released in March 2020) — Chrome will print a console message to warn webmasters about all mixed content downloads.
  • Chrome 82 (to be released in April 2020) — Chrome will start warning users about mixed content downloads of executables (.exe, .apk, etc.) and print a console warning for all other types of files.
  • Chrome 83 (to be released in June 2020) — This is when the blocking phase will begin. Chrome will begin blocking mixed content executables. Also, it’ll warn users on mixed content archives (.zip, .iso, etc.). Console warning messages for all other types of files will continue.
  • Chrome 84 (to be released in August 2020) — Chrome will expand its blocklist to archives and disk images. On other mixed content file types such as .pdf and .docx files, Chrome will display a warning to the users. For images, audio, and video files, console warnings will continue.
  • Chrome 85 (to be released in September 2020) — Chrome will block all files except images, audio, and video files. For images, audio, and video files, a warning message will be shown to users before downloading.
  • Chrome 86 (to be released in October 2020) — Chrome will block all content being served on non-secure HTTP when you click the download link via an HTTPS website. In other words, Chrome will block all mixed content downloads.

For mobile phones (Android and iOS), Chrome will delay the rollout by one release. This means that it’ll start showing warnings in Chrome 83, instead of Chrome 82.

Does Your Website Have Mixed Content?

This Google Chrome update will not only force hackers to rethink their strategy; some legitimate websites, too, will have to take a fresh look at their own pages. Many website administrators might not even be aware of what mixed content they have on their website. Well, we’re here to help you out.

To check mixed content/insecure links on your website, you can go to our “Why No Padlock?” tool and get all mixed content links at your fingertips. Once you know what mixed content you have on your site, you can migrate it to HTTPS to secure your website. Check out our blog post How to Find and Fix Mixed Content Warnings on HTTPS Sites for tips on how to switch content to fully HTTPS.

Screenshot of our “Why No Padlock?” tool.
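
For site owners who want to script this check, here is an added example (not part of the original article, and not the “Why No Padlock?” tool): a Python sketch that scans an HTTPS page’s HTML for download links served over HTTP and reports the first desktop Chrome release that blocks each one under the schedule above. It assumes a link is a download if it has a known file extension or a `download` attribute; the media extensions, the sample hosts, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urljoin, urlsplit

# First desktop Chrome release that blocks each category, per the schedule above.
BLOCKED_IN = {"executable": 83, "archive": 84, "other": 85, "media": 86}
# Only .exe/.apk/.zip/.iso/.pdf/.docx are named in the article; the media
# extensions are assumptions added for illustration.
CATEGORY = {".exe": "executable", ".apk": "executable",
            ".zip": "archive", ".iso": "archive",
            ".pdf": "other", ".docx": "other",
            ".png": "media", ".jpg": "media", ".mp3": "media", ".mp4": "media"}

# Constructed sample input (hypothetical hosts), not taken from a real site.
SAMPLE_PAGE = "https://shop.example/downloads"
SAMPLE_HTML = """
<a href="http://cdn.example/setup.exe">Installer</a>
<a href="//cdn.example/tools.zip">Tools (protocol-relative, stays HTTPS)</a>
<a href="HTTP://cdn.example/manual.PDF">Manual</a>
<a href="http://cdn.example/backup.iso">Disk image</a>
<a href="http://cdn.example/report" download>Report</a>
<a href="http://blog.example/post">Plain navigation link</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, has_download_attribute) for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"].strip(), "download" in attrs))

def find_mixed_downloads(page_url, html):
    """Return [(url, category, blocking_release)] sorted by release."""
    if urlsplit(page_url).scheme != "https":
        return []  # HTTP page linking to HTTP files is not a mixed download
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, forced in collector.links:
        parts = urlsplit(urljoin(page_url, href))  # resolve relative links
        ext = splitext(parts.path)[1].lower()
        category = CATEGORY.get(ext, "other" if forced else None)
        if parts.scheme == "http" and category:
            findings.append((parts.geturl(), category, BLOCKED_IN[category]))
    return sorted(findings, key=lambda f: f[2])
```

Calling `find_mixed_downloads(SAMPLE_PAGE, SAMPLE_HTML)` flags the installer, the disk image, the manual, and the forced-download report, in the order Chrome will start blocking them; the protocol-relative link and the plain navigation link are left alone.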

Final Word

Although Google has put in extensive efforts to get insecure websites to switch to HTTPS and to raise user awareness regarding HTTPS, I always felt that mixed content was a dimension that needed to be addressed. Google has now come down on mixed content downloads, and this will surely mark a milestone in enhancing privacy and security on the internet. We hope and expect other browsers to follow suit to protect user privacy and security.

Author

Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.