{"id":12053,"date":"2020-02-10T11:57:27","date_gmt":"2020-02-10T16:57:27","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12053"},"modified":"2020-02-21T14:36:13","modified_gmt":"2020-02-21T19:36:13","slug":"browser-watch-google-chrome-to-block-http-downloads","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/browser-watch-google-chrome-to-block-http-downloads\/","title":{"rendered":"Browser Watch: Google Chrome to Block HTTP Downloads"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Starting mid-2020, you won\u2019t be able to download certain files on Chrome \u2014 here\u2019s why<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Time after time, we\u2019ve witnessed browser giants making security-related decisions that have a significant impact on end-users, taking the web in a more secure direction. This time it&#8217;s Google, who has <a href=\"https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">announced a plan<\/a> to block HTTP downloads in Google Chrome, <a href=\"https:\/\/www.w3counter.com\/globalstats.php\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">the most popular browser in the world<\/a>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s what Google is changing, and why it\u2019s a good thing for the web.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Block HTTP Downloads?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As we know, Google\nChrome and other major browsers show a &#8220;Not Secure&#8221; warning when you\nvisit a non-HTTPS website. This way, everyday users are informed about the\ninsecure connection so that they (hopefully) don&#8217;t exchange any critical\ninformation with that website. This has played a pivotal role to drive user\nawareness and HTTPS adoption.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, that\u2019s not\nenough. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What if there\u2019s a website that has an <a href=\"https:\/\/www.thesslstore.com\/new-to-ssl\/what-is-ssl-tls.aspx\">SSL certificate<\/a> installed on it, but is quietly serving their file downloads via HTTP? What if hackers use this opening to inject malware into your system? It\u2019s certainly a possibility!&nbsp; In technical terms, such a mixture of HTTP content on an HTTPS website is referred to as &#8220;mixed content.&#8221; And with a \u201cmixed download\u201d, most users could easily fall for it as there\u2019s no indication to notify users when the download link is HTTP. It&#8217;s definitely a hole in HTTPS security, and Google has decided to fill it by blocking HTTP downloads from HTTPS websites.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is Going to Be Blocked? <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to Google\u2019s announced plan, Chrome 83 (to be released in June 2020) will begin blocking \u201cthe file types that pose the most risk to users.\u201d These file types include executable files such as .exe and .apk. In subsequent Chrome releases, Google will include other file types and, ultimately, block all file types in Chrome 86, which is to be released in October 2020. So, after October 2020 (if you update Chrome), you won\u2019t be able to download any file that is being served over HTTP if you click the download link from an HTTPS URL.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that if a website\nuses HTTP, users can still download HTTP files. This update targets HTTPS sites\nthat use HTTP download URLs, because the browser is showing the site to be\nsecure but the download actually isn\u2019t secure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Google\u2019s Six-Phased Approach to\nBlocking <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Although the blocking\nprocess will be initiated with the release of Chrome 83 (to be released in June\n2020), Google first wants to educate users and also give time for website\nowners to remove mixed content from their websites. That&#8217;s why Chrome 81 (to be\nreleased in March 2020) will provide a console warning message about all mixed\ncontent downloads.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"343\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/mix_dl_table-1024x343.png\" alt=\"Graphic of the Chrome 81 - Chrome 86 updates that are planned for release\" class=\"wp-image-12054\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/mix_dl_table-1024x343.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/mix_dl_table-300x100.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/mix_dl_table-768x257.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/mix_dl_table.png 1530w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Graphic source: Google&#8217;s Chromium Blog (<a href=\"https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html<\/a>)<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This process, which\nbegins in March, has been divided into six phases by Google. Here\u2019s the outline\nis given by Google for desktop platforms (Windows, macOS, Chrome OS, and Linux):<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Chrome 81 (to be released in March 2020) <\/strong>\u2014 Chrome will print a console message to warn webmasters\nabout all mixed content downloads.<\/li><li><strong>Chrome 82 (to be released in April 2020)<\/strong> \u2014 Chrome will start warning users about mixed content\ndownloads of executables (.exe, .apk, etc.) and print a console warning for all\nother types of files.<\/li><li><strong>Chrome 83 (to be released in June 2020)<\/strong> \u2014 This is when the blocking phase will begin. Chrome\nwill begin blocking mixed content executables. Also, it\u2019ll warn users on mixed\ncontent archives (.zip, .iso, etc.). Console warning messages for all other\ntypes of files will continue.<\/li><li><strong>Chrome 84 (to be released in August 2020)<\/strong> \u2014 Chrome will expand its blocklist to archives\nand disk images. On other mixed content file types such as .pdf and .docx files,\nChrome will display a warning to the users. For images, audio, and video files,\nconsole warnings will continue.<\/li><li><strong>Chrome 85 (to be released in September 2020)<\/strong> \u2014 Chrome will block all files except images,\naudio, and video files. A warning message will be shown to users before\ndownloading these files.&nbsp; <\/li><li><strong>Chrome 86 (to be released in October 2020)<\/strong> \u2014 Chrome will block all content being served\non non-secure HTTP when you click the download link via an HTTPS website. In\nother words, Chrome will block all mixed content downloads.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"356\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/chrome-insecure-download-warning.png\" alt=\"Graphic of what a warning will look like for insecure downloads from HTTPS websites (mixed content warning)\" class=\"wp-image-12056\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/chrome-insecure-download-warning.png 820w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/chrome-insecure-download-warning-300x130.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/chrome-insecure-download-warning-768x333.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><figcaption> Graphic source: Google&#8217;s Chromium Blog (<a rel=\"noreferrer noopener\" href=\"https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html\" target=\"_blank\">https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html<\/a>) <\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">For mobile phones\n(Android and iOS), Chrome will delay the rollout by one release. This means\nthat it\u2019ll start showing warnings in Chrome 83, instead of Chrome 82.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Does Your Website Have Mixed Content?\n<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This Google Chrome\nupdate will not only force hackers to rethink their strategy but some\nlegitimate websites, too, will have to take a new look at their website. Many website\nadministrators might not even be aware of what mixed content they have on their\nwebsite. Well, we\u2019re here to help you out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To check mixed\ncontent\/insecure links on your website, you can go to our <a href=\"https:\/\/www.thesslstore.com\/ssltools\/why-no-padlock.php\">&#8220;Why No Padlock?&#8221; tool<\/a> and get all mixed content links at your\nfingertips. Once you know what mixed content you have on your site, you can\nmigrate it to HTTPS to secure your website. Check out our blog post <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-find-and-fix-mixed-content-warnings-on-https-sites\/\">How\nto Find and Fix Mixed Content Warnings on HTTPS Sites<\/a> for tips on how to\nswitch content to fully HTTPS.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"707\" height=\"72\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/why-no-padlock-tool-screenshot.png\" alt=\"\" class=\"wp-image-12058\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/why-no-padlock-tool-screenshot.png 707w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/why-no-padlock-tool-screenshot-300x31.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/why-no-padlock-tool-screenshot-698x72.png 698w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><figcaption>Screenshot of our &#8220;Why No Padlock?&#8221; tool.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Final Word<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Although Google has put in extensive efforts to get insecure websites to switch to HTTPS and to raise user awareness regarding HTTPS, I always felt that mixed content was a dimension that needed to be addressed. Google has now come down on mixed content downloads, and this will surely mark a milestone in enhancing privacy and security on the internet. We hope and expect other browsers to follow suit to protect user privacy and security.<\/p>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n","protected":false},"excerpt":{"rendered":"<p>Starting mid-2020, you won\u2019t be able to download certain files on Chrome \u2014 here\u2019s why Time after time, we\u2019ve witnessed browser giants making security-related decisions that have a significant impact&#8230;<\/p>\n","protected":false},"author":10,"featured_media":12060,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16,17,10200],"tags":[155,11679],"class_list":["post-12053","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","category-industry-lowdown","category-monthly-digest","tag-google-chrome","tag-mixed-content","post-with-tags"],"views":22101,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/google-chrome-update-browser.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12053"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12053\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12060"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}