Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Chrome Google Encryption

Google Chrome Will Soon Start Blocking Insecure Downloads (theverge.com) 139

"Google has revealed plans to initially warn Chrome users about 'insecure' downloads and eventually block them outright," reports The Verge. The warnings will begin in April: "Today we're announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files," Joe DeBlasio of the Chrome security team wrote in a blog post. "Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements."

Beginning with Chrome 82, due for release in April, Chrome will warn users if they're about to download mixed content executables from a secure website. Then, when version 83 is released, those executable downloads will be blocked and the warning will be applied to archive files. PDFs and .doc files will get the warning in Chrome 84, with audio, images, text, and video files displaying it by version 85. Finally, all mixed content downloads — a non-secure file coming from a secure site — will be blocked as of the release of Chrome 86. Right now, Google is estimating an October release for that build of the popular web browsing.

This discussion has been archived. No new comments can be posted.

Google Chrome Will Soon Start Blocking Insecure Downloads

Comments Filter:
  • Bad! (Score:5, Insightful)

    by fustakrakich ( 1673220 ) on Sunday February 16, 2020 @02:51PM (#59733578) Journal

    Let me decide what to download and which sites to enter!

    • Re:Bad! (Score:5, Insightful)

      by JustAnotherOldGuy ( 4145623 ) on Sunday February 16, 2020 @04:04PM (#59733790) Journal

      Let me decide what to download and which sites to enter!

      Exactly....as long as there's a way to override this then I'm okay with it, but stop holding my hand to the point where you won't fucking let go.

      Warn me, nag me, chastise me, blah blah blah, but if I really really want to do it, get the hell out of my way.

      • Re:Bad! (Score:4, Interesting)

        by fustakrakich ( 1673220 ) on Sunday February 16, 2020 @04:36PM (#59733890) Journal

        Google [maybe as a hired contractor] is weaponizing HTTPS to control what you see on the internet.

        • Re:Bad! (Score:5, Interesting)

          by Tim Hamilton ( 5961502 ) on Sunday February 16, 2020 @11:17PM (#59734578)
          What is the end game? Does Google or perhaps the US government have a way to gain a monopoly on certificates? I have wondered this for a while. When you have forced everyone to use TLS and no one's browser supports HTTP anymore and you have a monopoly on the certs, that means that you would pick and choose who gets to stay on the web.

          Is this feasible, or am I being paranoid?
          • by AmiMoJo ( 196126 )

            It's paranoia. If they did that it would be rejected by the rest of the world who want their own certificate authorities that they trust. For example the EU and China are not going to be okay with their certificate authorities, managing their local TLDs, being removed from browsers.

            It would be easier for the US just to create a Chinese style firewall for the entire country, which I think it also highly unlikely.

          • The end game is that the United States National Security Agency previously infiltrated Google to take user data without a warrant and going forward Google is changing the whole world so that nobody can take user data without a warrant.

            Compare that to Apple, who stores more customer private than any other company. Apple wanted to encrypt (end-to-end customer encrypte) this so that it could not access its customer's data. The FBI asked it not to do this and so Apple abandoned its plan.

        • by Hylandr ( 813770 )

          Google is already a weapon. A terrible weapon. *Grabs Tin Hat*

          Every credit card or bank login you have ever visited. Your security questions AND your two factor authentication.

          You have ever typed into the Google product.

          The economies of nations and it's peoples finances can be completely locked out. Go buy some gas? Get to work? Ship or buy food?

          The top bidder isn't for money but for market share. *Cough* China * Cough*

      • Re: Bad! (Score:4, Insightful)

        by Malays Boweman ( 5369355 ) on Sunday February 16, 2020 @04:39PM (#59733900)
        Time to switch to Firefox. I don't need a heartless multinational corporation to tell me what to do.
        • Re: (Score:2, Insightful)

          by apoc.famine ( 621563 )

          Lol, Firefox, which now, when you open a new tab, tells you that you have to restart the whole browser before doing anything else because it updated in the background?

          It's lovely when you have a bunch of shit open in other tabs that won't come back to the state you left it in if you reboot.

          • Not a problem in Linux where you control your upgrades. Just sayin... :)
            • Not a problem in Linux where you control your upgrades. Just sayin... :)

              Ummm, this happens on Linux too. It drives me bonkers, you literally can't get past it without doing the update.

              • If you install the browser with the package management system, it only upgrades with that package management system. And you totally control that. Yes, you can set it to auto update... But you can also not.
                • I wonder how many people who know little past some basic terminal commands would even think of doing anything like this, let alone know how to do it. :\

                • Yes, you can set it to auto update... But you can also not.

                  And most people don't change the default, which for Ubuntu is to turn on unattended-upgrades [debian.org]. I'm aware that Ubuntu is only one of many distributions of X11/Linux, but do more desktop Linux distributions have auto update on or off after installation?

                  • You can set Mint to ask permission for all updates. but Firefox will still sometimes ambush you and force you to update, often losing some screens that have any kind of in-process thing going like forms or deeply-scrolled pages.

          • I'm trying to remember when we got to the point where the vast majority became willing to just bend down and take it :\

              Heartless Multinational corporation: "We will abuse you and you will like it"

              Heartless World LLC: "We won't abuse you as much as HMnC but we will abuse you" :\

      • by GuB-42 ( 2483988 )

        I think the trick will be to copy the link and paste it in the address bar of a new tab.
        The same trick that is used to hide the referer, for example to bypass anti-hotlinking protections.

    • I would pay good money for a STFU browser that let me connect to any website, including self signed certs, without warning. And actually let me connect to my old printer without having to clock OK 1000 times on java.
    • Chrome has a lot of negative attributes (it's a resource hog for one) but their insistence on moderating my ability to use the web as I see fit has pretty much sealed the deal for me. Chrome is a heaping pile of garbage for anyone looking to do things on the web other then the corporately sanctioned activities.

  • this is crazy (Score:5, Insightful)

    by mister.woody ( 2712229 ) on Sunday February 16, 2020 @02:52PM (#59733580)
    I can accept a warning but this is too much. I hope it will be easy to disable such a feature. Otherwise it is just another form of censorship.
    • Comment removed based on user account deletion
    • Re:this is crazy (Score:4, Informative)

      by gweihir ( 88907 ) on Sunday February 16, 2020 @10:17PM (#59734528)

      Internet best practice: Do not use Chrome....

  • Next they'll start blocking torrent tracker info.

    And then any site that makes unwanted comments about Google.

  • by Skinkie ( 815924 ) on Sunday February 16, 2020 @02:59PM (#59733612) Homepage
    Forcing HTTPS on end-users limiting the use of caching of content does hurt both providers of static content and end-users. Creating a business model for CDN services where smaller hosting companies just can't compete anymore. Certificates alone only solve the the end-to-end transmission and maybe give some false sense of security from man-in-the-middle approaches. Still even if you download a file, without things like digital signatures for example XMLdsig or a inline GPG signature, the content could still be not from the origin you expect it. I find the forcing HTTPS for static content especially full of hypocrisy by Google if I would introduce their data saver [chrome.com] service.
    • I was with you until you mentioned XMLdsig.

      If XMLdsig is involved, then I expect the system it's a part of to be insecure. Not because of any known breach -- who knows, XMLdsig might even be theoretically secure, in the unlikely event that it's implemented correctly -- but because anyone choosing to do things the XMLdsig way is incompetent when it comes to security.

      Signatures embedded within the data that it's signing, need I say more?

      • by Skinkie ( 815924 )
        Xmldsig is used in several big Dutch authenication exchanges as part of the European mandatory eIDas framework and signs parts of the DOM tree. Would you trust DNSSEC better?
        • You speak as though XMLdsig is the only way to sign something. But there's PGP and S/MIME. Why, you could even roll your own simple file format with SHA and ECDSA and a little randomness mixed in, and it would probably still be better than XMLdsig, because there'd be no XML normalisation, no signature-within-the-signed, no partial document signing, and no downgrade attacks.

          Xmldsig is [....] part of the European mandatory eIDas framework

          Maybe the brits were right to leave.

      • Signatures embedded within the data that it's signing, need I say more?

        I'd normally agree with you, there shouldn't be any need to use HTTPS for large downloads if the content is signed. But that really only works if you also check the signature and confirm that it's the one you're expecting.

        There's absolutely nothing stopping Alice from signing her own substitute content that she knows Bob will download from Charlie's HTTP web site over her MiTMd connection.

    • by AmiMoJo ( 196126 )

      You can still create an insecure HTTP site if you really want. It's mixing HTTP and HTTPS that is the problem. There is no good way to warn the user that random parts of the page are insecure while the rest is okay.

      Insecure caching or malware, take your choice. As we learned from Snowden and many other attacks over the years, if it's insecure it will be exploited, no exceptions.

  • Gatekeeper (Score:2, Interesting)

    by Anonymous Coward

    Seems in order to 'protect' it's users, Google is more and more acting as a gate keeper. Not only can they decide what shows up in the search results - as in - Google more or less decides who exists on the net and who doesn't. Now it also decides what we can download. Youtube already decides what we can and cannot watch.

    2030 - Google applies for virtual government status.

  • by oldgraybeard ( 2939809 ) on Sunday February 16, 2020 @03:07PM (#59733632)
    secure file?

    Just my 2 cents ;)
  • by xack ( 5304745 ) on Sunday February 16, 2020 @03:08PM (#59733636)
    It’s already a problem when you want to download software for niche purposes and getting Windows and Chrome trying to block it as “not commonly downloaded” and this includes competing web browsers that are small and not paid off by Google. Making it so only “secure” websites can downloads can download will lull people into a false sense of security since anyone can be “secure” these days thanks to letsencrypt. Malware will just use botnets to make it look like it’s secure and commonly downloaded while legitimate software gets blocked.
  • Well, they have, but really really badly.

    But, I guess unless you keep flailing around coming up with rubbish ideas you are no longer âoeinnovative.â

  • Ok then pay my hardware upgrade bill to get systems with that nice ipmi HTML5 that can mount ISO.
    Upgrade all my switches and routers to new ones with HTML5 config.
    Give me an 5 year cert for my ldap / ad system.

    • At my work, we have this problem too. We are still running a single 2008 "admin server" with older browsers, older Java, etc just because we still have older switches that the console is running in some unsigned Java applet, or the switch doesn't support TLS1.1/1.2, etc. We have been working on getting rid of all of them, but at 3-5K a pop they are considered a "capital expense" and must be budgeted and approved by higher-ups.

      I wonder how much of this is controllable, say, by the Chrome ADMX GPO stuff.
      • The old java and flash don't even run in Chrome any more. Firefox dropped old java.

        Waterfox does run the older java.

      • Is there a browser that is NOT as strict out of the box? Chrome has already pissed me off from removing the https in the browser bar, as for YEARS we have told our users this is how to at least check if a site is using HTTPS or not.

        I have no idea if what I'm thinking is correct, but I'll throw it out there anyway: perhaps Chromium browser is "not as strict". Also, it may be easier to configure it to show the entire URL, including the 'http(s)'. And because it's open source, even if it doesn't do what you want OOTB, it may be easy for a programmer with the appropriate experience to modify it.

        It's been a long time since I've used Firefox - I switched to Pale Moon when they introduced the stupid Australis UI, and was glad I had done so w

      • I would pay good money for a browser that does not bitch about self signed certs and runs older java. But the only one I have found is a VM of Ubuntu from 10 years ago.
  • by xlsior ( 524145 ) on Sunday February 16, 2020 @03:13PM (#59733648)
    ...Just a false sense of security, then?

    Since literally anyone can gets a certificate with zero verification (lets encrypt, anyone?), all this does is break things and add annoyance.
    • It prevents MITM, that's all.
      • Anybody at any CA in your browser's list of blindly trusted root CAs can play MITM.
        That is a LOT of people. Even entire shady governments and corporations.

        Oh, and depending on how you got your browser... OS... computer... :D ... But let's leave that for another Halloween bedtime story.
        Let's just say, if you want a security existential crisis, look up the paper on dopant-level hardware trojans. :D

    • There's a difference between telling something to an unknown person and shouting it to them across a crowded room.

  • by maybe111 ( 4811467 ) on Sunday February 16, 2020 @03:17PM (#59733658)

    even when it used to be a lot faster many years ago....

    • Why? Do you hate security so much that attempts in improving it make you glad you're not a part of it?

      • Web pages with out private or sensitive data do not need to be "secure". You don't need a secure connect to download a piece of software from a trusted source.

        • by Jahta ( 1141213 )

          Web pages with out private or sensitive data do not need to be "secure". You don't need a secure connect to download a piece of software from a trusted source.

          But how do you know that you are really downloading from your trusted source? With things like DNS spoofing [wikipedia.org], plain http could be connecting you to a bogus version of your trusted source. https is not just about encryption; it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.

          • > But how do you know that you are really downloading from your trusted source?

            You could use a local host file for your trusted source. :p

            > it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.

            Which requires that everyone now pay the certificate tax to be a trusted site. What if I don't want to pay that tax?

            • by Jahta ( 1141213 )

              > it also verifies that the server you are connected to (at say foo.com) has a valid X.509 [wikipedia.org] certificate for the foo.com domain.

              Which requires that everyone now pay the certificate tax to be a trusted site. What if I don't want to pay that tax?

              Well, it's not a "certificate tax"; you are paying a widely recognised (and trusted) certificate authority (CA) to issue you with a certificate, having verified that you are the legitimate owner of the domain. And, if you really don't want to pay for a certificate, these days there is always the Let's Encrypt [letsencrypt.org] option.

              The thing about X.509 certificates is that they "just work" for anybody with web browser. You can (as I do) download software that is GPG signed [gnupg.org] by the author. But that is a level of complexity

              • >Well, it's not a "certificate tax"; you are paying a widely recognised (and trusted) certificate authority (CA) to issue you with a certificate, having verified that you are the legitimate owner of the domain. And, if you really don't want to pay for a certificate, these days there is always the Let's Encrypt [letsencrypt.org] option.

                Sounds like a tax to me. People don't need a CA to verify that my static website is authentic. That's called overkill.

                Likewise, I don't need Google or any other browser dev

  • more and more like a Playskool product for toddlers.
    Makes me think I should load up Tor and check out the Dark Web where all the media keeps saying the criminals hang out and see what it is like.

    I can still recall the first time I dialed up Delphi and got on Internet and IRC. The unknown, the thrill at the command prompt. I was on the Internet so where will this take me.

    Just my 2 cents ;)
  • The problem I see here is the cost for certificates for non-commercial websites to support https.

    What's a source for free HTTPS PKI certificates?

  • is such a PITA
    Every time I am forced to use it I just go dam! this crap sucks!

    Just my 2 cents ;)
  • Cannot one already prohibit mixed content? If not, then why not? Every browser since, oh, I don't know, the first one to support HTTPS has had a switch to enable or disable mixed content. Why is Chrome so far (multiple decades) behind the times? Clearly Chrome is a badly designed piece of shit. Glad I do not permit it to infest any computer I use.

  • by BAReFO0t ( 6240524 ) on Sunday February 16, 2020 @03:55PM (#59733754)

    Given past experiences with CAs, I wouldn't trust CA-signed TLS connections one bit more than unencrypted connections.

    There is no way around getting to actually know the person (and his software) you are trusting with your computer.

    Trusting some unknown third party blindly, to declare another fourth party trustworthy, is insanity. Won't make much of a difference, except narrowing down access to a very specific set of assholes with more power over you.

    • So your of the opinion that telling a secret to a stranger and shouting a secret to a stranger across a crowded room have the same security implications?

      Another ignorant post brought to you by BAReFO0t

  • by DogDude ( 805747 ) on Sunday February 16, 2020 @04:15PM (#59733816)
    I have no interest in hosting my personal sites in https. I am using the web as it was originally intended to be: a way to disseminate information. Nothing I'm doing is private in any way, so I have no use for https. So, fuck Chrome and fuck Google.
    • by jythie ( 914043 )
      Since this only applies to HTTPS sites linking to non-HTTPS downloads, it would not impact your use case.
    • by tepples ( 727027 )

      I am using the web as it was originally intended to be: a way to disseminate information. Nothing I'm doing is private in any way

      Until an ISP injects advertising between your personal site and its viewers. Comcast, for example, has been caught doing this. Perhaps what we're missing is a signing-only cipher suite for HTTPS.

      • This is the way. While I will agree with DogDude that Google is being a bit too pushy if they don't let a browser user ultimately decide, I can no longer trust their opinion on security if their reasoning is "I have nothing to hide, therefore I don't need to support HTTPS".

        Ideally, DogDude's website would support both http and https. For those of us visiting at a coffee shop who don't want Comcast to inject ads, or for someone else to inject other crap, we would have the option of loading HTTPS. Additiona
    • It's not up to you to decide if the person reading your content may be persecuted for reading it. That's entitle up to those two parties.

      Why not give them the tools to protect themselves? It's not a question of interest nor one of the purpose of the internet, just a question of of pure misguided laziness.

  • Just because the connection was secure doesn't mean what was on the other end was, or ever had good intentions to your own security.

    This is just getting ridiculous. Perhaps we need a second internet for the participants that need a rubber room.
    • Yes, they should narrow the language (insecure, secure) and icons (padlock) to represent encryption/privacy rather than overall security. Considering how loudly they like to toot their horn about making the web safer for users, the very first launch of the browser should have a quick security overview? They could explain the indicator symbols and terminology, and remind people that whispering to a Nigerian prince doesn't make it more secure than yelling in a crowded room to a Nigerian prince. But with a bet
  • I manage a number of websites, all running 1990's style straight hand written html code, in support of my band, my wife's string quartet and a couple of other things. It's all simple html code and the sites serve quite well. I run it out of an AWS S3 bucket. It's cheap and the sites load fast.

    Is this going to break them or make them unusable? Am I going to HAVE to get off my butt and learn WordPress and migrate the sites?

    • by jythie ( 914043 )
      For this change at least, it shouldn't mean anything. It looks like like they are just stopping people from downloading non-https files from pages that are otherwise https. So they are only blocking mismatches, not http in general.
  • The more Chrome fucks with your file downloads, the more of a "problem" Google Drive can step in and solve. And a lot of non-technical users are suddenly going have to move all piles of file downloads somewhere..
  • With the last Android phone I bought a couple years back, on the very first web search I used it for, I found out that the default Android web browser only looks for Google results that have videos.
    I was looking for a text representation of a basic food recipe, but only getting all kinds of bullshit amateur-youtube-cooking-show search results that were videos, trying to figure out what setting was wrong... and there was no wrong setting.
    There was no setting to change?
    Apparently that is what it was supp
  • by sad_ ( 7868 )

    great, this will stop absolutely nothing bad from happening.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...