Google Chrome Wants To Block 'Insecure' Downloads, Starting With Executables

Google Chrome cannot download executable

The internet is not a safe place to be. This is why Google is ramping up its attempt to secure its Chrome users.

In a blog post revealed by Google, the company said that it would warn Chrome users about “insecure” downloads. This is considered Google's first move in a plan to block them entirely.

According to Joe DeBlasio of the Chrome security team, starting with Chrome 82 in April 2020, the browser would show a pop-up warning box to users who wish to downloaded mixed content executables from a secure website.

"Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files."

“Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers and eavesdroppers can read users’ insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome."

The file types that pose most risk according to Google, are executables.

For obvious reasons, executables are files that are used to perform various functions or operations on a computer. Unlike a data file, an executable file is created to perform indicated tasks according to encoded instructions. As opposed to a data file that must be parsed by a program to be meaningful.

Furthermore, because executables cannot be read because they are compiled.

Google wants to start focusing on preventing insecure downloads because Chrome at this time isn't giving any indication to users that their privacy and security are at risk, meaning that malicious ones can go unnoticed by Chrome users..

"In the future, we expect to further restrict insecure downloads in Chrome," added DeBlasio.

Mixed content
Example of a mixed content page, where the initial HTML request is made using HTTPS, but an image is loaded over HTTP. (Credit: Google)

This move follows a plan Google announced in a blog post back in 2019, when it said that it wanted to start blocking all insecure subresources on secure pages.

Also called mixed content, this happens when initial HTML is loaded over a secure HTTPS connection, but other resources (images, videos, extra HTML, CSS, or JavaScripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page.

HTTPS has numerous advantages over the insecure HTTP.

For example, it allows browsers to check that they are accessing the correct website, and haven't been redirected to a malicious site. When navigating to a bank's website for example, browsers authenticate the website, thus preventing an attacker from impersonating users' bank and stealing their login credentials.

HTTPS also allows browsers to detect if an attacker has changed any data the browsers receive.

Google's plan for releasing insecure download warnings on desktop platforms
Google's plan for releasing insecure download warnings on desktop platforms. (Credit: Google

In other words, HTTPS prevents an attacker from eavesdropping on browser's requests, tracking the websites visited, or stealing information sent or received.

Because users' data and information have become commodities, Google's move should ensure users' privacy and security, and protecting the web itself in overall.

Modern browsers display warnings about this type of content to indicate to the user that the page they are visiting contains insecure resources, with Google started to gradually move to blocking all mixed content by default since Chrome 79.

In the past several years, the web has made great progress in transitioning from the non-secure HTTP to the secure HTTPS protocol. Part of which, is when Google started to mandate HTTPS, and even give websites with HTTPS a ranking boost in its search engine results page.

As a result, according to Google, Chrome users spent more than 90% of their browsing time on HTTPS on all major platforms.

Google in warning users about insecure downloads should make sure that more and more websites have their HTTPS well-configured.

Google is gradually rolling out this feature to mitigate the worst risks quickly.

As for Chrome on mobile, DeBlasio said that the company is delaying the roll out because "mobile platforms have better native protection against malicious files", and this should also give developers "a head-start towards updating their sites before impacting mobile users."