Punctuate

Blocking insecure content

Chrome addresses mixed content downloads

Chrome to block insecure downloads


Beginning with Chrome 82, which will be released sometime in April, Google have announced that Chrome will start warning users about downloading certain files from insecure sources, in a bid to keep you safe from malicious actors. Much as it has done with insecure websites, Chrome will start to show warnings that you’ll need to take note of. That’s not to say you can ditch your anti-malware or antivirus software; instead, think of this as another layer of protection.

As of Chrome 83, active blocking will start for downloads of certain file types, mainly the big executables such as .exe files. With subsequent releases more file types will be blocked, including .zip, with the eventual aim of blocking all non-secure content including images, audio and even text. By release 86, scheduled for October, the new blocking features will be complete: all content served non-securely will be blocked, and this will become the new normal. Mobile Chrome will be getting the same treatment but one release later; release 83 is expected in June. Read more about the timings on the Google Security Blog.

We think it’s good that browsers are looking to become more involved with protecting users and bolstering defences, but control will always remain with the user. This means the burden of responsibility stays with you, so keep that antivirus software updated and keep scanning everything.

So what’s driven this change? Google is looking to address what is known as the ‘mixed content’ issue. That is when you visit a website and the initial portion of the content is served securely over HTTPS, but other parts of the page are served insecurely over HTTP.

Browsers already block many types of mixed content by default, but not all. As things stand, an attacker could use the insecurely loaded parts of a page to tamper with a product image and mislead a buyer, or to inject tracking cookies. This means mixed content has the potential to degrade both the security and the user experience of a website.

From a content producer’s perspective this will demand attention, and action may be required. If you run a website, perhaps pulling in external content from a CDN or a third party, you need to know that any content that is served to you insecurely will no longer be displayed to your users. This will directly impact the user experience of your site.

You may even be providing a content resource to others, in which case you need to ensure your content is served securely, or you’re going to be the one being blocked.
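One way to check a page for the content described above is to list every subresource and download link that an HTTPS page references over plain HTTP. The script below is an added example, not part of the original article; the names `audit`, `FETCH_ATTRS` and `DOWNLOAD_EXTS`, the tag list and the sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch something (common subset, not exhaustive).
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
               "video": "src", "source": "src", "link": "href", "a": "href"}
DOWNLOAD_EXTS = (".exe", ".zip")  # file types named in the article

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        url = urljoin(self.page_url, value or "")  # resolves relative and //host URLs
        parts = urlsplit(url)
        if not value or parts.scheme != "http":
            return
        is_download = "download" in attrs or parts.path.lower().endswith(DOWNLOAD_EXTS)
        if tag == "a" and not is_download:
            return  # a plain link to an HTTP page is navigation, not a download
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is never fetched as a subresource
        kind = "insecure-download" if tag == "a" else "mixed-subresource"
        self.findings.append((kind, tag, url))

def audit(page_url, html):
    """Return HTTP subresources and downloads referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over HTTPS
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; every host is a placeholder.
SAMPLE = """<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="/site.css">
<img src="http://images.example/product.png">
<img src="//static.example/logo.png">
<a href="http://files.example/setup.exe">Installer</a>
<a href="http://other.example/about">About</a>
<a href="https://files.example/tool.zip">Tool</a>"""

if __name__ == "__main__":
    for finding in audit("https://shop.example/", SAMPLE):
        print(*finding)
```

It only sees references present in the static HTML, so URLs built by scripts or referenced from inside CSS need a separate check.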

Google have said they expect to add further restrictions in the future, so this will not be the last we see of this. With privacy, rightly, a white-hot topic at present, other browser vendors will surely follow Google’s lead.

So now is a good time to ensure your website and content are only being served securely. If you’re unsure about how to do this or need a hand, drop us a line.

 

