Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this

Re: The long game

> we're getting to the age of gInternet

Sounds like something you need tonic for

Re: The long game

It's actually much worse than that. By virtue of the need to "get on page one" of Goooooooogle, every web site is now developed according to the same goddawful standards dictated by guess who. For example:

[1] the entire site map on every page, placed right at the top, causing anyone using a screen to text reader to have to listen to all that crap before they get to the (typically) couple of lines of text of interest at the bottom.

[2] All images served by javascript (take note El Reg, and no it doesn't deserve capital letters) ensuring that anyone who browses securely (and thus can't be snooped on) can't see the pictures.

[3] All links resolved by javascript, with their HTML anchors blocked by #, ensuring that the user can't browse without being snooped on.

[4] entirely javascript-driven sites that don't render at all unless scripting is enabled, ensuring that the user can be snooped on (take note NCSC - as the national cyber security agency you should know better).

[5] forcing all web sites that want a Gooooooogle ranking to go TLS even where it's utterly unnecessary in real terms (the outcome being proliferation of unverifiable self-signed certificates bought on the cheap).

They'd like you to think that this is all in aid of User Xperience and Security, but in reality it's just a good way to corner the entire ecosystem. And they're being let get away with it.

Re: The long game

Google antitrust is coming they control serverside and client side and can do what they like and they abuse it. There is no security risk downloading a .txt or a .exe even if its replaced in transit, if you checksum the download after.

All security is not https.

Google like https because it stops spying by anyone but them.

They like breaking change because its hits smaller competition harder than them.

We need a level playing field in the www based market. Google want it as complicated as possible because they always win. They dont release the problem on the world until they have it solved on their servers and browsers. Somehow google on chrome always works.

Google dont even use the web anymore. They run their own bespoke internet protocols, spdy/3 at last, check they dont answer to any standards bodies but every other company has to spend money to fix their latest "security" issue.

Any one noticed tha we have spent 20 years downloading .txt files and so far the world kept turning.

Is .exe getting hacked in transit a theoretical or practical problem?

Its mostly theoretical, because you download .exe over htps with no better guarantees of its validity every day. Most .exe over http downloads are done on trusted networks.

Os and browser and search is a dangerous vertical.

I suspect a chromium fork for with lower/stable security would get significant market share as corps insit staff install it instead of internal IT taking a hit for these anti-competative practices that should have no effect on their use of valid www protocols internally.

Re: Not as disruptive as it sounds

Wondering how this would affect the users of self hosted "clouds" (e.g. ownCloud, NextCloud)...

Although, yes, I would agree immediately that a non-HTTPS "cloud" install would be questionable to begin with...

Re: Not as disruptive as it sounds

But when I realised it only affects mixed content, that's not so bad at all.

But the intention isn't to just affect "mixed content"...

Reading the linked Google articles, I would be relatively happy if it was just about "mixed content", so that all the ad's, scripts and other stuff webpages download (to the browsers cache) just to be displayed, had to come across https sessions because in the main today these get filtered out by AdBlocker/uBlock et al. The problems arise when Google say they will also block content I want, which seems to imply that if I explicitly click on some element that permits me to download an iso, zip, doc, xls, pdf etc. (to my preferred download location) Chrome will by default prevent/block it.

Re: Annoying tho

You could use a non-Chrome based browser -- at least this year and next and probably the year after that. However, there are fewer and fewer of those that actually work with today's (often needlessly) complex websites. I fear that in a few years we will be down to Chrome and Firefox. And a few years after that to just Chrome.

A few decades ago, the fad d'jour was Continuous Improvement (Kaizen 改善,). We now seem to be well into the era of Continuous Deterioration.

Re: Doesn't make any sense

I thought this as well. Their "staged" plan doesn't make any sense: first we will block ".exe" files, then we will block ".zip" files, etc.

But, actually, by the end of the year, file name extensions become irrelevant (we're told) so non-Windows platforms shoud be equally protected.

Re: Doesn't make any sense

"(Its an obvious fact but obviously not well known because my workplace bans the sending and receiving of ZIP files so you have to rename them to send them outside the building)"

Just be glad your firewall doesn't do magic number scanning to check for trick files, then, because it'll get tripped up by the fact a lot of modern formats are actually containers based on (guess what?) ZIPs. The Magic Number trick isn't as useful as it once was because of this.

Re: IP Cam

I'm sure a nice new Nest camera will work fine

Re: It's not going to fix much

Yes, that is the big elephant in the room: https doesn't make the site or the user safe, except safe against passive content surveillance by third parties. You can download malware (or upload it) in perfect privacy.

Re: It's not going to fix much

"It's just a picture, nothing harmful"

Re: Release 100....

If you have your dick out in front of Chrome I hardly think you're going for a piss.

Re: Serious overreach

"Warning people is fine -- "

Until people IGNORE the warnings. Remember Click Fatigue?

Re: Serious overreach

For those too outraged to read the whole article it says you can click on the address bar on the little security icon and enable unsafe downloads.

Re: No

"If you aren't logging in and arn't purchasing, how is downloading a text file a big issue?"

If you are a Uighur in China, it can be a life-threatening issue.

Part of this is to stop MITM attacks.

It's easy (using available frameworks) to MITM someone on a network and modify their HTTP downloads on the fly. So as they download an EXE, your MITM machine adds malware to the file and the unsuspecting user gets the modified version

Same can be done with archives and ISO downloads.

This makes it harder for someone on your network, ISP, NSA types (or criminals who have gained access somewhere/redirected traffic via BGP attacks) to intercept along the route and add their own code.

Re: So much for my home server

If you have no https on it at all it won't be affected. Even if it was mixed content, you can enable 'insecure' downloads. It's all in the article.

Re: Why would you?

There are sites that host large software distributions, and are busy enough they'd notice the CPU hit. It would also affect local caching - you don't want your companies link to be used to repeatedly download the same huge file 1000's of times.

These files are all protected with cryptographic hashes.

The fact you justify your argument by talking about some small site on a third party hosting platform speaks volumes.

Re: Why would you?

Yeah, fuck those open source projects using servers from multiple sponsors with things like DNS round robins...

There is no excuse for potential sponsors to simply add a line to their crontab then give the project maintainers an IP address and forget about it. If a university really cared about letting people use their spare resources for free they would have a sysadmin configure per-project TLS certificates which have been provisioned through some complex system set up by project maintainers (given that letsencrypt etc only works if you have complete control over the hostname, the project in question would need to find their own solution for provisioning per-server certs and replacing certificates and have mirror servers use that, along side the per-project solution for every other project they donate bandwidth to). All potential sponsors should maintain and renew certificates and per-project server comfigurations and basically have staff dedicate hours of paid time to running the free services. The internet demands that people doing things to help the public suffer the consequences of their decision!

I won't even get started on people who think they are allowed to run their own services without dedicated hostnames under their public domain name and unfiltered global access to the dedicated global IP etc... we all know that hosting things anywhere other than with a large commercial provider is something only terrorists and paedophiles do.

I am currently trying to figure out how to get my WiFi controller to work properly from a VM hosted on a different network, so I can do that HTTPS thing with a free certificate, but for some reason my access points don't seem to be detected. This is weird and makes no sense, because when I tried a temporary test instance running on one of my computers on the local network it worked just fine... obviously that is not a solution because running things on your own network is not the 2020 way of doing things.

Re: Why would you?

The push for all websites to use https is all very well but isn’t this putting even more strain on the IP4 address shortage? One of the overhead of https is that every domain needs to be on a separate address.

.... or is there some additional magic at work at hosting companies to get around this?

Could have renamed to something common like .jpg or .pdf and asked the recipient to rename it back to .exe?

Next time

Next time, if it is within 1GB: send.firefox.com

Re: Fine by me

Sure, there are oh so many other browser engines out there...

Re: Question

If a https download page links to a http mp3, it will be blocked. Other than that, everything is fine.

So a https download page must link to a https mp3. But a http download page can link to whatever it likes. All that's required is the encryption scheme of the download is at least as secure as that of the page it's being downloaded from.

Re: Sounds OK

"not everything is life or death", exactly.

I already have to rename "peculiar" file extension to .txt just to get some browsers to download them at all (anything that isn't found in their list of extensions for special handling might as well not exist). So here is the scenario:

Some enthusiast has set up an http site documenting everything you could ever want to know about some obscure computer from the 70s. (alternatively, a homebrew computer with exactly one instance. Yes, I know of such, and if you do too, please don't name it here lest it be SlashDotted, er, Registered)

As an extra thrill, they actually have a restored instance of that rare beast serving that site.

Now, completely aside from the question of how long there will be more than one browser, and how mere mortals can use Let's Encrypt without professional help (putting themselves at the mercy of that professional help forever), who gets to patch a webserver from the 90s to run on a system that runs http just fine, but has something like 512K of RAM and has not had an OS update since everybody was doing the Macarena

Not another fan of this system finds this wondrous trove and make a page with links to all that lovely content (http links, of course), and publishes that page on their own "managed" site, using https because that's how it came. Bingo! "No old .txt for you!"

If you try to do the obvious, and just serve that page of pointers on http, you have just become invisible to <major search engine> that will put you (f it shows you at all) a few hundred pages behind pages serving JS bitcoin miners. So the _third_ fan will never even know this cool site exists.

Just a mix of opinions and thought-experiments from someone who would really like to know why slick corporate malware is OK, but amateur "created with ed" websites are clearly the devil's spawn.

Re: Take of the Tin Foil

You have a very narrow and blinkered view of the internet. Go out and learn more before making silly statements like that.