Google To Block Insecure Mixed Content Downloads From Chrome 82

Advertisement
Advertisement

Google's browser will begin to be much safer in terms of insecure mixed content downloads starting with Chrome 82. That's according to a recently reported blog post from the company that highlights exactly how and why the company is blocking those.

For clarity, mixed content downloads is a term that refers to downloads that are loaded over an insecure HTTP connection. In particular, those occur when those downloads stem from a site that is itself loaded over a secure HTTPS connection. Starting from Chrome 82, Google will be blocking executable files from being downloaded in those circumstances.

The change here actually falls in line with other recent changes Google has been making to security on the web. Namely, the company has been pushing to stop the abuse of cross-site cookie sharing. But it's also begun to push web developers to utilize more secure HTTPS connections. That includes recent changes to Chrome 80 for Android wherein the browser automatically tries to use HTTPS even on sites that aren't set up that way.

Advertisement

With this change in place, sites will also be forced to ensure that their download connections are at least as secure. That will also help prevent downloads from being hijacked or swapped out by bad actors, ensuring users are safer with their downloads overall.

The timeline for full blocking of mixed content downloads in Chrome

Now, full blocking of mixed content downloads won't be in place with Chrome 82. Instead, Google is giving developers apt time to implement changes needed to ensure their content is secure. That means that a console warning will be in place from version 81 but end users won't see a warning until Chrome 82. Those are slated for mid-March and late-April, respectively.

User-side blocking won't start happening until Chrome 83, tentatively set for release in June. Initial blocking will only be put on executable files. Those are files that execute to run or install a program or app such as those with .exe or .apk file extensions.

Advertisement

Chrome 84, in August, will add in blocking of archive files such as .zip and .iso files. Chrome 85 is expected to land in September. That will add in another layer of blocking, specifically for non-safe types such as PDFs and other documents.

Finally, from Chrome 86, Google will implement blocking on remaining file types. That will include audio, video, images, and text extensions. Version 86 of Chrome is expected to arrive around an October timeframe this year.

What about Android and iOS?

As noted above, Google is already pushing web developers to make sites that utilize HTTPS connections for Android gadgets. The same holds true for Apple's iOS devices. That's not surprising because Android usually falls in line with desktop platforms in terms of Chrome features. But it's going to be a bit slower in terms of blocking mixed content downloads for mobile.

Advertisement

The search giant will be delaying the implementation of first warnings about and then blocking the downloads for Android and iOS. For those platforms, the process will be a full version number behind. So warnings on mobile devices will start in Chrome 83 and then step forward with each successive version number in a similar to the timeline outlined above.

google mix dl table timeline
Chrome mixed content download blocking timeline from Google