Chrome will begin blocking downloads that aren’t HTTPS-protected

Insecure downloads on secure sites are a big security gap.

NurPhoto/NurPhoto/Getty Images

Most websites nowadays are encrypted, meaning it’s harder for bad actors to intercept and tamper with your internet traffic. But even HTTPS-secure websites might download files from other websites that aren’t encrypted, and that leaves an opening for hackers. Google has announced that it will begin to address this in Chrome.

Warnings will transition to full blockages — Starting with the release of Chrome 82 in April, users visiting a secure website will see an alert when a file is being downloaded from an insecure source. In subsequent releases, Google will begin blocking these downloads altogether. The company is starting with executable file types like .exe and .apk, as these pose the most potential danger, and will progressively block more file types from insecure sources over time.

“This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see,” Google said in a blog post.

Even encrypted sites can have holes — You know what they say: No piece of software is ever 100 percent safe from vulnerabilities. Whenever you visit a website and see advertisement blocks, or YouTube videos, those are files that are being downloaded from a different website.

So even though the exact website you’re visiting might be HTTPS-encrypted, if a file is being pulled from a non-encrypted site, a hacker could penetrate that insecure site and replace the file with malicious software that puts you at risk. Or the traffic can be read while it's in transit, meaning if you were downloading a file containing personal information from an insecure site, a hacker could grab that.

Google’s own transparency report regarding HTTPS on the web indicates that most web pages desktop users load are encrypted, and desktop users spend two-thirds of their time on encrypted sites. HTTPS is less prevalent on sites accessed on mobile devices, but it’s still in the 90 percent range. So the issue of non-encrypted sources isn’t huge, but the damage caused when a hacker manages to grab personal information on the other hand is huge, so this move by Google is a good one that should help keep us all safe.