Google has been waging a war on insecure web pages, and while that has had some positive impact, the benefits of secure pages are thrown out the window when content from those pages is downloaded insecurely. Google calls these non-HTTPS downloads from HTTPS pages “mixed content downloads”. Starting today, Chrome will warn users about such downloads and, starting June this year, it will also block files little by little in an attempt to get website developers to fix things before they break.
Although not really a panacea, web pages delivered via encrypted HTTPS at least carry an assurance that the page itself is secure. That assurance, however, doesn’t really cover assets on the page, including images and videos and especially ads and downloads. The latter can sometimes be downloaded via plain HTTP even if the page it comes from is already secure (HTTPS).
Google is putting its foot down on such downloads, but it won’t be blocking insecure downloads all in one go. It will implement a staggered rollout (an approach Google is pretty fond of) that will first warn users about such files before Chrome actually blocks them.
Starting with Chrome 82 in April 2020, Chrome will warn users about insecure downloads of executable files like .exe and .apk installers. It will then start warning and then blocking different categories of downloads until all of them are blocked by Chrome 86 in October this year. Android and iOS will have a month’s delay since those platforms already have safeguards for insecure downloads.
Some might consider Google’s approach heavy-handed but it could have the desired positive effect as well. When sites and downloads stop working on one of the world’s most used web browsers, site owners and developers are more likely to take action than let it pass.
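For site owners who want to find affected links before the blocking starts, the following is an added example (not code from Google or from the original article) that scans a page's HTML for links that resolve to plain HTTP from an HTTPS page. The function names and sample URLs are constructed for illustration, and only .exe and .apk are treated as executables because those are the types the article names.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Executable types the article names as first in line for warnings.
EXECUTABLE_EXTS = {".exe", ".apk"}

# Constructed sample input: an HTTPS page with a mix of link styles.
SAMPLE_PAGE = "https://downloads.example/index.html"
SAMPLE_HTML = """
<a href="http://files.example/setup.EXE">Windows installer</a>
<a href="/app.apk">Android (relative, inherits HTTPS)</a>
<a href="//cdn.example/tool.exe">protocol-relative, inherits HTTPS</a>
<a href="http://files.example/manual.pdf" download>Manual</a>
"""

class _LinkCollector(HTMLParser):
    """Collects <a href> targets and the first <base href> on a page."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []  # (href, has_download_attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], "download" in a))

def find_mixed_downloads(page_url, html):
    """Return candidate mixed content downloads, executables first."""
    if urlsplit(page_url).scheme != "https":
        return []  # the issue only exists for pages served over HTTPS
    parser = _LinkCollector()
    parser.feed(html)
    # A <base href="http://..."> silently downgrades every relative link.
    base = urljoin(page_url, parser.base) if parser.base else page_url
    findings = []
    for href, has_download in parser.links:
        target = urljoin(base, href.strip())
        parts = urlsplit(target)
        if parts.scheme != "http":
            continue
        ext = posixpath.splitext(parts.path)[1].lower()
        findings.append({"url": target, "download_attr": has_download,
                         "executable": ext in EXECUTABLE_EXTS})
    return sorted(findings, key=lambda f: not f["executable"])

if __name__ == "__main__":
    for finding in find_mixed_downloads(SAMPLE_PAGE, SAMPLE_HTML):
        print(finding)
```

Whether a flagged link actually triggers a download depends on how the server responds, so treat the output as a list of candidates to move to HTTPS.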