Slashdot Mirror


Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com)

An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS.

Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.

2 of 207 comments

  1. Google Echo Chamber in full effect by nadass · Score: 5, Interesting

    The Google Chrome engineer who posted this ask to the W3C mailing list ( https://lists.w3.org/Archives/... ) also made a social media poll, https://twitter.com/estark37/s...

    Essentially, they're reinforcing their own echo-chamber effect to only listen to confirmations of their conceived notion of correctness rather than truly encouraging discourse on the matter. Her poll options are, "yes" and "yes" -- and several Twitter replies have been deleted.

    Personally, it seems they are an engineer looking for a problem to solve to help justify their job... and that's just sad in itself.

  2. Re: UGh. by Anonymous Coward · Score: 2, Interesting

    Except Let's Encrypt doesn't work well for servers behind firewalls. You can coax out a manual cert via DNS but it sucks if your DNS doesn't have a dynamic update API or is only accessible via a special VPN network. And then Let's Encrypt certs are short-lived, so you end up repeating the process every 3 months.

    The scenario you describe is precisely why we need DNSSEC DANE TLSA mode 3. Then we can all publicly run our own private CAs. Browsers would trust your root for your domains only and trust my root for my domains only. They would also be able to trust internal infrastructure behind firewalls signed with that root without ever having to install a single root CA cert. We would finally ditch public CAs at that point, including Let's Encrypt, and have real trust on both the Internet and Intranets.

    Unfortunately, none of the major web browsers implement any part of DNSSEC DANE TLSA. At one point Mozilla even declared the relevant open bug/feature request as WONTFIX. If you read into the whole DANE TLSA debacle that's silently gone on for the past 8 years after the IETF finalized the specification, the TL;DR is that no one cares about implementing actual software security unless it makes a ton of money for someone.