Tuesday, February 23, 06:46

Google is blocking mixed downloads and MiTM attacks


In April last year, Google contacted other browser makers in an effort to persuade them to step up the security of their users by blocking mixed downloads.

Google's suggestion was for browsers to block file downloads over HTTP. In particular, the block would apply when the download is initiated from an HTTPS website.

Now, Google has announced that it will apply this plan to the Chrome browser in the coming months.

Google says it blocks these types of downloads because they are a risk to the security and privacy of users. They could allow "man-in-the-middle" (MiTM) attacks.

“Files sent through mixed content can transfer malicious programs from intruders, who can gain access to users' banking,” Google said.

What exactly will Google block?

According to a timetable published by Google, the changes will begin to apply to Chrome 83, which will be released in June. From there, any new version of Chrome will block "dangerous downloads".

However, Google will not block all HTTP downloads.

For example, the company will not block HTTP downloads coming from HTTP sites. The reason is that Chrome already warns users in this case. It informs them that the site they are visiting is not secure by displaying “Not Secure” in the URL bar.

The target is unsafe downloads from sites that appear to be secure (HTTPS) but whose downloads are not (delivered via HTTP).

According to Google, the presence of HTTPS in the site URL misleads users into thinking that the file is also downloaded via HTTPS. But in some cases it is not.

Google wants these cases to stop.

The change won't happen suddenly with a single new version of Chrome. Google has published a six-step process that will gradually block HTTP downloads from HTTPS sites:

  • Chrome 81 (March 2020): Chrome will display a warning about all downloads of mixed content.
  • Chrome 82 (April 2020): Chrome will warn about downloads of mixed executable files (e.g. .exe).
  • Chrome 83 (June 2020): Chrome will block mixed executable files and warn about mixed archives (.zip) and disk images (.iso).
  • Chrome 84 (August 2020): Chrome will block mixed executables, archives and disk images and will warn about all other downloads of mixed content (except image, audio, video, and text).
  • Chrome 85 (September 2020): Chrome will warn about downloads of mixed image, audio, video and text content and block all other mixed downloads.
  • Chrome 86 (October 2020): Chrome will block all downloads of mixed content.

This is illustrated in the following figure:

[Figure: blocking-insecure-downloads]

However, Google said it understands that in some controlled environments, such as intranets, mixed downloads aren't that risky. For these cases, there is a Google Chrome policy (InsecureContentAllowedForUrls) that enables HTTP downloads in controlled environments.

Site administrators will be able to check whether their sites comply with this new policy using Google Chrome Canary. To do this, they need to enable the following Chrome flag:

chrome://flags/#treat-unsafe-downloads-as-active-content
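
As a static complement to the flag above, the following added example (not Google's or Chrome's code) applies the six-step schedule listed earlier to the links on a page and reports which downloads a given Chrome version would warn about or block. The function names, the sample URLs and every file extension other than .exe, .zip and .iso are assumptions made for illustration.

```javascript
// Added example: audit a page's links against the rollout schedule in the article.
// Extension lists are illustrative assumptions; the article names only .exe, .zip, .iso.
const CATEGORIES = [
  { name: "executable", blockedFrom: 83, ext: [".exe"] },
  { name: "archive/disk image", blockedFrom: 84, ext: [".zip", ".iso"] },
  { name: "media/text", blockedFrom: 86, ext: [".png", ".jpg", ".mp3", ".mp4", ".txt"] },
];
const OTHER = { name: "other", blockedFrom: 85 }; // everything not listed above
const FIRST_WARNING = 81; // per the article, Chrome 81 warns about all mixed downloads

function categorize(url) {
  const path = url.pathname.toLowerCase(); // pathname excludes ?query and #fragment
  return CATEGORIES.find(c => c.ext.some(e => path.endsWith(e))) || OTHER;
}

// A download is "mixed" when the page is HTTPS but the file URL resolves to HTTP.
function isMixedDownload(pageUrl, href) {
  const page = new URL(pageUrl);
  const target = new URL(href, page); // resolves relative and protocol-relative links
  return page.protocol === "https:" && target.protocol === "http:";
}

function chromeAction(chromeVersion, pageUrl, href) {
  // HTTP downloads from HTTP pages are not mixed and are left alone.
  if (!isMixedDownload(pageUrl, href)) return "allow";
  const category = categorize(new URL(href, pageUrl));
  if (chromeVersion >= category.blockedFrom) return "block";
  return chromeVersion >= FIRST_WARNING ? "warn" : "allow";
}

// Returns only the links that the given Chrome version would warn about or block.
function auditLinks(chromeVersion, pageUrl, hrefs) {
  return hrefs
    .map(href => ({ href, action: chromeAction(chromeVersion, pageUrl, href) }))
    .filter(r => r.action !== "allow");
}

// Constructed sample input (not taken from a real site).
const SAMPLE_PAGE = "https://downloads.example.com/releases/";
const SAMPLE_LINKS = [
  "http://cdn.example.com/setup.exe",
  "http://cdn.example.com/bundle.zip",
  "http://cdn.example.com/manual.pdf",
  "http://cdn.example.com/logo.png",
  "//cdn.example.com/setup.exe", // protocol-relative: inherits https from the page
  "installer.exe",               // relative: served from the same https origin
];
console.log(auditLinks(84, SAMPLE_PAGE, SAMPLE_LINKS));
```

In a browser console the link list can be taken from the live page with `[...document.links].map(a => a.href)` and passed to `auditLinks` together with `location.href`.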
