Google Outlines Chrome Browser Schedule for Blocking Insecure Web Downloads -- Redmondmag.com

Google Outlines Chrome Browser Schedule for Blocking Insecure Web Downloads

By Kurt Mackie
02/07/2020

Google is planning to issue warnings to Chrome browser users about potentially insecure content that can get downloaded when visiting Web sites.

This effort will kick off in April with Chrome version 82, which will start warning users about insecure executable files on sites, a Thursday Google announcement explained. The warnings about executable files is just the first in a series. Eventually, future Chrome browser releases will distrust and block all insecure content downloads.

Other file types on Web sites pose security risks. Future Chrome browser releases also will warn end users about archive files and document files, as well as image, audio and video files.

Chrome users first will get warnings about the insecure files. Later, site downloads will get blocked. Here's Google's schedule on when those actions will occur for desktop operating system users:

**[Click on image for larger view.]** *Insecure content download warnings and blocks for Chrome desktop browsers. (Source: Feb. 6 Google security blog)*

The schedule will occur a little later for Android and iOS mobile OS users. It'll be off by one Chrome version release.

Google had explained the security issue back in October as a sort of "mixed messages" problem, where HTTPS connections also rely on content that's downloaded via the less secure HTTP protocol:

HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users' privacy and security.

The mixed use of protocols creates a confused security state for browsers. It also can be exploited by attackers. For instance, misleading investment stock charts can be added to seemingly secure Web sites or tracking cookies can be injected, Google explained.

Site developers can avoid the coming warnings and blocks for Chrome users by ensuring that only the HTTPS protocol is used for downloads. It's possible to test turning on these warnings with the current Chrome Canary test version of the browser.

Blocking can be disabled at sites, but doing so will be moving contrary to Google's direction, which is to "further restrict insecure downloads in Chrome."

Back in October, Google had indicated that Chrome version 80 would start permitting mixed images to load in browsers, but users would see a "Not Secure" message in the browser's "omnibox" up top. Chrome 80 also was said back then to compel the loading of audio and video files via HTTPS, blocking downloads that failed.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.