As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP.
While it used to be the case that only privacy-sensitive websites like banks needed to be secured with HTTPS encryption, these days it’s effectively become the default, especially as more websites handle our data on a daily basis. Over the last few years, Google has been adding new protections to Chrome to help encourage the use of HTTPS connections wherever possible.
Most notably, the browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also, by default, blocks secure websites from using insecure web forms or offering insecure downloads. This combination of secure and insecure elements is called “mixed content.”
More recently, the company created a toggle in Chrome’s security settings to “Always use secure connections.” Enabling this tells Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue.
According to a new code change and associated explainer, Google is looking to expand that toggle to also protect Chrome users from any and all potentially insecure HTTP downloads. This goes beyond the existing mixed content download protections by blocking downloads from any connection even associated with an insecure website.
For example, if you click an HTTPS download link and it redirects you to an insecure HTTP server followed by a final HTTPS connection, Google Chrome would block the download as unsafe. Similarly, if you’re browsing a website that’s only available through HTTP, Chrome would block any downloads originating from that site.
That said, just like with Chrome’s other forms of blocking insecure websites and downloads, you’ll be able to bypass the block. In that way, it’s more of a loud warning to make sure you know what you’re doing, rather than truly blocking users from potentially unsafe parts of the internet.
In the beginning, this new option to block insecure HTTP downloads will be locked behind a Chrome flag. Later on, though, it’s intended to be available as part of the “Always use secure connections” toggle.
Block insecure downloads
Enables insecure download blocking. This shows a ‘blocked’ message if the user attempts to download a file over an insecure transport (e.g. HTTP) either directly or via an insecure redirect.
As the feature is only just now getting developed, it’s not likely to arrive for broader testing until Chrome 111, set to release in March 2023, while a full launch would likely arrive later in the year.
More on Chrome:
- Google Chrome will start sending new releases to ‘a small percentage’ of users a week early
- Chrome’s in-page price tracking button is live on Android devices
- Google delays start of Manifest V2 Chrome extension deprecation
FTC: We use income earning auto affiliate links. More.