Non-HTTPS downloads started on secure pages are a “risk to users’ security and privacy,” with Google citing how “insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.”
At the moment, the browser provides no indication of insecure downloads started on HTTPS pages. Chrome 82 in April will provide such a warning, starting with executables like APKs and EXEs. Appearing in the downloads bar, the warning will note when a file “can’t be downloaded securely.”
This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
Google is starting with Windows, macOS, Linux, and Chrome OS before moving to Android and iOS — following a one-release delay — with version 83. This is due to mobile platforms having “better native protections” against malicious files, like Play Protect.
Chrome’s secure downloads push to block mixed content downloads will be completed with Chrome 86 in October.
- In Chrome 81 (released March 2020) and later: Chrome will print a console message warning about all mixed content downloads.
- In Chrome 82 (released April 2020): Chrome will warn on mixed content downloads of executables (e.g. .exe).
- In Chrome 83 (released June 2020): Chrome will block mixed content executables. Chrome will warn on mixed content archives (.zip) and disk images (.iso).
- In Chrome 84 (released August 2020): Chrome will block mixed content executables, archives and disk images. Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
- In Chrome 85 (released September 2020): Chrome will warn on mixed content downloads of images, audio, video, and text. Chrome will block all other mixed content downloads.
- In Chrome 86 (released October 2020) and beyond: Chrome will block all mixed content downloads.
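For site owners auditing pages against this schedule, here is an added example (not from Google or the original article) that scans an HTTPS page's HTML for `http://` download links and reports how a given Chrome version would treat each one. The function names, the sample page, and every extension beyond .exe, .apk, .zip and .iso are assumptions made for illustration.

```javascript
// Added example. Extension lists are illustrative assumptions, not Chrome's own.
// warn/block are the Chrome versions given in the rollout schedule above.
const CATEGORIES = [
  { name: "executable", exts: ["exe", "apk"], warn: 82, block: 83 },
  { name: "archive or disk image", exts: ["zip", "iso"], warn: 83, block: 84 },
  { name: "image, audio, video or text", exts: ["png", "jpg", "mp3", "mp4", "txt"], warn: 85, block: 86 },
];
const OTHER = { name: "other", warn: 84, block: 85 };

function classify(pathname) {
  const file = pathname.split("/").pop();
  const dot = file.lastIndexOf(".");
  const ext = dot >= 0 ? file.slice(dot + 1).toLowerCase() : "";
  return CATEGORIES.find((c) => c.exts.includes(ext)) || null;
}

// Candidate mixed content downloads: http:// link targets on an https:// page that
// end in a listed extension or carry a `download` attribute (author intends a download).
// Downloads reached through redirects or Content-Disposition are not visible in static HTML.
function findMixedDownloads(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // only secure pages can have mixed content
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = /\bhref\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!href) continue;
    let target;
    try { target = new URL(href[1], page); } catch { continue; } // resolves relative links
    if (target.protocol !== "http:") continue;
    const intended = /\sdownload(\s|=|>)/i.test(tag);
    const cat = classify(target.pathname) || (intended ? OTHER : null);
    if (cat) findings.push({ url: target.href, category: cat.name, warn: cat.warn, block: cat.block });
  }
  return findings;
}

function chromeAction(finding, version) {
  if (version >= finding.block) return "block";
  if (version >= finding.warn) return "warn";
  return version >= 81 ? "console message" : "none";
}

// Constructed sample page, not taken from any real site.
const SAMPLE = `
<a href="http://cdn.example.com/setup.exe">Installer</a>
<a href="/files/manual.zip">Manual</a>
<a href="http://cdn.example.com/statement" download>Statement</a>
<a href="http://cdn.example.com/about.html">About</a>`;
console.log(findMixedDownloads("https://www.example.com/downloads", SAMPLE).map((x) => [x.url, chromeAction(x, 84)]));
```

The relative link resolves to HTTPS and is not reported; the fix for each reported link is to serve the file over HTTPS.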