Google Chrome Will Soon Start Blocking Insecure Downloads (theverge.com)
"Google has revealed plans to initially warn Chrome users about 'insecure' downloads and eventually block them outright," reports The Verge.
The warnings will begin in April:
"Today we're announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files," Joe DeBlasio of the Chrome security team wrote in a blog post. "Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements."
Beginning with Chrome 82, due for release in April, Chrome will warn users if they're about to download mixed content executables from a secure website. Then, when version 83 is released, those executable downloads will be blocked and the warning will be applied to archive files. PDFs and .doc files will get the warning in Chrome 84, with audio, images, text, and video files displaying it by version 85. Finally, all mixed content downloads — a non-secure file coming from a secure site — will be blocked as of the release of Chrome 86. Right now, Google is estimating an October release for that build of the popular web browser.
Bad! (Score:5, Insightful)
Let me decide what to download and which sites to enter!
Re:Bad! (Score:5, Insightful)
Let me decide what to download and which sites to enter!
Exactly....as long as there's a way to override this then I'm okay with it, but stop holding my hand to the point where you won't fucking let go.
Warn me, nag me, chastise me, blah blah blah, but if I really really want to do it, get the hell out of my way.
Re:Bad! (Score:4, Interesting)
Google [maybe as a hired contractor] is weaponizing HTTPS to control what you see on the internet.
Re:Bad! (Score:5, Interesting)
Is this feasible, or am I being paranoid?
Re: (Score:2)
It's paranoia. If they did that it would be rejected by the rest of the world who want their own certificate authorities that they trust. For example the EU and China are not going to be okay with their certificate authorities, managing their local TLDs, being removed from browsers.
It would be easier for the US just to create a Chinese style firewall for the entire country, which I think it also highly unlikely.
Re: (Score:3)
The end game is that the United States National Security Agency previously infiltrated Google to take user data without a warrant and going forward Google is changing the whole world so that nobody can take user data without a warrant.
Compare that to Apple, who stores more customer private data than any other company. Apple wanted to encrypt (end-to-end, customer-encrypted) this so that it could not access its customers' data. The FBI asked it not to do this and so Apple abandoned its plan.
Re: (Score:2)
Google is already a weapon. A terrible weapon. *Grabs Tin Hat*
Every credit card or bank login you have ever visited. Your security questions AND your two factor authentication.
You have ever typed into the Google product.
The economies of nations and its peoples' finances can be completely locked out. Go buy some gas? Get to work? Ship or buy food?
The top bidder isn't for money but for market share. *Cough* China * Cough*
Re: Bad! (Score:4, Insightful)
Re: (Score:2, Insightful)
Lol, Firefox, which now, when you open a new tab, tells you that you have to restart the whole browser before doing anything else because it updated in the background?
It's lovely when you have a bunch of shit open in other tabs that won't come back to the state you left it in if you reboot.
Re: (Score:2)
Re: (Score:2)
Not a problem in Linux where you control your upgrades. Just sayin... :)
Ummm, this happens on Linux too. It drives me bonkers, you literally can't get past it without doing the update.
Re: (Score:2)
Re: (Score:2)
I wonder how many people who know little past some basic terminal commands would even think of doing anything like this, let alone know how to do it. :\
unattended-upgrades by default (Score:2)
Yes, you can set it to auto update... But you can also not.
And most people don't change the default, which for Ubuntu is to turn on unattended-upgrades [debian.org]. I'm aware that Ubuntu is only one of many distributions of X11/Linux, but do more desktop Linux distributions have auto update on or off after installation?
Re: (Score:2)
You can set Mint to ask permission for all updates. but Firefox will still sometimes ambush you and force you to update, often losing some screens that have any kind of in-process thing going like forms or deeply-scrolled pages.
Re: (Score:2)
I'm trying to remember when we got to the point where the vast majority became willing to just bend down and take it :\
Heartless Multinational corporation: "We will abuse you and you will like it"
Heartless World LLC: "We won't abuse you as much as HMnC but we will abuse you" :\
Re: (Score:3)
I think the trick will be to copy the link and paste it in the address bar of a new tab.
The same trick that is used to hide the referer, for example to bypass anti-hotlinking protections.
Re: (Score:2)
Re: (Score:2)
Chrome has a lot of negative attributes (it's a resource hog for one) but their insistence on moderating my ability to use the web as I see fit has pretty much sealed the deal for me. Chrome is a heaping pile of garbage for anyone looking to do things on the web other than the corporately sanctioned activities.
Re: (Score:2)
The whole HTTPS thing is also bogus, it's a trap, designed to control the "unauthorized" distribution of information. Just hack the cert, and you can redirect/block anything.
Re: (Score:2)
Seriously, either skip SSL completely so your downloads work, or use SSL on both the downloads and the links to them!
This will only encourage site operators to "skip SSL completely so your downloads work," especially for (say) a page hosting an index of download URLs submitted by users.
Re: Bad! (Score:3)
Why? You might want https to process payments or authenticate users. But you may not care that your public files are not sent encrypted.
I don't have any problem with mixing HTTP and HTTPS. Both have their use case.
Signing-only TLS? (Score:2)
But you may not care that your public files are not sent encrypted.
Is there a way to send them digitally signed (by the server) but not encrypted? I'm not aware of any signing-only cipher suites in TLS.
Re: (Score:2)
""Not care" generally means it doesn't matter either way."
Not true, it requires effort and therefore expense to needlessly encrypt. Also you are pretending that the site which links files also controls them and that is not necessarily the case.
You don't have to go very far out of your way to create this scenario at all. Slashdot has submissions all day long, some of them link to files such as the NSA python FOIA request thing not too far back. If those files happen to be on http:// sources they'll be block
this is crazy (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
"It's only mixed content sites where it appears to the user that the page is secure but actually the download is insecure that are affected."
Right, like when a pdf is linked in a slashdot summary and happens to be from an http source.
Notification makes sense, blocking does not. Anywhere final authority doesn't rest with the user is a problem. It isn't unfair to consider Chrome itself malware given this attitude.
Re: (Score:3)
No, because when you link to another site it's a link, not mixed content. The PDF doesn't display on slashdot.org, you have to navigate away from Slashdot to view it. It would only be an issue when the PDF is being displayed in an iFrame or something.
Re: (Score:2)
I haven't gone to extremes like RTFA but this specifically indicates downloads and while technically all content is a download in a literal sense the jargon typically references a file download for offline/external usage of some sort like a pdf, torrent, zip, etc.
Mixed content of the sort you mention wouldn't make much sense because you already get an alert when a secure site downloads insecure content. So the initial change wouldn't be a change if that is what they are referring to.
Re:this is crazy (Score:4, Informative)
Internet best practice: Do not use Chrome....
Net Nanny? (Score:2)
Next they'll start blocking torrent tracker info.
And then any site that makes unwanted comments about Google.
Re:Net Nanny? (Score:4, Funny)
Next they'll start blocking torrent tracker info.
Naq gura nal fvgr gung znxrf hajnagrq pbzzragf nobhg Tbbtyr.
Sorry... I can't make out that second line there...
This seems to be yet another way of control (Score:5, Insightful)
Re: (Score:2)
I was with you until you mentioned XMLdsig.
If XMLdsig is involved, then I expect the system it's a part of to be insecure. Not because of any known breach -- who knows, XMLdsig might even be theoretically secure, in the unlikely event that it's implemented correctly -- but because anyone choosing to do things the XMLdsig way is incompetent when it comes to security.
Signatures embedded within the data that it's signing, need I say more?
Re: (Score:2)
Re: (Score:2)
You speak as though XMLdsig is the only way to sign something. But there's PGP and S/MIME. Why, you could even roll your own simple file format with SHA and ECDSA and a little randomness mixed in, and it would probably still be better than XMLdsig, because there'd be no XML normalisation, no signature-within-the-signed, no partial document signing, and no downgrade attacks.
Xmldsig is [....] part of the European mandatory eIDAS framework
Maybe the brits were right to leave.
Re: (Score:3)
WTF? It's literally an ad populum and a false dich (Score:2)
That is exactly, why his arguments are invalid and childish nonsense!
Flamebait? Really??
My arguments could not have been more precise, clear and concise!
What moron got mod points again??
Do I really need to explain why it's an ad populum and a false dichotomy, because even the moderators are too stupid to see it?
Jeez, bunch of morons in here... --.--
Really? (Score:2)
That is your response?
Sorry, you're literally not even making any arguments. So I got nothing that needs replying to.
Call us when you qualify for a reasonable discussion. And when you learned what "ad populum" and "false dichotomy" even means.
Teenage mutant ninja trolls getting the mod points. Great job, Slashdot!
Re: (Score:2)
Signatures embedded within the data that it's signing, need I say more?
I'd normally agree with you, there shouldn't be any need to use HTTPS for large downloads if the content is signed. But that really only works if you also check the signature and confirm that it's the one you're expecting.
There's absolutely nothing stopping Alice from signing her own substitute content that she knows Bob will download from Charlie's HTTP web site over her MiTMd connection.
Re: (Score:2)
Re: (Score:2)
You can still create an insecure HTTP site if you really want. It's mixing HTTP and HTTPS that is the problem. There is no good way to warn the user that random parts of the page are insecure while the rest is okay.
Insecure caching or malware, take your choice. As we learned from Snowden and many other attacks over the years, if it's insecure it will be exploited, no exceptions.
Re: (Score:2)
Except it is the NSA tracing HTTP that is the end of the anonymous internet. HTTPS makes it harder for them to do so.
Gatekeeper (Score:2, Interesting)
Seems in order to 'protect' its users, Google is more and more acting as a gate keeper. Not only can they decide what shows up in the search results - as in - Google more or less decides who exists on the net and who doesn't. Now it also decides what we can download. Youtube already decides what we can and cannot watch.
2030 - Google applies for virtual government status.
Re: (Score:2)
Youtube already decides what we can and cannot watch.
I use another video site too. No boogeyman jumps out to stop me.
Re: (Score:2)
Re: (Score:2)
Fahrenheit 451 wants to have a chat with you.
https I get! But what is a (Score:3)
Just my 2 cents
Niche software getting censored (Score:3)
Define insecure (Score:2)
Well, they have, but really really badly.
But, I guess unless you keep flailing around coming up with rubbish ideas you are no longer "innovative."
Ok then pay my hardware upgrade bill to get ipmi (Score:2)
Ok then pay my hardware upgrade bill to get systems with that nice ipmi HTML5 that can mount ISO.
Upgrade all my switches and routers to new ones with HTML5 config.
Give me a 5-year cert for my ldap / ad system.
Re: (Score:2)
I wonder how much of this is controllable, say, by the Chrome ADMX GPO stuff.
Re: (Score:2)
The old java and flash don't even run in Chrome any more. Firefox dropped old java.
Waterfox does run the older java.
Re: (Score:2)
Is there a browser that is NOT as strict out of the box? Chrome has already pissed me off from removing the https in the browser bar, as for YEARS we have told our users this is how to at least check if a site is using HTTPS or not.
I have no idea if what I'm thinking is correct, but I'll throw it out there anyway: perhaps Chromium browser is "not as strict". Also, it may be easier to configure it to show the entire URL, including the 'http(s)'. And because it's open source, even if it doesn't do what you want OOTB, it may be easy for a programmer with the appropriate experience to modify it.
It's been a long time since I've used Firefox - I switched to Pale Moon when they introduced the stupid Australis UI, and was glad I had done so w
Re: (Score:2)
So... (Score:3)
Since literally anyone can get a certificate with zero verification (Let's Encrypt, anyone?), all this does is break things and add annoyance.
Re: (Score:2)
No it doesn't. (Score:3)
Anybody at any CA in your browser's list of blindly trusted root CAs can play MITM.
That is a LOT of people. Even entire shady governments and corporations.
Oh, and depending on how you got your browser... OS... computer... :D ... But let's leave that for another Halloween bedtime story. :D
Let's just say, if you want a security existential crisis, look up the paper on dopant-level hardware trojans.
Re: (Score:2)
Because anyone can get a cert and make the address bar look exactly like it does right now to you.
How do you do that?
Re: (Score:2)
A sufficiently dedicated attacker can insert their hardware between your DNS or HTTP server and the Internet, hijack your DNS or your port 80, and obtain a certificate for your domain name from Let's Encrypt through its ACME endpoint.
Re: (Score:2)
Re: (Score:2)
There's a difference between telling something to an unknown person and shouting it to them across a crowded room.
I'm glad that I never switched to Chrome, (Score:4, Interesting)
even when it used to be a lot faster many years ago....
Re: (Score:2)
Why? Do you hate security so much that attempts in improving it make you glad you're not a part of it?
Re: (Score:3)
Web pages without private or sensitive data do not need to be "secure". You don't need a secure connection to download a piece of software from a trusted source.
Re: (Score:2)
Web pages without private or sensitive data do not need to be "secure". You don't need a secure connection to download a piece of software from a trusted source.
But how do you know that you are really downloading from your trusted source? With things like DNS spoofing [wikipedia.org], plain http could be connecting you to a bogus version of your trusted source. https is not just about encryption; it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.
Re: (Score:2)
> But how do you know that you are really downloading from your trusted source?
You could use a local host file for your trusted source. :p
> it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.
Which requires that everyone now pay the certificate tax to be a trusted site. What if I don't want to pay that tax?
Re: (Score:2)
> it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.
Which requires that everyone now pay the certificate tax to be a trusted site. What if I don't want to pay that tax?
Well, it's not a "certificate tax"; you are paying a widely recognised (and trusted) certificate authority (CA) to issue you with a certificate, having verified that you are the legitimate owner of the domain. And, if you really don't want to pay for a certificate, these days there is always the Let's Encrypt [letsencrypt.org] option.
The thing about X.509 certificates is that they "just work" for anybody with web browser. You can (as I do) download software that is GPG signed [gnupg.org] by the author. But that is a level of complexity
Re: (Score:2)
>Well, it's not a "certificate tax"; you are paying a widely recognised (and trusted) certificate authority (CA) to issue you with a certificate, having verified that you are the legitimate owner of the domain. And, if you really don't want to pay for a certificate, these days there is always the Let's Encrypt [letsencrypt.org] option.
Sounds like a tax to me. People don't need a CA to verify that my static website is authentic. That's called overkill.
Likewise, I don't need Google or any other browser dev
The internet just seems to get (Score:2)
Makes me think I should load up Tor and check out the Dark Web where all the media keeps saying the criminals hang out and see what it is like.
I can still recall the first time I dialed up Delphi and got on Internet and IRC. The unknown, the thrill at the command prompt. I was on the Internet so where will this take me.
Just my 2 cents
Re: (Score:2)
The billable hours at the top of the job book always come first
One of Life's little realities
cost of https? (Score:2)
The problem I see here is the cost for certificates for non-commercial websites to support https.
What's a source for free HTTPS PKI certificates?
Re:cost of https? (Score:5, Informative)
Re: (Score:2)
I was pretty excited about it until I found it the certificates are just valid for one year.
Re: cost of https? (Score:3)
They're only valid for 3 months. It's designed to be automated.
As a competent admin... (Score:2)
... you should find a way to automate that quickly. (I think there are tools for it.)
Re: (Score:2)
Yeah but for my little appliance devices it's just not worth the effort. Self signed are totally fine for this despite what chrome tells me.
Re: (Score:2)
Re: (Score:2)
Default install of let's encrypt on any system includes automated renewal.
You shouldn't be concerned. No one else using them is.
Re: cost of https? (Score:2)
There are ways to use letsencrypt without affecting the target machine. I have used the route53 method successfully, but there are others available.
Having to buy a domain name for your home LAN (Score:3)
Using Let's Encrypt or any other public CA requires first buying a domain name. This is fine for websites on the Internet, not so much for appliances on private home LANs. What is the fully-qualified domain name of the router, printer, or NAS box on your LAN?
Re: (Score:2)
Re: (Score:2)
Chrome (Score:2)
Every time I am forced to use it I just go dam! this crap sucks!
Just my 2 cents
Cannot you already prohibit mixed content? (Score:2)
Cannot one already prohibit mixed content? If not, then why not? Every browser since, oh, I don't know, the first one to support HTTPS has had a switch to enable or disable mixed content. Why is Chrome so far (multiple decades) behind the times? Clearly Chrome is a badly designed piece of shit. Glad I do not permit it to infest any computer I use.
Security theater. (Score:3)
Given past experiences with CAs, I wouldn't trust CA-signed TLS connections one bit more than unencrypted connections.
There is no way around getting to actually know the person (and his software) you are trusting with your computer.
Trusting some unknown third party blindly, to declare another fourth party trustworthy, is insanity. Won't make much of a difference, except narrowing down access to a very specific set of assholes with more power over you.
Re: (Score:2)
So you're of the opinion that telling a secret to a stranger and shouting a secret to a stranger across a crowded room have the same security implications?
Another ignorant post brought to you by BAReFO0t
No interest in https (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I am using the web as it was originally intended to be: a way to disseminate information. Nothing I'm doing is private in any way
Until an ISP injects advertising between your personal site and its viewers. Comcast, for example, has been caught doing this. Perhaps what we're missing is a signing-only cipher suite for HTTPS.
Re: (Score:2)
Ideally, DogDude's website would support both http and https. For those of us visiting at a coffee shop who don't want Comcast to inject ads, or for someone else to inject other crap, we would have the option of loading HTTPS. Additiona
Re: (Score:2)
It's not up to you to decide if the person reading your content may be persecuted for reading it. That's entirely up to those two parties.
Why not give them the tools to protect themselves? It's not a question of interest nor one of the purpose of the internet, just a question of pure misguided laziness.
False sense of security. (Score:2)
This is just getting ridiculous. Perhaps we need a second internet for the participants that need a rubber room.
Re: (Score:2)
What does this mean for my simple http website? (Score:2)
Is this going to break them or make them unusable? Am I going to HAVE to get off my butt and learn WordPress and migrate the sites?
Re: (Score:2)
This is about Google Drive, right? (Score:2)
Total blocking is anti-user... (Score:2)
I was looking for a text representation of a basic food recipe, but only getting all kinds of bullshit amateur-youtube-cooking-show search results that were videos, trying to figure out what setting was wrong... and there was no wrong setting.
There was no setting to change?
Apparently that is what it was supp
great! (Score:2)
great, this will stop absolutely nothing bad from happening.