Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this

Continuing to drop flame retardant on the dumpster fire that is web security, Google on Thursday said it will soon prevent Chrome users from downloading files over insecure, plain old, unencrypted HTTP. "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team, in a …

  1. b0llchit Silver badge
    Alert

    The long game

    Finally, Chrome is on track to prevent all users from downloading any and all content from the network that has not been provided by Google itself. It took a while, but we're getting to the age of gInternet. Next up will be the browser for fInternet and the last browser for aInternet. The entire ecosystem divided by three firms, at last, as planned.

    I'd prefer that we just ban 80% of the users from access to the internet. By my guess, that would improve security by a much larger factor.

    1. jaywin

      Re: The long game

      > we're getting to the age of gInternet

      Sounds like something you need tonic for

      1. MachDiamond Silver badge

        Re: The long game

        "Sounds like something you need tonic for"

        Or 10cc of something pharmaceutical injected in your backside along with a knowing glance from the nurse.

        1. 1752

          Re: The long game

          I keep your picture upon the wall.

          It hides a nasty stain that's lying there.

          1. Anonymous Coward
            Anonymous Coward

            Re: The long game

            and if I remember the origin of the band name "10 CC", I doubt it's something your typical buxom nurse would be able to provide you with.

    2. Ogi
      Stop

      Re: The long game

      It is odd how little push back there is about this. It is like we are going back to the bad old days of IE, when one anti-competitive behemoth would implement non-standard behaviour into its web browser, forcing others to either follow or risk breakage of the internet (which, as said behemoth had majority market share, was too large to ignore).

      Perhaps Google's idea is a good one, perhaps not, but the right way to do it (IMO) would be to try to make it a standard. If everybody else agrees it is a good idea, it will quickly be ratified and adopted; if not, then changes proposed, until it is considered good (or unsalvageable, in which case it gets rejected).

      Sure that may take longer, but getting a broad consensus is better than dictating direction (same reason we prefer democracy to dictatorships, even though things get done quicker in dictatorships).

    3. Mike 137 Silver badge

      Re: The long game

      It's actually much worse than that. By virtue of the need to "get on page one" of Goooooooogle, every web site is now developed according to the same goddawful standards dictated by guess who. For example:

      [1] the entire site map on every page, placed right at the top, causing anyone using a screen to text reader to have to listen to all that crap before they get to the (typically) couple of lines of text of interest at the bottom.

      [2] All images served by javascript (take note El Reg, and no it doesn't deserve capital letters) ensuring that anyone who browses securely (and thus can't be snooped on) can't see the pictures.

      [3] All links resolved by javascript, with their HTML anchors blocked by #, ensuring that the user can't browse without being snooped on.

      [4] entirely javascript-driven sites that don't render at all unless scripting is enabled, ensuring that the user can be snooped on (take note NCSC - as the national cyber security agency you should know better).

      [5] forcing all web sites that want a Gooooooogle ranking to go TLS even where it's utterly unnecessary in real terms (the outcome being proliferation of unverifiable self-signed certificates bought on the cheap).

      They'd like you to think that this is all in aid of User Xperience and Security, but in reality it's just a good way to corner the entire ecosystem. And they're being let get away with it.

      1. Anonymous Coward
        Anonymous Coward

        Re: The long game

        > unverifiable self-signed certificates bought on the cheap

        If they were self-signed you wouldn't need to buy them...

      2. jelabarre59 Silver badge

        Re: The long game

        [3] All links resolved by javascript, with their HTML anchors blocked by #, ensuring that the user can't browse without being snooped on.

        The other problem I've encountered with links calling javascript, is it means you can't open links in the background to be read later. Taleo would do a lot of that (but Taleo are general shitheads anyway).

    4. teknopaul Silver badge

      Re: The long game

      Google antitrust is coming they control serverside and client side and can do what they like and they abuse it. There is no security risk downloading a .txt or a .exe even if it's replaced in transit, if you checksum the download after.

      All security is not https.

      Google like https because it stops spying by anyone but them.

      They like breaking change because it hits smaller competition harder than them.

      We need a level playing field in the www based market. Google want it as complicated as possible because they always win. They don't release the problem on the world until they have it solved on their servers and browsers. Somehow Google on Chrome always works.

      Google don't even use the web anymore. They run their own bespoke internet protocols, spdy/3 at last, check they don't answer to any standards bodies but every other company has to spend money to fix their latest "security" issue.

      Anyone noticed that we have spent 20 years downloading .txt files and so far the world kept turning.

      Is .exe getting hacked in transit a theoretical or practical problem?

      It's mostly theoretical, because you download .exe over https with no better guarantees of its validity every day. Most .exe over http downloads are done on trusted networks.

      OS and browser and search is a dangerous vertical.

      I suspect a chromium fork with lower/stable security would get significant market share as corps insist staff install it instead of internal IT taking a hit for these anti-competitive practices that should have no effect on their use of valid www protocols internally.

      1. IGnatius T Foobar ! Bronze badge

        Re: The long game

        I suspect a chromium fork with lower security would get significant market share

        It would, and it did. It's called "Microsoft Edge"

  2. Chewi
    Meh

    Not as disruptive as it sounds

    Although I couldn't think of any specific cases where this might cause me issues, I was initially still a bit worried that it would break something. But when I realised it only affects mixed content, that's not so bad at all. That already gets flagged up to some degree anyway.

    1. bombastic bob Silver badge
      Meh

      Re: Not as disruptive as it sounds

      if "Mixed Content" is the driving force behind this, it makes sense. Sort of.

      If this continues such that it affects *EMBEDDED* systems [which might be serving up http content to a chrome browser running in 'kiosk' mode and NOT be using https] then it's "game over" for using chromium in such systems.

      but it's just like "developers" [around which I can NOT put enough quote marks to convey my snark] to be CLUELESS to the impacts their *FEELY* decisions have... from 2D FLATTY to this latest thing.

      1. J27 Bronze badge

        Re: Not as disruptive as it sounds

        If you're building Chromium for an embedded system it doesn't matter what Google allows because you can enable whatever you want.

      2. John Brown (no body) Silver badge

        Re: Not as disruptive as it sounds

        "If this continues such that it affects *EMBEDDED* systems [which might be serving up http content to a chrome browser running in 'kiosk' mode and NOT be using https] then it's "game over" for using chromium in such systems."

        I predict that school IT support and admins will become very, very busy dealing with reports of both actual educational sites as well as many other sites used by the students for research and homework being blocked by Chrome. Many schools distribute Chromebooks to all students and have based their whole educational "experience" around it.

        1. bobsmith2016

          Re: Not as disruptive as it sounds

          As a former school IT tech, I don't think the 'giving an iPad /chrome book to every student' is that common. Because of the expense, and the fact that young people are careless (break shit) and that parents of poorer kids can be tempted to sell them just for the cash.

          Bigger risk is if it breaks a teacher's commonly used website resources. Teachers are not always the most technology savvy. And most schools don't have a technical person on site, especially primaries. So if a website stops working for a teacher, and they can't work out the way around, it can leave teachers and pupils in a poorer position.

          1. Alistair Silver badge
            Windows

            Re: Not as disruptive as it sounds

            @bobsmith2016:

            Come on over to Ontario. Where lenovo and google basically paid the bill.

            1. John Brown (no body) Silver badge

              Re: Not as disruptive as it sounds

              And I mentioned because here in the UK there are quite a few schools giving out Chromebooks or iPads to pupils. Glasgow are currently rolling out about 50,000 iPads. Another part of Scotland did similar with Chromebooks a couple of years ago. I've seen a few areas of England do the same, certainly a couple of academy trusts. I'm not sure how common it is, but it happens and I'm sure they get good educational discounts.

              1. Anonymous Coward
                Anonymous Coward

                Re: Not as disruptive as it sounds

                Schools I worked for in Scotland were rolling out laptops to students back in 2007, it's fairly well embedded in some council areas. At the time it was Windows and not Chromebooks though, likely have changed to iPads..

              2. Spanners Silver badge
                Childcatcher

                Re: Not as disruptive as it sounds

                Glasgow are currently rolling out about 50,000 iPads.

                If they gave away Chromebooks, they could probably give away 100,000 of them. This would have the added bonus of not funding Apple lawyers.

          2. jelabarre59 Silver badge

            Re: Not as disruptive as it sounds

            I'm not so sure the expense ends up being as bad as you think. Considering they can replace expensive, one-use CommonCore-mandated textbooks, and can be readily used for 3-4 years. Add in the other consumables the Chromebooks can replace, they might end up being a cheaper solution. Just forget for the moment they come from the GoogleHydra, and just think of them as portable terminals.

      3. Bronek Kozicki Silver badge

        Re: Not as disruptive as it sounds

        "Consistently insecure content – files served via HTTP from HTTP websites – are not affected by this change (users will still see the "Not Secure" omnibox badge in that case)"

        ... that is, if your server (embedded or not) is not serving HTTPS and only plain HTTP, then there is no impact.

        IMO this will have the largest impact on corporates which put SSL accelerators before their CMS, but skimp on the same security for the static content. It is an infuriating habit and I will be glad to see it gone.

    2. NATTtrash Silver badge

      Re: Not as disruptive as it sounds

      Wondering how this would affect the users of self hosted "clouds" (e.g. ownCloud, NextCloud)...

      Although, yes, I would agree immediately that a non-HTTPS "cloud" install would be questionable to begin with...

    3. Roland6 Silver badge

      Re: Not as disruptive as it sounds

      But when I realised it only affects mixed content, that's not so bad at all.

      But the intention isn't to just affect "mixed content"...

      Reading the linked Google articles, I would be relatively happy if it was just about "mixed content", so that all the ads, scripts and other stuff webpages download (to the browser's cache) just to be displayed, had to come across https sessions because in the main today these get filtered out by AdBlocker/uBlock et al. The problems arise when Google say they will also block content I want, which seems to imply that if I explicitly click on some element that permits me to download an iso, zip, doc, xls, pdf etc. (to my preferred download location) Chrome will by default prevent/block it.

  3. Anonymous Coward
    Anonymous Coward

    Annoying tho

    What gives google the right to make this decision?

    If I want to download something from an http site then that's my choice and the consequences would be largely if not entirely mine to deal with.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Annoying tho

      Does someone have a gun to your head saying "Use Chrome or I'll pull the trigger."?

      1. bombastic bob Silver badge
        Meh

        Re: Annoying tho

        at some point it might become the *ONLY* browser, if things keep trending the way they are. This is especially true on *ANDROID*. Keep in mind, Chrome's now the back-end for Windows web browsing.

        1. Swiss Anton
          Boffin

          Re: Annoying tho

          telnet w.x.y.z 80 still works for me.

          1. boltar Silver badge

            Re: Annoying tho

            Have fun downloading binary files using telnet. Let us know how it goes.

        2. RyokuMas Silver badge
          Stop

          Re: Annoying tho

          "some point it might become the *ONLY* browser"

          More importantly, let's keep in mind that some 75-plus percent of websites use Google Analytics.

          How long before any pages that allow download over HTTP (so long as you're not using Chrome) suddenly start dropping off search results?

        3. baud Bronze badge

          Re: Annoying tho

          I don't know about you, but Firefox is still running on my Android (non-rooted) smartphone

        4. Anonymous Coward
          Anonymous Coward

          Re: Annoying tho

          "Chrome's now the back-end for Windows web browsing"

          No, it's Chromium. Big difference.

      2. Anonymous Coward
        Anonymous Coward

        Re: Does someone have a gun to your head saying "Use Chrome or I'll pull the trigger."?

        ah yes, if you have nothing to hide, you have nothing to fear

        and you don't have to use online banking. Or use that "secure" browser or that "up-to-dated" android device. In fact, you don't even have to pay taxes, after all, nobody's forcing you to work, you can go without!

        1. Anonymous Coward
          Anonymous Coward

          Re: Does someone have a gun to your head saying "Use Chrome or I'll pull the trigger."?

          Is there some logic connecting your response to the rhetorical question that isn't just a figment of your imagination?

    2. vtcodger Silver badge

      Re: Annoying tho

      You could use a non-Chrome based browser -- at least this year and next and probably the year after that. However, there are fewer and fewer of those that actually work with today's (often needlessly) complex websites. I fear that in a few years we will be down to Chrome and Firefox. And a few years after that to just Chrome.

      A few decades ago, the fad du jour was Continuous Improvement (Kaizen 改善). We now seem to be well into the era of Continuous Deterioration.

      1. Joeyjoejojrshabado

        Re: Annoying tho

        You could use a non-Chrome browser, or you could develop one yourself if you're still not satisfied. Off you go.

        1. Anonymous Coward
          Anonymous Coward

          Re: Annoying tho

          That's as helpful as "if you don't like it, you can leave."

          1. Anonymous Coward
            Anonymous Coward

            Re: Annoying tho

            And why pray tell isn't this an option? What kinds of places CAN'T we walk away from?

            1. bombastic bob Silver badge
              Meh

              Re: Annoying tho

              This argument ONLY works when there is TRUE competition on a LEVEL playing field.

              Otherwise, the monopolist *WINS*.

            2. doublelayer Silver badge

              Re: Annoying tho

              "What kinds of places CAN'T we walk away from?"

              Places that don't have an alternative but you need them. Places whose assistance you need to continue living (E.G. employment unless independently wealthy). Places with people who tell you you can't leave, E.G. prisons. In addition, there are places you might want to leave, and technically you can leave, but you won't because it's a bad idea. It's often not a good enough option, and it's not one here.

              The original idea was "write your own browser". That's not tenable. It's quite obviously not tenable. A browser needs lots of components to work with most of the sites out there, and a single person isn't going to get a perfect implementation of all those things. A skilled person might be able to replicate a basic browser, but they could just use an old one. If the situation arises where the old ones are no longer functioning and not being developed, it will not be feasible for a person to fix that problem themselves. For that reason, the original suggestion was a bad one.

            3. TimMaher Bronze badge
              Facepalm

              Re: Annoying tho

              Amazing!

              I’m the first person to mention Brexit in the context of this comment!

      2. JohnFen Silver badge

        Re: Annoying tho

        > I fear that in a few years we will be down to Chrome and Firefox. And a few years after that to just Chrome.

        Indeed. Already, large portions of the web are unusable unless you're willing to enable JS (and thus expose yourself to spying). Those sites are unavailable to me already.

        Sites that only work with Chrome or Firefox are equally unavailable to me. If there are no sites left that can work with other browsers, then the web becomes nonexistent to me entirely.

        I do completely expect that this will happen in my lifetime. It's too bad. It was a good run while it lasted.

        1. bombastic bob Silver badge
          Thumb Up

          Re: Annoying tho

          "If there are no sites left that can work with other browsers, then the web becomes nonexistent to me entirely."

          Good summary.

      3. Elledan Bronze badge

        Re: Annoying tho

        There's still Pale Moon, which is pretty much a slimmed down version of classic Firefox, with an updated rendering engine, XUL-based extensions and NPAPI plugin support. I have used this as my main browser for years now.

        Basilisk is also by the Pale Moon developers, based on a newer Firefox codebase. It supports DRM and acts as a testing ground for new features in Pale Moon. I use this as my secondary browser, for watching Netflix and for things that require a separate Google account.

        WaterFox is another Firefox-derived browser that has kept all of the classic features, though I haven't used it myself yet. It appears to be similar in scope to Basilisk, however.

        1. ds6

          Re: Annoying tho

          I still refuse to use Pale Moon for the whole petulant children incident, and WaterFox phones home just as bad as mainline does. And even if I hate that Mozilla killed off XUL and Jetpack, there aren't a whole lot of reasons for me to go back, since everything I need has either been ported or its functionality recreated; there's also no denying that Quantum is leagues less heavy and significantly faster than old Firefox/Pale Moon.

          IceCat and Ungoogled Chromium work just fine for me at this point.

  4. Anonymous Coward
    Anonymous Coward

    In the same way all privacy has been removed they slowly move to take piracy. Now before people get the whole you should pay for it hats on think about academic and research PDFs that are exploited by some companies. There are probably other examples that don't spring to mind straight away but I'm not talking about downloading Taylor Swift MP3s that's for sure.

    1. This post has been deleted by its author

  5. martinusher Silver badge

    Doesn't make any sense

    In real life -- 'ix' operating systems -- the file extension is just part of the filename, it's only Windows that thinks file extensions are relevant to a file's properties. (It's an obvious fact but obviously not well known because my workplace bans the sending and receiving of ZIP files so you have to rename them to send them outside the building). To add insult to injury Windows has been in the habit of taking action on a file -- typically executing it -- based on the name and/or extension so what should be just plain old data (until it's told to be something else) suddenly becomes malicious content.

    I'd have thought that Google of all companies should know this. Maybe the motivation isn't what they say it is but rather another step to restrict users to a walled garden?

    1. Steve Graham

      Re: Doesn't make any sense

      I thought this as well. Their "staged" plan doesn't make any sense: first we will block ".exe" files, then we will block ".zip" files, etc.

      But, actually, by the end of the year, file name extensions become irrelevant (we're told) so non-Windows platforms should be equally protected.

      1. Phil O'Sophical Silver badge

        Re: Doesn't make any sense

        Doesn't matter what I rename a .zip file to, my company's web & mail filters still figure it out. As they should.

        1. Charles 9 Silver badge

          Re: Doesn't make any sense

          Well then, Open Document and OOXML files are going to trip it up, because guess what they are at their most basic level? Magic Number scanners are going to get tripped up by the increasing use of ZIP as a basic container format.

          1. Phil O'Sophical Silver badge

            Re: Doesn't make any sense

            Oh, the filters don't blindly block ZIP files. They work out that an attachment or download is a ZIP file (no matter what the extension) and then they look inside to see if it contains any 'forbidden' formats. .odp is fine.

            1. Uncle Slacky Silver badge

              Re: Doesn't make any sense

              uuencode/decode is about to make a comeback!

            2. Anonymous Coward
              Anonymous Coward

              Re: they look inside to see if it contains any 'forbidden' formats

              How do they deal with encrypted .ZIP files?

            3. Charles 9 Silver badge

              Re: Doesn't make any sense

              How recursive is it, because now you can be talking about ZIPs IN ZIPs?

    2. Charles 9 Silver badge

      Re: Doesn't make any sense

      "(It's an obvious fact but obviously not well known because my workplace bans the sending and receiving of ZIP files so you have to rename them to send them outside the building)"

      Just be glad your firewall doesn't do magic number scanning to check for trick files, then, because it'll get tripped up by the fact a lot of modern formats are actually containers based on (guess what?) ZIPs. The Magic Number trick isn't as useful as it once was because of this.

    3. bombastic bob Silver badge
      Unhappy

      Re: Doesn't make any sense

      "Windows has been in the habit of taking action on a file -- typically executing it -- based on the name and/or extension"

      This is mostly a two-sided problem. On the one side, file extensions are used to identify files of a particular type by applications that trust the content to match the extensions. *THEN* they CLUELESSLY pass the thing on to 'ShellExecuteEx()' or similar functions that actually scan the header to determine what to do with it. So an executable file renamed "harmless.zip" gets passed to 'ShellExecuteEx()' as-is with default parameters and it RUNS AS AN EXECUTABLE (rather than opening the program that is supposed to view ZIP files) and *VOILA* your computer is spamming others, logging your keystrokes, and cranking out blockchains!!!

      Well, you get the idea.

      1. boltar Silver badge

        Re: Doesn't make any sense

        Why are applications passing ANY files to an OS system API UNLESS they are executables? What business does the OS have dealing with zips or pdfs etc? Another fuckwitted "design" decision by MS. The application should have to exec the relevant support program itself as per *nix.

  6. No Quarter
    Unhappy

    IP Cam

    That's buggered my perfectly good 8 year old IP cam then.

    1. Anonymous Coward
      Anonymous Coward

      Re: IP Cam

      I'm sure a nice new Nest camera will work fine.

  7. Version 1.0 Silver badge

    It's not going to fix much

    So users will still be able to be prompted to download .img files and open them - it must be safe, all the best malware is available via HTTPS.

    1. Yes Me Silver badge

      Re: It's not going to fix much

      Yes, that is the big elephant in the room: https doesn't make the site or the user safe, except safe against passive content surveillance by third parties. You can download malware (or upload it) in perfect privacy.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's not going to fix much

      "It's just a picture, nothing harmful"

  8. Anonymous Coward
    Anonymous Coward

    Release 100....

    They are going to start holding your dick when you go for a piss. Just to make sure. I think that this is just going a bit too far.

    1. Anonymous Coward
      Anonymous Coward

      Re: Release 100....

      If you have your dick out in front of Chrome I hardly think you're going for a piss.

      1. Anonymous Coward
        Anonymous Coward

        Re: Release 100....

        Oh no, google wants to know everything and all your intimate searches. They want to help you for your own benefit, truly altruistic (I say this with my hand firmly on ... you get the picture and it's not petty).

        1. bombastic bob Silver badge
          Coffee/keyboard

          Re: Release 100....

          thanks, for that (brain bleach please)

        2. Anonymous Coward
          Anonymous Coward

          Re: Release 100....

          Phew... I'm so glad that I don't use Chrome and hopefully never will have to expose myself to being raped in public by Google.

          This sort of move makes the old Apple 'walled garden' seem trivial by comparison.

          FUCK YOU GOOGLE. What I do on the internet is NOT yours to slurp. The same goes for Microsoft.

          1. Anonymous Coward
            Anonymous Coward

            Re: Release 100....

            I think that you might have confused the two business models. Apple fucks you up front with expensive hardware and fucks vendors 30% pretending to be acting in your best interest. Google gives it away for free then fucks you behind your back, by selling your data long and hard.

      2. spold Silver badge

        Re: Release 100....

        You have obviously not used a Japanese Smart-Toilet.

        Be careful it may also have an IPee Camera

    2. Aussie Doc Bronze badge
      Trollface

      Re: Release 100....

      If that's what they are doing to you, you're holding it wrong.

  9. JohnFen Silver badge

    Serious overreach

    I'm not OK with this, but since I don't use Chrome anyway, that doesn't matter.

    This sounds like serious overreach on Google's part. Warning people is fine -- admirable, even -- but not allow insecure downloads at all? That's going a lot too far.

    1. Charles 9 Silver badge

      Re: Serious overreach

      "Warning people is fine -- "

      Until people IGNORE the warnings. Remember Click Fatigue?

      1. bombastic bob Silver badge
        Trollface

        Re: Serious overreach

        yes, the 'Windows Vista' ads for Mac - "Cancel or allow" "Cancel or allow" "Cancel or allow" [from the M.I.B. guy in dark glasses standing behind 'PC']

      2. JohnFen Silver badge

        Re: Serious overreach

        People ignoring warnings is not a problem the browser needs to take extreme actions to fix. At some point, everyone needs to be responsible for their own actions.

        1. Charles 9 Silver badge

          Re: Serious overreach

          No, you need to fix Stupid first because Stupid can take the rest of us with them.

    2. sabroni Silver badge

      Re: Serious overreach

      For those too outraged to read the whole article it says you can click on the address bar on the little security icon and enable unsafe downloads.

  10. Mage Silver badge
    Coat

    No

    It's arrogant and stupid.

    Sure have a warning.

    > "All insecure downloads are bad for privacy and security," declared Joe DeBlasio, who works on the Chrome security team<

    Says someone who works for the worst privacy thief on the Internet.

    Technically just viewing an HTTP site is an insecure download. If you aren't logging in and aren't purchasing, how is downloading a text file a big issue?

    Also I'd worry more about using a random public wifi point without a VPN to my home or office server to use the Internet as that WiFi point can do a Man in the Middle attack on HTTPS. Steal email and site login etc.

    What is Google up to with their obsessive campaign to close HTTP?

    1. Yes Me Silver badge

      Re: No

      "If you aren't logging in and aren't purchasing, how is downloading a text file a big issue?"

      If you are a Uighur in China, it can be a life-threatening issue.

      1. Anonymous Coward
        Anonymous Coward

        Re: No

        "If you are a Uighur in China, it can be a life-threatening issue."

        If you are a Uighur in China, merely using the Internet can be a life-threatening issue.

        1. TheIO

          Re: No

          Being an Uighur in China these days is a life-threatening issue.

  11. 41R
    FAIL

    If it's via toggle (like Safe Browsing), ok...but if not, then it's gonna be bye bye Google Chrome. We're too old for a nanny

  12. 41R
    FAIL

    If it's via toggle (like Safe Browsing), ok...but if not, then it's gonna be bye bye Google Chrome. We're too old for a nanny

  13. james_smith Silver badge

    So malware will be served via HTTPS sites using Let's Encrypt certificates. Nothing changes.

    1. NonSSL-Login

      Part of this is to stop MITM attacks.

      It's easy (using available frameworks) to MITM someone on a network and modify their HTTP downloads on the fly. So as they download an EXE, your MITM machine adds malware to the file and the unsuspecting user gets the modified version.

      Same can be done with archives and ISO downloads.

      This makes it harder for someone on your network, ISP, NSA types (or criminals who have gained access somewhere/redirected traffic via BGP attacks) to intercept along the route and add their own code.

  14. StephenH

    So much for my home server

    I have an alfresco document server on a vmware win10 image at my office and a WD NAS at home for photos and videos. Both environments I trust enough not to go to the hassle of setting up an SSL.

    In fact I don't even know how to go about setting one up for a 192.168.1.x ip without a domain name.

    1. Vincent Ballard
      Coat

      Re: So much for my home server

      Two options: either give it a name (I suspect from the description of the scenario that editing a couple of hosts files would suffice), or create a certificate with an IP address for the Common Name (which is perfectly well supported). The latter option probably requires you to set up your own CA, which if you haven't done it before might take a couple of hours of reading. It's actually not that hard with OpenSSL, unless you want to follow best practices which require specialised hardware.
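
The second option put into code, as an added example that is not the commenter's own and not from any project: a throwaway home-lab CA and a server certificate for a bare IP address, written with Go's standard crypto/x509 library rather than the OpenSSL commands the post refers to. The address 192.168.1.10 and the CA name are assumptions; the address is placed in the Subject Alternative Name (IPAddresses), which is the field browsers actually match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// Hypothetical LAN address of the home server; not taken from the page.
const serverIP = "192.168.1.10"

// newCA creates a self-signed root for the home lab. Its certificate is what
// gets imported into the browser's trust store; its private key stays offline.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Home Lab CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a leaf certificate for a bare IP address, signed by the
// CA. The address goes into the SAN (IPAddresses); browsers check the SAN, not
// the Common Name, so the CN is filled in only for human readability.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ip string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return nil, nil, fmt.Errorf("not an IP address: %q", ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: ip},
		IPAddresses:  []net.IP{addr},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyForIP performs the check a browser that trusts the home CA would make:
// chain the leaf to that root and match the address typed into the URL bar.
func verifyForIP(leaf, ca *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip, // an IP literal here is matched against the SAN IPAddresses
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	leaf, _, err := newServerCert(ca, caKey, serverIP)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("verify as "+serverIP+":", verifyForIP(leaf, ca, serverIP))
	fmt.Println("verify as 192.168.1.11:", verifyForIP(leaf, ca, "192.168.1.11"))
	// The CA certificate in PEM form is what you would import into the browser.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}
```

Import only the printed CA certificate into the browser's trust store and keep the CA key off the server; the leaf is issued for one year and has to be reissued after that.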

    2. knelmes

      Re: So much for my home server

      If you have no https on it at all it won't be affected. Even if it was mixed content, you can enable 'insecure' downloads. It's all in the article.

  15. Lorribot

    Haha...oh they are serious

    Coming from a company that sees and records everything a user does, this is 1st level hypocrisy.

    Google wants to restrict everyone else from knowing what they know so they can sell that information for more money.

  16. RuffianXion

    Why would you?

    "I can't magic HTTPS into existence on a site I don't own if I'd like to link to a data file it hosts,"

    Why are you having anything to do with a site that doesn't use https in 2020? It's "free" (yeah I know they build it into the hosting price, but the hosts that aren't charging an arm and a leg for https as an addon are generally better than those that are anyway - Siteground >>> 123Reg ) from decent hosts FFS. There is absolutely no excuse whatsoever for any website not to have https.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why would you?

      There are sites that host large software distributions, and are busy enough they'd notice the CPU hit. It would also affect local caching - you don't want your company's link to be used to repeatedly download the same huge file 1000s of times.

      These files are all protected with cryptographic hashes.

      The fact you justify your argument by talking about some small site on a third party hosting platform speaks volumes.

    2. Mike007

      Re: Why would you?

      Yeah, fuck those open source projects using servers from multiple sponsors with things like DNS round robins...

      There is no excuse for potential sponsors to simply add a line to their crontab then give the project maintainers an IP address and forget about it. If a university really cared about letting people use their spare resources for free they would have a sysadmin configure per-project TLS certificates which have been provisioned through some complex system set up by project maintainers (given that letsencrypt etc only works if you have complete control over the hostname, the project in question would need to find their own solution for provisioning per-server certs and replacing certificates and have mirror servers use that, alongside the per-project solution for every other project they donate bandwidth to). All potential sponsors should maintain and renew certificates and per-project server configurations and basically have staff dedicate hours of paid time to running the free services. The internet demands that people doing things to help the public suffer the consequences of their decision!

      I won't even get started on people who think they are allowed to run their own services without dedicated hostnames under their public domain name and unfiltered global access to the dedicated global IP etc... we all know that hosting things anywhere other than with a large commercial provider is something only terrorists and paedophiles do.

      I am currently trying to figure out how to get my WiFi controller to work properly from a VM hosted on a different network, so I can do that HTTPS thing with a free certificate, but for some reason my access points don't seem to be detected. This is weird and makes no sense, because when I tried a temporary test instance running on one of my computers on the local network it worked just fine... obviously that is not a solution because running things on your own network is not the 2020 way of doing things.

      1. Wellyboot Silver badge
        Boffin

        Re: Why would you?

        >>>how to get my WiFi controller to work properly from a VM hosted on a different network<<<

        Sounds like it's the DHCP option codes you'll need to set up.

    3. Rich 2 Silver badge

      Re: Why would you?

      The push for all websites to use https is all very well but isn’t this putting even more strain on the IP4 address shortage? One of the overheads of https is that every domain needs to be on a separate address.

      .... or is there some additional magic at work at hosting companies to get around this?

      1. mark l 2 Silver badge

        Re: Why would you?

        "The push for all websites to use https is all very well but isn’t this putting even more strain on the IP4 address shortage? One of the overheads of https is that every domain needs to be on a separate address."

        These days, using SNI on TLS you can serve several HTTPS websites from one IP address, so the need for individual IPs per site is not a requirement anymore. Although some older browsers can't cope with this, such as any version of IE prior to 11.

  17. DownUndaRob
    Facepalm

    Intranet

    Well that will mess up the corporate intranet.

  18. John Tserkezis

    Last time this happened, we had a client who was unable to download our driver software because his company firewall software prevented him from downloading an .exe file.

    After some renaming, compressing, and even password protecting the zip file, (and he couldn't get his IT guys to disable the "security") I got fed up with it all and snail-mailed a CD to him.

    Security my arse. I should start charging morons who think that wasting our time is "secure".

    1. aidanstevens

      Could have renamed to something common like .jpg or .pdf and asked the recipient to rename it back to .exe?

    2. Anonymous Coward
      Anonymous Coward

      Next time

      Next time, if it is within 1GB: send.firefox.com

      1. Anonymous Coward
        Anonymous Coward

        Re: Next time

        And if it is over, PKZip & 7-Zip still support the creation of split volumes.

  19. Anonymous Coward
    Anonymous Coward

    Fine by me

    Let Google chainsaw their own head off if they want to.

    There's plenty more fish in the sea. There's plenty more fish in the sea.

    1. Joe W Silver badge

      Re: Fine by me

      Sure, there are oh so many other browser engines out there...

      1. bombastic bob Silver badge
        Unhappy

        Re: Fine by me

        if DOM and JS and CSS had NOT become so *OVERLY* *COMPLEX* this might actually be true...

      2. Doctor Syntax Silver badge

        Re: Fine by me

        Who needs a browser to download when you can curl up with wget what you need?

  20. aidanstevens

    Will this nitpicking bleed into other Chromium browsers like (my favourite) Opera?

    This is one of the most stupid ideas Google have ever come up with, and that's saying something.

  21. Andy Non Silver badge

    Question

    I use Firefox anyway but for those using Chrome, would this mean it will soon be impossible for them to download mp3 talks from sites, depending on whether those sites use http or https? Or does the restriction apply to https sites offering mp3 talks via http? (scratches head).

    1. Brewster's Angle Grinder Silver badge

      Re: Question

      If a https download page links to a http mp3, it will be blocked. Other than that, everything is fine.

      So a https download page must link to a https mp3. But a http download page can link to whatever it likes. All that's required is the encryption scheme of the download is at least as secure as that of the page it's being downloaded from.

      1. Jamie Jones Silver badge

        Re: Question

        So in other words, if I have no control of the site I'm linking to, I'll have to serve *my* site under http?

        Backfiring barnacles, google!

  22. Anonymous Coward
    Anonymous Coward

    Enterprise users

    Bad wording on Google's behalf I would say, it IS entirely possible to use Windows Policies on single computers and non-enterprise versions of Windows. Not that it is particularly user-friendly.

  23. steelpillow Silver badge
    FAIL

    Flashback

    This proprietary closing-off of the web has happened before. Back in the day, Microsoft deliberately wrote nonstandard behaviour into IE to force us into their ecology. Mozilla was one of several who helped us out of that by making more standards-compliant browsers also tolerant of much IE nonsense and with better user experience in other ways. Then there was Adobe's attempt to monopolize the web with Flash. The w3c had to up its game and produce open standards for media and fancy content, the Mozilla FireFox browser (with a little help from Opera) delivered them to us, and Adobe's restrictive and insecure monotony was slowly sidelined.

    Now, Mozilla are beginning to follow Google Chrome's path by moving FireFox ever closer to proprietary thinking (aka "monetizing" and "we know what you want better than you do").

    The open standards are still there, but we are going to need a new libre browser to restore openness to the actual user and slowly sideline proprietization once again. There are several contenders, but I wonder which one the more open-minded FireFox devs will turn their efforts to?

  24. STOP_FORTH Silver badge
    Trollface

    A good start

    When will they start banning ads?

  25. Henry Wertz 1 Gold badge

    Sounds OK

    When I saw the "chrome to block downloads from HTTP" I thought "Dumb, why take all this control away? Not everything is life-or-death and needs HTTPS."

    When I saw that it was mixed content (HTTP download links on HTTPS sites), well, that is fine. Having a secure page with insecure images, download links, etc. on it kind of defeats the purpose.

    1. Mike 16 Silver badge

      Re: Sounds OK

      "not everything is life or death", exactly.

      I already have to rename "peculiar" file extensions to .txt just to get some browsers to download them at all (anything that isn't found in their list of extensions for special handling might as well not exist). So here is the scenario:

      Some enthusiast has set up an http site documenting everything you could ever want to know about some obscure computer from the 70s. (alternatively, a homebrew computer with exactly one instance. Yes, I know of such, and if you do too, please don't name it here lest it be SlashDotted, er, Registered)

      As an extra thrill, they actually have a restored instance of that rare beast serving that site.

      Now, completely aside from the question of how long there will be more than one browser, and how mere mortals can use Let's Encrypt without professional help (putting themselves at the mercy of that professional help forever), who gets to patch a webserver from the 90s to run on a system that runs http just fine, but has something like 512K of RAM and has not had an OS update since everybody was doing the Macarena?

      Now another fan of this system finds this wondrous trove and makes a page with links to all that lovely content (http links, of course), and publishes that page on their own "managed" site, using https because that's how it came. Bingo! "No old .txt for you!"

      If you try to do the obvious, and just serve that page of pointers on http, you have just become invisible to <major search engine> that will put you (if it shows you at all) a few hundred pages behind pages serving JS bitcoin miners. So the _third_ fan will never even know this cool site exists.

      Just a mix of opinions and thought-experiments from someone who would really like to know why slick corporate malware is OK, but amateur "created with ed" websites are clearly the devil's spawn.

      1. Charles 9 Silver badge

        Re: Sounds OK

        Blame the tragedy on humanity itself. People are Stupid, Stupid can't be trusted, and while You Can't Fix Stupid, Stupid can easily take the rest of us with them. If you want to solve your problem, solve this one first. My thought is that we need to evolve a better human first.

  26. Anonymous Coward
    Anonymous Coward

    Cookies are usually small text files, given ID tags that are stored on your computer's browser

    Google's declaration means they no longer consider them the cornerstone of their spying business.

  27. Anonymous Coward
    Anonymous Coward

    we need alternative internets

    independent of the big boys and governments' infrastructure and control.

    ...

    and then they will call it DARKNET and all other nasty names, because they want sheep, not wild goats :)

  28. Anonymous Coward
    Anonymous Coward

    Google Chrome and Fischer Price JV

    "My one and only web browser".

    Stay safe, here are 10 links you can access, but only 10.

    Press the green button for...

  29. Torchy

    Goodbye.

    Then it will be goodbye Google, it was nice knowing you but you turned into a big sister and have outgrown your usefulness.

  30. Tom 64
    Coffee/keyboard

    Static?

    > "That said, a huge and important part of the web is essentially static content that's never going to be updated."

    I'm very glad that's not the case, otherwise we'd still be looking at gif files created with a 16 colour EGA palette, and being forced to use shockwave flash*.

    * the horror.

  31. Dedobot

    That dude from MS who once upon a time said "linux is a cancer" maybe had a point :-)

  32. Donn Bly

    Legacy Documents

    I wonder if the blocking will affect redirects? It would be trivial for me to throw together a proxy that ran under HTTP that would do a 301 redirect to the HTTP target. I could then use that as a shim if I have to link to any legacy files or documents.

    In fact, I could do it in less time than it takes The Register to release comments since I seem to have PO'd a couple of people there and my comments are now manually moderated.

  33. Camilla Smythe

    Move Fast...

    ... and break other people's things.

  34. Starace
    Flame

    Misguided paternalism

    So yet again a small self-selected group decides that they think something is a bad idea and they'll forcibly stop everyone doing it because everyone else is just too stupid to think for themselves.

    Centrally managed word/content filters next, tuned to a suitably Googly world view?

  35. HeIsNoOne
    Headmaster

    Thank you for using the expression "hoi polloi" without prepending "the".

    https://en.m.wikipedia.org/wiki/Hoi_polloi

    Sorry to interrupt, as you were...

  36. IGnatius T Foobar ! Bronze badge

    "for your protection"

    And for their next trick, they'll begin providing an ultra-secure HTTPS proxy that provides cloud-hosted web security ... along with a browser that cannot be configured to NOT use it. This is for your own protection, citizen. GoogleFaceBookAmazonTwitterMicrosoft operates the secure proxy as a public service to the online community, and would *never* think to use it to spy on users, suppress competition, meddle with elections, or provide unlimited government surveillance. But you have no secrets to hide ... right?

  37. Anonymous Coward
    Anonymous Coward

    Take off the Tin Foil

    HTTP should go the way of Telnet and standard FTP, ports better left closed for good reasons.

    1. Anonymous Coward
      Anonymous Coward

      Re: Take off the Tin Foil

      You have a very narrow and blinkered view of the internet. Go out and learn more before making silly statements like that.

      1. Charles 9 Silver badge

        Re: Take off the Tin Foil

        Have you ever heard of the Chinese Cannon? This is but one example. If our view is pretty narrow, maybe it's because we've already seen No Man's Land and need to maintain our sanities.

  38. arobertsintergage

    Download or external HTML page?

    Hopefully I am missing something.

    How does Chrome intend to differentiate between a download and an external website link?

    Take:

    http://www.mydomain.com/resource.cgi

    This could be a download, or a HTML webpage.

    Only once fetching the HEAD and examining the MimeType can we be sure.

    So Chrome must be either:

    1) Block all external URLs to HTTP (both downloads and non SSL websites)

    2) or making a HEAD request prior to blocking to determine whether it is a download or not

    3) or guessing based on file extension

    It sounds like for the early phases it will be purely (3), but eventually when they block all downloads, they will be doing (1) or (2).

    Also, if this is to reduce tracking, man-in-the-middle etc amongst other things, wouldn't doing (2) through a HEAD request be almost as bad as a GET request?

    The HEAD request would have to include the normal request, since access to the resource could vary depending on cookie / UserAgent etc and the MimeType could change.

    What have I missed?
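    As an added example (not from either commenter), a small POSIX sh auditor that applies the rule Brewster's Angle Grinder gave above, an explicit http:// link on an https page is blocked while relative and scheme-relative links inherit the page's scheme, using the extension guess from option (3). The sample page and the extension list are constructed for the demo and stand in for Chrome's own heuristics rather than reproducing them.

```shell
#!/bin/sh
# Added example, not from the commenters above: audit an HTML page served over
# HTTPS for download links that an https-page/http-link mismatch would block.
# The sample page and the extension list are constructed for this demo; they
# are a stand-in for Chrome's own heuristics, not a copy of them.
set -e
PAGE_FILE="${PAGE_FILE:-$(mktemp)}"
cat > "$PAGE_FILE" <<'EOF'
<html><body>
<a href="http://mirror.example.net/tool-1.0.exe">Installer</a>
<a href="http://mirror.example.net/tool-1.0.tar.gz?mirror=2">Source tarball</a>
<a href="http://old.example.org/manual/">Manual (an HTML page, not a download)</a>
<a href="https://mirror.example.net/tool-1.0.zip">Zip, already on HTTPS</a>
<a href="//cdn.example.net/tool.iso">Scheme-relative ISO</a>
<a href="/local/notes.txt">Same-origin text file</a>
<a HREF='http://mirror.example.net/README.TXT'>Single-quoted text file</a>
</body></html>
EOF

# Option (3) from the post: guess "download" from the file extension.
DL_EXTS='exe|msi|dmg|iso|zip|gz|tgz|7z|rar|pdf|txt|apk|jar'

# is_blocked PAGE_SCHEME URL: exit 0 when the link would be blocked.
# Relative and scheme-relative hrefs inherit the page's scheme, so only an
# explicit http:// link on an https page fails "at least as secure as the page".
is_blocked() {
  page_scheme="$1"; url="$2"
  [ "$page_scheme" = "https" ] || return 1
  case "$url" in http://*) ;; *) return 1 ;; esac
  path="${url%%\?*}"; path="${path%%#*}"     # ignore query string and fragment
  printf '%s\n' "$path" | grep -qiE "\.($DL_EXTS)$"
}

# list_blocked FILE PAGE_SCHEME: print every href that would be blocked.
list_blocked() {
  tr "'" '"' < "$1" | grep -oiE 'href="[^"]*"' | cut -d'"' -f2 \
    | while IFS= read -r href; do
        if is_blocked "$2" "$href"; then printf '%s\n' "$href"; fi
      done
}

count_blocked() { list_blocked "$1" "$2" | wc -l | tr -d ' '; }

echo "Links that would be blocked on an HTTPS page:"
list_blocked "$PAGE_FILE" https
```

Run it against your own https pages to find the http:// download links to fix before the block lands; an http page (second argument `http`) reports nothing, matching the rule above.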

  39. adam 40 Bronze badge

    It's the end of the World Wide Web (as we know it)

    I'm sure when Sir Tim Berners-Lee invented HTTP, he didn't envision some engineer in California doing this to the WWW.

    More browser fascism - what with this and HTTPS TLS < 1.2, I'll have to crank out the compiler, then.


Biting the hand that feeds IT © 1998–2020