The internet has allowed us to improve our lives to a great extent. However, the advent of technology also has its darker side. The exponential growth of the internet has also brought the idea of the dark web, and with it comes the thought of cybercriminals waiting for the vulnerabilities to allow them to strike.
We are currently witnessing a strike back by the IT behemoths. There have been quite a few security-related decisions taken by the web browsers having a significant impact on its end users. One of them Google has decided to block http downloads from HTTPs websites through Google Chrome – the most popular browser that has almost 63.67% of the market share.
What is the new update with Google?
As per Chrome security team, Chrome will ensure that secure (HTTPS) pages only download safe files. In the future, we expect to further restrict insecure downloads in Chrome.
Google has come up with a decision to block all downloads of risky executables. According to a press release, there is a plan to introduce a new Google Chrome update in June – Chrome 83. The browser authority said that it looks forward to blocking the download of files from sites that appear to be secure (i.e., HTTPS websites), but the downloads are loaded through the HTTP website.
The pop-up would be somewhat like the picture below.
Now, for the time being, Google does not wish to block downloads starting from HTTP websites. The reason is that the browser is already marking these websites as “Not secure” on the address bar. The point that the browser giant is making is that users could be tricked into believing that the download is from a secure HTTPS website, but it may not always be accurate.
Files to be blocked, and why?
The Chrome 83 will start with blocking the executable files that pose the highest risk to internet users (.exe and .apk). Gradually, through later releases, Google will block all files types through the Chrome 86 release in October 2020. Users will not be able to download files over HTTP if you are downloading using the HTTPS site.
While Google is already showing red flags HTTP websites as insecure, this update targets all websites that have an SSL certificate but serving their downloads through the HTTP site. Having downloads over HTTP on an HTTPS site has its inherent risks. This “mixed content” download could lead to some unscrupulous elements injecting some viruses or malware into your system. It isn’t straightforward for the user to know that the download is from an HTTP URL. It is this security vulnerability that Google is trying to address.
A phased approach to block risky downloads
Google Chrome will start blocking unsafe downloads in a phased manner that we will talk about now.
Chrome 81: This browser version will be released in March 2020. It will show a console message to all webmasters and users about all downloads with mixed content.
Chrome 82: Projected to be released later in April this year, it will warn internet users against executable files and show a console warning for all other file types.
Chrome 83: This release in June 2020 will start to block executables files. Chrome will block executable files with mixed content downloads. It will warn users about archive files with mixed content while console warnings for other file types will be continued.
Chrome 84: Through this release in August 2020, Chrome will additionally block archives and disk images. Warnings will be shown against mixed content downloads namely pdf, MS Office documents, etc. Console warnings will not be displayed against mixed content for videos, audio, text, and images.
Chrome 85: In keeping with its stage-wise blocking of risky downloads, this release in September later 2020 year will see Chrome blocking all file types except text, audio files, videos, and images. For these files, a console warning will be shown.
Chrome 86: Finally, Google Chrome will block all perilous mixed content downloads. This release will be in October 2020.
There has been a catch, though. Google will provide some leeway in controlled situations and may allow downloads in a controlled environment, like in intranets.
It’s not only Google that has been contemplating this activity. There are similar updates planned for mobile users on iOS and Android. Mozilla had also suggested such a move, but there has been no concrete announcement from them. Shortly Firefox could also have an update to block mixed content.
What can you do?
It is in the best interests of webmasters to have the entire content on HTTPS. The substantial benefit is that it will encrypt the communication between the web server and the browser. This way, the communication cannot be read by any third-party and provides the necessary security to protect the information about the visitors to your site. However, some websites may not have all the web pages migrated into HTTPS. There are several SSL providers offering SSL certificates that may fit within your budget. Still many webmasters may not even be aware of the pages that load on HTTP. There are various tools to find out the pages always on HTTPS.
It is quite frustrating to have mixed content despite installing an SSL certificate. You must apply the HTTPS connection for all the web pages. If you find anything amiss about mixed content warning, you should contact your developer to fix it.
A Bottom points
Google has taken the initiative to ensure the internet is safe for users on its Google Chrome browser. Having an insecure website will anyways tank your SERP rankings as Google prioritizes HTTPS websites. Taking a step forward, Google is deploying a series of updates to take the challenge of mixed content head-on.
Over a slew of releases, Google Chrome will block downloads of mixed content to ensure a safer internet for users of its browser. It serves in your best interest to migrate all your web pages to the HTTPS version. If you are still on HTTP, you will need to install an SSL certificate soon.