Why Chrome Will Start Blocking Some of Your Downloads
When Google Chrome starts blocking your downloads a few months later, know that there is nothing personal about it; the browser just does its best to keep you safe. You should also know that Chrome is not flawless and you should still do antivirus and malware scans regularly and avoid crappy websites and their malware.
Clear? Here’s what’s going on. Last October, Google announced that it plans to address the mixed content issue in Chrome by preventing HTTP content from being loaded onto HTTPS sites. As Google described:
“HTTPS pages usually suffer from a problem called mixed content, where sub-resources on a page are loaded insecurely over http: //. Browsers block many types of mixed content by default, such as scripts and frames, but images, audio, and video can still load, compromising user privacy and security. For example, an attacker could spoof a blended stock chart image to mislead investors, or inject a tracking cookie into a blended resource load. Loading mixed content also leads to a confusing browser security user interface, where the page appears to be neither safe nor insecure, but somewhere in between. “
You can see this for yourself using a series of demo sites Google created . However, the most obvious to you will be when Chrome will start warning and eventually block unsafe HTTP downloads from HTTPS websites. Alerts will start with Chrome 82, which is scheduled to be released in stable on April 22nd, and Chrome 83 will begin blocking certain file types. Here is the official timeline from Google:
As for the mobile versions of the browser, the same setting of the download blocking will occur, but one cycle later. So in this case, the Android and iOS versions of Chrome still start blocking the download of HTTP executables to HTTPS websites.
Does this mean you can safely download everything (downloadable) from HTTPS sites? No. As Kapersky wrote last year:
“But the problem is that the green lock and the issued certificate do not say anything about the object itself. A phishing page can just as easily obtain a certificate and encrypt all traffic that passes between you and it.
Simply put, a green padlock ensures that no one else can spy on the data you entered. But your password can still be stolen by the site itself if it’s fake.
This is actively used by phishers: according to Phishlabs , today a quarter of all phishing attacks are carried out on HTTPS sites (two years ago it was less than 1 percent). What’s more, more than 80 percent of users believe that simply having a small green padlock and the word “Safe” next to a URL means the site is safe and they don’t think too much before entering their details. “
As always, it’s still your responsibility to ensure that you don’t download sketchy things from sketchy places, install them on your computer, and watch attackers lose control of your digital life. That means you want the usual protections in your browser – a solid AdBlocker or two , of course – and Google’s Safe Browsing settings have turned on:
Also, make sure you are using a reliable antivirus program – even a decent free program is better than none – and check your system regularly for malware . If you’re not sure which file you downloaded, run it in a sandbox or virtual machine so it doesn’t interfere with the rest of your system. And most importantly, stop visiting questionable sites.