Google has revealed plans to initially warn Chrome users about “insecure” downloads and eventually block them outright. “Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files,” Joe DeBlasio of the Chrome security team wrote in a blog post. “Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.”

Beginning with Chrome 82, due for release in April, Chrome will warn users if they’re about to download mixed content executables from a secure website.
Image: Google

Then, when version 83 is released, those executable downloads will be blocked and the warning will be applied to archive files. PDFs and .doc files will get the warning in Chrome 84, with audio, images, text, and video files displaying it by version 85. Finally, all mixed content downloads — a non-secure file coming from a secure site — will be blocked as of the release of Chrome 86. Right now, Google is estimating an October release for that build of the popular web browsing.

“In the future, we expect to further restrict insecure downloads in Chrome,” DeBlasio wrote. This is all part of Google’s effort to fully migrate developers over to HTTPS. Last year, Google began blocking HTTPS sites from pulling down insecure page resources.

Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.

The Verge