As the battle against cybercriminals and computer viruses ramps up, Google has announced new measures to prevent downloads from non-HTTPS domains.
The main aim of this Chrome development is to counterbalance some of the confusion and complacency that can trip up internet users. There is evidence that some people are lulled into a false sense of security, believing that all downloads on HTTPS websites are safe. In fact, the content could be sitting on an HTTP site, leaving the door open for security risks.
By blocking all non-HTTPS downloads, Google is seeking to close this door, and to stop users from accessing material on HTTP sites simply because they do not understand what the ‘S’ means!
HTTPS v HTTP
Just a quick refresher on the difference between HTTP and HTTPS websites.
The ‘S’ indicates that the domain has an SSL (Secure Sockets Layer) certificate attached to it. This gives internet users an important level of security and privacy and is essential if the site requires them to provide personal information such as payment details. An SSL certificate – viewed as a digital key – indicates a level of encryption and authentication that makes downloads far more secure too.
If an internet user does interact with an HTTP site, including downloading information, there is a risk of inadvertently putting malware or spyware on their computer. This could lead to loss of sensitive personal information such as credit card details and passwords, or infection with a serious computer virus.
When will the new Chrome block happen?
Google has already taken robust steps to help users to be safer online in its Chrome 80 update. This included a new default measure to block mixed audio and video resources from non-HTTPS sources.
The technology giant is expected to bring in the new blocking measure when the new version of Chrome web browser goes live. The Chrome 83 update – due in June 2020 – will sift out and block what Google refers to as “risky downloads”.
In the meantime, when Chrome 81 goes live (due March), Google will add warnings urging users to be cautious of mixed content downloads and .exe files.
This process enables Google – and Chrome browser users – to tackle the issue over the coming months. Step one will be to root out downloads on secure pages that are sitting on HTTP domains. A warning will flag up the potential risks. By Chrome 83, it is expected that they will be blocked automatically.
From then onwards, the technology giant’s Chrome updates are expected to get increasingly strict on where website content can come from, including issuing warnings and eventually blocking archives, disk image files and mixed content downloads of images, audio, video, and text.
By Chrome 86 (due October 2020), it’s expected that Google will completely block all mixed content downloads from non-HTTPS websites.
This is an issue that other browsers are also aware of. For example, Mozilla has announced it will clamp down on the problem but it has so far not revealed its solution.
Exceptions to the new Chrome measure
Can you get around the new non-HTTPS download block?
There will be occasions when internet users do still need to download items from an HTTP site after the block goes live. This could be, for example, material taken from intranet pages or educational sites.
Google has recognised this and has created “InsecureContentAllowedForUrls”, a system to bypass the block and allow HTTP downloads.
What do you need to do to get ready for download blocking?
It is important to contact your hosting provider or website developer to make sure that all your files are covered by HTTPS domains.
Developers can test mixed content downloads in the current version of Chrome Canary, or in Chrome 81 once that is released, by enabling the “Treat risky downloads over insecure connections as active mixed content” flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
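Site owners can also audit their own pages before the block arrives. The following is an added example, not code from Google or catalyst2: it scans the HTML of an HTTPS page for links that resolve to plain HTTP and groups them by the file types named above. The host names, the sample HTML and the extension lists are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Extension groups are assumptions that mirror the file types the article
# names (.exe, archives, disk images); they are not Chrome's own lists.
CATEGORIES = {
    "executable": {".exe", ".msi"},
    "archive": {".zip", ".tar", ".gz", ".7z", ".rar"},
    "disk image": {".iso", ".img", ".dmg"},
}

def categorise(url):
    """Map a URL to one of the groups above by its path extension."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return next((name for name, exts in CATEGORIES.items() if ext in exts), "other")

class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def insecure_downloads(page_url, html):
    """Return (absolute_url, category) for each HTTP link on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on a secure page
    collector = LinkCollector()
    collector.feed(html)
    # urljoin resolves relative and protocol-relative links against the page,
    # so "backup.zip" and "//cdn.example/x" inherit https and are not flagged.
    targets = [urljoin(page_url, h) for h in collector.links]
    return [(t, categorise(t)) for t in targets if urlsplit(t).scheme == "http"]

# Constructed sample page; all hosts use the reserved .example TLD.
SAMPLE_HTML = """
<a href="http://files.example/setup.EXE">Installer</a>
<a href="//cdn.example/manual.pdf">Manual</a>
<a href="backup.zip">Backup</a>
<a href="http://files.example/images/disk.iso?v=2">Disk image</a>
<a href="mailto:help@shop.example">Contact</a>
"""

if __name__ == "__main__":
    for url, kind in insecure_downloads("https://shop.example/downloads/", SAMPLE_HTML):
        print(f"{kind:11} {url}")
```

A static scan like this does not follow redirects, so a link that starts on HTTPS and is redirected to HTTP by the server will not appear in the results.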
For more information on preparing for these changes and migrating all content to HTTPS sites, please contact the team at catalyst2.