Login

Register

Login

Register

Google Chrome to start blocking downloads served via HTTP – Naked Security


Google has announced a timetable for phasing out insecure file downloads in the Chrome browser, starting with desktop version 81 due out next month.

Known in jargon as ‘mixed content downloads’, these are files such as software executables, documents and media files offered from secure HTTPS websites over insecure HTTP connections.

This is a worry because a user seeing the HTTPS padlock on a site visited using Chrome might assume that any downloads it offers are also secure (HTTP sites offering downloads are already marked ‘not secure’).

That, of course, is a risky assumption, as Google’s announcement points out:

Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.

Google will introduce this change gradually rather than all at once, at first offering warnings about executable downloads via HTTP in versions 81 and 82 of the desktop browser.

From version 83, due in June, these will be blocked outright and Chrome will start offering warnings for archives files such as .zip.

In subsequent versions, the same warn-and-block process will start to apply for downloads such as .doc and PDFs, images, videos and music files until, by Chrome version 86 in October, all downloads via HTTP will be blocked.

Mobile versions of Chrome will use the same timetable except that each milestone will apply one version later than for the desktop version.

Enterprise and education customers will be able to disable the policy on a per-site basis using the InsecureContentAllowedForUrls policy, Google said.

National Cyber Security Consulting App

 https://apps.apple.com/us/app/id1521390354

https://play.google.com/store/apps/details?id=nationalcybersecuritycom.wpapp


Ads

NATIONAL CYBER SECURITY RADIO

Ads

ALEXA “OPEN NATIONAL CYBER SECURITY RADIO”

National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.   

nationalcybersecurity.com

FREE
VIEW