Slashdot Mirror


Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com)

An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS.

Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.
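As an added illustration of the rule the summary describes (this is example code written for this page, not Chrome's own implementation), the check below classifies a page's download links: a link resolving to plain HTTP, found on an HTTPS page, and ending in one of the listed archive or executable types is flagged; the same link on an HTTP page is left alone, matching the statement that downloads from HTTP sites are not being blocked. The page URL, link list and the mapping of "GZIP"/"BZIP" to the `.gz`/`.bz2` suffixes are my assumptions.

```python
"""Flag "mixed-content downloads": links on an HTTPS page that would fetch one of
the file types named in the article over plain HTTP.  Added example, not Chrome code;
the URLs below are constructed for illustration."""
from urllib.parse import urljoin, urlsplit

# Types the article lists.  GZIP and BZIP are taken to mean the .gz and .bz2
# suffixes (an assumption; the article names formats, not suffixes).
BLOCKED_SUFFIXES = (".exe", ".dmg", ".crx", ".zip", ".gz", ".bz2", ".tar", ".rar", ".7z")


def download_suffix(url):
    """Return the blocked suffix the URL path ends with, or None (query strings ignored)."""
    path = urlsplit(url).path.lower()
    for suffix in BLOCKED_SUFFIXES:
        if path.endswith(suffix):
            return suffix
    return None


def classify_download(page_url, link):
    """Return 'block', 'allow' or 'not-a-download' for one link found on page_url."""
    # Resolve relative ("/x.zip") and protocol-relative ("//host/x.zip") links
    # against the page, since those inherit the page's scheme and are safe.
    target = urljoin(page_url, link)
    if download_suffix(target) is None:
        return "not-a-download"
    page_scheme = urlsplit(page_url).scheme
    target_scheme = urlsplit(target).scheme
    # Only the HTTPS-page / HTTP-download combination is blocked.  A download
    # from an HTTP page is left to the "Not Secure" indicator, as the article says.
    if page_scheme == "https" and target_scheme == "http":
        return "block"
    return "allow"


def audit_page(page_url, links):
    """Classify every link on a page; the result maps each link to its verdict."""
    return {link: classify_download(page_url, link) for link in links}


if __name__ == "__main__":
    # Constructed sample: an HTTPS download page with a mix of link styles.
    page = "https://www.example.com/download"
    links = [
        "http://cdn.example.com/setup.exe",        # block: HTTP download on HTTPS page
        "/files/archive.zip",                      # allow: inherits https
        "//mirror.example.net/tool.tar",           # allow: protocol-relative, inherits https
        "http://cdn.example.com/backup.tar.gz",    # block: ends in .gz
        "http://cdn.example.com/readme.txt",       # not-a-download
        "https://cdn.example.com/app.dmg",         # allow
    ]
    for link, verdict in audit_page(page, links).items():
        print(f"{verdict:15} {link}")
```

The suffix match is deliberately on the resolved URL path, so `?download=1` style query strings do not hide a blocked type; a real browser would also look at the response `Content-Type` and `Content-Disposition` headers, which this link-level check cannot see.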

5 of 207 comments

  1. UGh. by flippy · · Score: 5, Insightful

    Why oh why does Google think that they know better than everyone? Give a warning, sure, and then let the user decide. Just the same way it handles an HTTP page vs an HTTPS page.

    1. Re:UGh. by supremebob · · Score: 4, Insightful

      I wish that Google gave you the ability to suppress those warnings as well. I have a few internal development sites with invalid SSL certificates on them, for which Google throws an obnoxious "YOUR CONNECTION IS NOT PRIVATE" warning every time I hit them.

      Congratulations, Google, you're training people to click on the "Proceed to x (unsafe)" link EVERY time they see that page as a muscle memory reaction, whether or not it's a real security issue.

  2. Mostly Pointless by EndlessNameless · · Score: 4, Insightful

    Most sites provide their file hashes over HTTPS. If I'm going to verify the file on my end anyway, there's no real reason for the site to waste CPU encrypting the entire ISO every time someone downloads it.

    Digital signatures and hash verification address the same security concerns with less impact.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

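
The verification workflow this post relies on, as an added example (written for this page, not code from the poster or from any distribution's tooling): the file arrives over HTTP, the checksum list arrives over HTTPS, and the client recomputes the digest and compares it against the published one. The file bytes, the tampered copy and the `sha256sum`-style checksum text are constructed inline; the file name is a placeholder.

```python
"""Verify a downloaded file against a checksum list fetched over HTTPS.
Added example; the file contents and checksum text are constructed here."""
import hashlib
import hmac

# Constructed stand-ins for a large download and for a copy altered in transit.
DOWNLOADED = b"pretend this is an ISO image\n" * 1000
TAMPERED = DOWNLOADED[:-1] + b"!"          # a single byte changed


def sha256_hex(data, chunk_size=1 << 20):
    """Hash in fixed-size chunks; the same loop works over a file read from disk."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def parse_sums(text):
    """Parse 'sha256sum' output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode).
    Returns {name: hex_digest}; blank lines and '#' comments are skipped."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify(name, data, sums_text):
    """Return 'ok', 'mismatch' or 'not-listed' for the named download."""
    expected = parse_sums(sums_text)
    if name not in expected:
        return "not-listed"
    # Constant-time comparison: not strictly needed for a public digest, but the
    # habit keeps digest checks uniform across code that does handle secrets.
    if hmac.compare_digest(sha256_hex(data), expected[name]):
        return "ok"
    return "mismatch"


# Constructed checksum list, as the site would publish it over HTTPS.
SUMS_TEXT = (
    "# SHA256SUMS for release 1.0 (placeholder file name)\n"
    f"{sha256_hex(DOWNLOADED)}  distro-1.0.iso\n"
)

if __name__ == "__main__":
    print("good copy:    ", verify("distro-1.0.iso", DOWNLOADED, SUMS_TEXT))
    print("tampered copy:", verify("distro-1.0.iso", TAMPERED, SUMS_TEXT))
    print("unknown file: ", verify("other.iso", DOWNLOADED, SUMS_TEXT))
```

The check only holds as long as the checksum list itself is trustworthy: it detects alteration between server and client, which is the transit threat the post is discussing, but a list published by a compromised site simply matches the compromised file. That is the gap the post's mention of digital signatures is meant to close.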
  3. Re:uhh,, by Chris+Mattern · · Score: 3, Insightful

    But it does mean that the executable file wasn't altered in transit.

    Catching executables in flight and altering them sounds like a really hard way to do something unless your ISP is doing it to you (and if your ISP would do that to you, you have much bigger problems). It ranks way down on my list of worries, being massively overshadowed by the possibilities that the site itself has been hacked or is intentionally serving up malware--neither of which this does anything to help you cope with.

  4. Ask ten people what TLS is by raymorris · · Score: 1, Insightful

    Yeah, if you ask 10 random people what TLS is, you'll find out why Google security engineers think that they know security better than the average consumer does. It's their JOB to know security, so they SHOULD be much better informed than the average user. They shouldn't forget that fact when they make *defaults* and *warnings*.

    On the other hand, I've been an internet security professional for twenty years. I can reasonably decide to override the defaults in selected situations. I am not a typical user in that regard.