Google Chrome preparing an option to block insecure HTTP downloads

As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads through HTTP.

While it used to be the case that only privacy-sensitive websites like banks needed to be secured with HTTPS encryption, these days it’s effectively become the default, especially as more websites handle our data on a daily basis. Over the last few years, Google has been adding new protections to Chrome to help encourage the use of HTTPS connections wherever possible.

Most notably, the browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome also, by default, blocks secure websites from using insecure web forms or offering insecure downloads. This combination of secure and insecure elements is called “mixed content.”

More recently, the company created a toggle in Chrome’s security settings to “Always use secure connections.” Enabling this tells Chrome to attempt to “upgrade” to the HTTPS version of websites, if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue.

According to a new code change and associated explainer, Google is looking to expand that toggle to also protect Chrome users from any and all potentially insecure HTTP downloads. This goes beyond the existing mixed content download protections by blocking downloads from any connection even associated with an insecure website.

For example, if you click an HTTPS download link and it redirects you to an insecure HTTP server followed by a final HTTPS connection, Google Chrome would block the download as unsafe. Similarly, if you’re browsing a website that’s only available through HTTP, Chrome would block any downloads originating from that site.

That said, just like with Chrome’s other forms of blocking insecure websites and downloads, you’ll be able to bypass the block. In that way, it’s more of a loud warning to make sure you know what you’re doing, rather than truly blocking users from potentially unsafe parts of the internet.
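The two cases described above (an HTTP hop inside an otherwise HTTPS redirect chain, and a download started from an HTTP-only page) amount to a check over the whole chain rather than just the final URL. The sketch below is an added illustration, not code from Chrome or from this article; `classifyDownload`, `isInsecure` and the `.test` hosts are hypothetical, and only `http:` is treated as insecure.

```javascript
// Added illustration, not Chrome's implementation. Names are hypothetical.
// Assumption: only the http: scheme counts as insecure, as in the article.

function isInsecure(urlString) {
  // Unparseable URLs fail closed and are treated as insecure.
  try {
    return new URL(urlString).protocol === "http:";
  } catch {
    return true;
  }
}

// initiator: URL of the page that started the download, or null if none.
// chain: every URL requested for the download, in order, final URL last.
function classifyDownload(initiator, chain) {
  if (!Array.isArray(chain) || chain.length === 0) {
    throw new TypeError("chain must contain at least the final download URL");
  }
  if (initiator !== null && isInsecure(initiator)) {
    return { blocked: true, reason: "initiated from insecure page", url: initiator };
  }
  // Check every hop, not just the last one: an HTTP redirect in the middle
  // taints the download even when the final URL is HTTPS.
  for (let i = 0; i < chain.length; i++) {
    if (isInsecure(chain[i])) {
      const isFinal = i === chain.length - 1;
      return {
        blocked: true,
        reason: isFinal ? "final URL is insecure" : "insecure redirect hop",
        url: chain[i],
      };
    }
  }
  return { blocked: false, reason: "all hops secure", url: chain[chain.length - 1] };
}

// Constructed sample downloads; the .test hosts are placeholders.
const samples = [
  ["https://site.test/", ["https://site.test/get", "https://cdn.test/app.zip"]],
  ["https://site.test/", ["https://site.test/get", "http://mirror.test/r", "https://cdn.test/app.zip"]],
  ["http://legacy.test/", ["https://cdn.test/app.zip"]],
];
for (const [initiator, chain] of samples) {
  const verdict = classifyDownload(initiator, chain);
  console.log(`${verdict.blocked ? "BLOCK" : "ALLOW"}: ${verdict.reason} (${verdict.url})`);
}
```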

In the beginning, this new option to block insecure HTTP downloads will be locked behind a Chrome flag. Later on, though, it’s intended to be available as part of the “Always use secure connections” toggle.

Block insecure downloads

Enables insecure download blocking. This shows a ‘blocked’ message if the user attempts to download a file over an insecure transport (e.g. HTTP) either directly or via an insecure redirect.

#block-insecure-downloads

As the feature is only just now getting developed, it’s not likely to arrive for broader testing until Chrome 111, set to release in March 2023, while a full launch would likely arrive later in the year.


Author

Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and uncovering new features.
