
Google is blocking mixed downloads and MiTM attacks


In April last year, Google contacted other browser makers in an effort to persuade them to step up the security of their users by blocking mixed downloads.

Google's suggestion was that browsers block file downloads over HTTP. In particular, the block would apply when the download is started from an HTTPS website.

Google has now announced that it will apply this plan to the Chrome browser in the coming months.

Google says it is blocking these types of downloads because they are a risk to users' security and privacy: they could allow a man-in-the-middle (MiTM) attack.

“Files sent through mixed content can be swapped for malicious programs by attackers, who can then gain access to users' banking,” Google said.

What exactly will Google block?

According to a timetable published by Google, the changes will begin to take effect in Chrome 83, which will be released in June. From then on, each new version of Chrome will block “dangerous downloads”.

However, Google will not block all HTTP downloads.

For example, the company will not block HTTP downloads from HTTP sites. The reason is that Chrome already warns users in this case: it shows “Not Secure” in the URL bar to tell them the site they are visiting is not secure.

The target is unsafe downloads from sites that appear to be secure (HTTPS) but whose downloads are not (served over HTTP).

According to Google, the HTTPS in the site's URL misleads users into thinking that the download also happens over HTTPS. In some cases this is not so.

Google wants these cases to stop.

The change won't happen all at once with a new version of Chrome. Google has published a six-step process that will gradually block HTTP downloads from HTTPS sites:

  • Chrome 81 (March 2020): Chrome will display a warning about all mixed-content downloads.
  • Chrome 82 (April 2020): Chrome will warn about downloads of mixed executable files (e.g. .exe).
  • Chrome 83 (June 2020): Chrome will block mixed executable files and warn about mixed archives (.zip) and disk images (.iso).
  • Chrome 84 (August 2020): Chrome will block mixed executables, archives and disk images and warn about all other mixed-content downloads (except image, audio, video and text).
  • Chrome 85 (September 2020): Chrome will warn about mixed image, audio, video and text downloads and block all other mixed downloads.
  • Chrome 86 (October 2020): Chrome will block all mixed-content downloads.

This is illustrated in the following figure:
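To make the schedule concrete, here is an added Python example (not code from Google or from the article) that audits the links on an HTTPS page and reports, for a given Chrome version, whether each download would be allowed, warned about or blocked under the plan above; the hostnames and every extension beyond .exe, .zip and .iso are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath
# First Chrome version that blocks each category (six-step plan above); from
# Chrome 81 on, any mixed download that is not yet blocked gets a warning.
BLOCK_FROM = {"executable": 83, "archive": 84, "other": 85, "media/text": 86}
# Only .exe/.zip/.iso are named on the page; the rest are assumptions for this example.
EXTENSIONS = {".exe": "executable", ".msi": "executable",
              ".zip": "archive", ".iso": "archive",
              ".png": "media/text", ".mp4": "media/text", ".txt": "media/text"}

def category(url):
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return EXTENSIONS.get(ext, "other")

def is_mixed_download(page_url, href):
    """Mixed download: an HTTPS page linking to a file served over plain HTTP."""
    target = urljoin(page_url, href)  # relative links inherit the page's scheme
    return urlparse(page_url).scheme == "https" and urlparse(target).scheme == "http"

def chrome_action(page_url, href, version):
    """What Chrome <version> does with this link: 'allow', 'warn' or 'block'."""
    if not is_mixed_download(page_url, href):
        return "allow"  # HTTP page -> HTTP file is not blocked (site shows 'Not Secure' anyway)
    if version >= BLOCK_FROM[category(urljoin(page_url, href))]:
        return "block"
    return "warn" if version >= 81 else "allow"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def audit(page_url, html, version):
    """Return (resolved_url, category, action) for every <a href> on the page."""
    parser = LinkCollector()
    parser.feed(html)
    return [(urljoin(page_url, h), category(urljoin(page_url, h)),
             chrome_action(page_url, h, version)) for h in parser.hrefs]

# Constructed sample: an HTTPS download portal with two mixed (http://) links.
SAMPLE_PAGE = "https://downloads.example.test/index.html"
SAMPLE_HTML = ('<a href="http://cdn.example.test/setup.exe">Installer</a>'
               '<a href="http://cdn.example.test/docs.zip">Docs</a>'
               '<a href="/logo.png">Logo</a><a href="https://cdn.example.test/r.txt">Readme</a>')
```

Calling audit(SAMPLE_PAGE, SAMPLE_HTML, 84) reports the installer and the archive as blocked while the two HTTPS links are allowed.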


However, Google said it understands that in some controlled conditions, such as intranets, mixed downloads are not that risky. For these cases there is a Google Chrome policy (InsecureContentAllowedForUrls) that enables HTTP downloads in controlled environments.

Site administrators will be able to check whether their sites comply with this new policy using Google Chrome Canary. To do so, they need to enable the following Chrome flag:

chrome://flags/#treat-unsafe-downloads-as-active-content