Date: 2022-12-29



As HTTPS becomes more common across the web, Google Chrome is preparing to launch a security option to block “unsafe” downloads over HTTP.

In the past, only privacy-conscious websites, such as banks, needed to be protected with HTTPS encryption, but these days, especially as more websites handle data on a daily basis, HTTPS has become the de facto default. Over the last few years, Google has added new protections to Chrome to encourage the use of HTTPS connections wherever possible.

Most notably, browsers now mark older HTTP websites as “unsafe” in the address bar. Chrome also by default blocks secure websites from using insecure web forms or offering insecure downloads. This combination of safe and unsafe elements is called “mixed content”.

Most recently, the company created an “Always use secure connection” toggle in Chrome’s security settings. When enabled, Chrome will attempt to “upgrade” to the HTTPS version of the website if you accidentally navigate to an insecure version. If a secure version is not available, you will see an on-screen warning asking if you want to continue.

According to a new code change and associated explanation, Google is extending that toggle to protect Chrome users from all potentially unsafe HTTP downloads. This goes beyond the existing mixed content download protection by also blocking downloads from connections associated with unsafe websites.

For example, if clicking an HTTPS download link redirects to an insecure HTTP server, followed by a final HTTPS connection, Google Chrome will block the download as insecure. Similarly, if you’re browsing a website that can only be accessed over HTTP, Chrome will block all downloads from that site.

That said, as with Chrome’s other blocks on unsafe websites and downloads, you can get around the block. As such, it’s more of a big warning to make sure you know what you’re doing than a way of truly blocking users from potentially insecure parts of the internet.

Initially, this new option to block insecure HTTP downloads will be locked behind a Chrome flag. However, it will be available later as part of the “Always use secure connection” toggle.

Block unsafe downloads

Enable blocking of insecure downloads. If a user tries to download a file directly over an insecure transport (such as HTTP) or through an insecure redirect, they will get a “Blocked” message.

#block-insecure-downloads
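The rule described above (an insecure hop anywhere in the redirect chain, or an HTTP-only initiating page, marks the download as insecure) can be modelled to audit your own site's download links before users hit the block. This is an added example, not Chrome's code or code from the article; the function names, finding labels and `example.test` URLs are assumptions constructed for illustration.

```javascript
// Simplified model of the rule as the article describes it.
// Not Chrome's implementation; all names here are hypothetical.

// True when a URL uses an insecure transport (plain HTTP in this model).
function isInsecure(url) {
  return new URL(url).protocol === "http:";
}

// initiator: URL of the page where the download was started.
// chain: ordered URLs the request passed through, ending at the file itself.
function auditDownload(initiator, chain) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  const findings = [];
  if (isInsecure(initiator)) {
    findings.push({ kind: "insecure-initiator", url: initiator });
  }
  chain.forEach((url, hop) => {
    if (!isInsecure(url)) return;
    const isFinal = hop === chain.length - 1;
    findings.push({ kind: isFinal ? "insecure-final-url" : "insecure-redirect", hop, url });
  });
  // A single insecure element is enough to treat the download as insecure.
  return { blocked: findings.length > 0, findings };
}

// Constructed sample chains (example.test hosts are placeholders).
const SAMPLES = {
  allHttps: { initiator: "https://site.example.test/",
              chain: ["https://site.example.test/get", "https://cdn.example.test/app.zip"] },
  httpHopInMiddle: { initiator: "https://site.example.test/",
                     chain: ["https://site.example.test/get",
                             "http://mirror.example.test/get",
                             "https://cdn.example.test/app.zip"] },
  httpOnlySite: { initiator: "http://legacy.example.test/",
                  chain: ["https://cdn.example.test/app.zip"] },
};

// Audit every sample and return the results keyed by sample name.
function runSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(
    ([name, s]) => [name, auditDownload(s.initiator, s.chain)]));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

To use it on a real site, feed it the redirect chain recorded by your crawler or browser devtools for each download link; every finding is a hop to move to HTTPS.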

As this feature is in its early stages of development, it is unlikely to see more extensive testing until Chrome 111, which is scheduled for release in March 2023, and a full release is likely later in the year.

