Slashdot Mirror


Google Chrome Wants To Block Some HTTP File Downloads (zdnet.com)

An anonymous reader writes: Google wants to block some file downloads carried out via HTTP on websites that use HTTPS. The plan is to block EXE, DMG, CRX, ZIP, GZIP, BZIP, TAR, RAR, and 7Z file downloads when the download is initiated via HTTP but the website URL shows HTTPS.

Google said it's currently not thinking of blocking all downloads started from HTTP sites, since the browser already warns users about a site's poor security via the "Not Secure" indicator in the URL bar. The idea is to block insecure downloads on sites that appear to be secure (loaded via HTTPS) but where the downloads take place via plain ol' HTTP.
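For site owners who want to find the links on their own pages that would fall under the rule described above, here is an added example (not code from the article, from Google, or from Chrome). The suffix spellings for each file type, the function names, and the example.com / example.net sample page are assumptions made for illustration.

```javascript
// Added audit helper, not Chrome's implementation. File types come from the
// summary; the exact suffix spellings (.gz, .bz2, ...) are assumptions.
const RISKY_EXTENSIONS = ['exe', 'dmg', 'crx', 'zip', 'gz', 'gzip',
  'bz', 'bz2', 'bzip', 'bzip2', 'tar', 'rar', '7z'];

// Pull href values out of anchor tags (good enough for auditing your own markup).
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[1] ?? m[2] ?? m[3]);
  return hrefs;
}

// Look only at the path, so "?v=2" or "#top" cannot hide the file type.
function riskyExtension(url) {
  const name = url.pathname.split('/').pop().toLowerCase();
  const ext = name.includes('.') ? name.slice(name.lastIndexOf('.') + 1) : '';
  return RISKY_EXTENSIONS.includes(ext) ? ext : null;
}

// Links matching the rule in the summary: the page is HTTPS, the download
// target is plain HTTP, and the file type is on the list.
function findInsecureDownloads(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // HTTP pages are out of scope
  const findings = [];
  for (const href of extractHrefs(html)) {
    let target;
    try { target = new URL(href, page); } catch { continue; } // skip bad hrefs
    if (target.protocol !== 'http:') continue; // relative and //host links inherit https
    const ext = riskyExtension(target);
    if (ext) findings.push({ href, resolved: target.href, ext });
  }
  return findings;
}

// Constructed sample page; hosts are placeholders.
const SAMPLE_HTML = `
<a href="http://downloads.example.net/setup.EXE?v=2">Windows</a>
<a href="https://downloads.example.net/setup.dmg">macOS</a>
<a href="/files/tool.zip">same origin</a>
<a href="//mirror.example.net/src.tar.gz">protocol-relative</a>
<a href='http://mirror.example.net/src.tar.gz'>source</a>
<a href="http://example.net/readme.txt">readme</a>
`;
```

Calling findInsecureDownloads('https://www.example.com/get/', SAMPLE_HTML) reports the two plain-HTTP links to setup.EXE and src.tar.gz; the same markup served from an http:// page reports nothing, matching the scope described in the summary.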

4 of 207 comments

  1. UGh. by flippy · Score: 5, Insightful

    Why oh why does Google think that they know better than everyone? Give a warning, sure, and then let the user decide. Just the same way it handles an HTTP page vs an HTTPS page.

    1. Re:UGh. by supremebob · Score: 4, Insightful

      I wish that Google gave you the ability to suppress those warnings as well. I have a few internal development sites with invalid SSL certificates on them, for which Google throws an obnoxious "YOUR CONNECTION IS NOT PRIVATE" warning every time I hit them.

      Congratulations, Google, you're training people to click on the "Proceed to x (unsafe)" link EVERY time they see that page as a muscle memory reaction, whether or not it's a real security issue.

  2. Mostly Pointless by EndlessNameless · Score: 4, Insightful

    Most sites provide their file hashes over HTTPS. If I'm going to verify the file on my end anyway, there's no real reason for the site to waste CPU encrypting the entire ISO every time someone downloads it.

    Digital signatures and hash verification address the same security concerns with less impact.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

  3. Google Echo Chamber in full effect by nadass · Score: 5, Interesting

    The Google Chrome engineer who posted this ask to the W3C mailing list ( https://lists.w3.org/Archives/... ) also made a social media poll, https://twitter.com/estark37/s...

    Essentially, they're reinforcing their own echo-chamber effect to only listen to confirmations of their conceived notion of correctness rather than truly encouraging discourse on the matter. Her poll options are, "yes" and "yes" -- and several Twitter replies have been deleted.

    Personally, it seems they are an engineer looking for a problem to solve to help justify their job... and that's just sad in itself.