Why Do Browsers Block HTTP Downloads?

November 30, 2020 | Guest Blogger: Anastasios Arampatzis

Browsers are taking successive steps to protect end users from falling prey to malicious actors. Having already pushed all websites toward HTTPS, they have now extended those security efforts by blocking HTTP downloads.

Back in February 2020, Google announced a plan to gradually block all HTTP downloads on the Chrome browser, while Mozilla has also implemented similar policies in Firefox.

What is the danger behind HTTP downloads?

As we have written before in this blog, all major browser vendors are displaying either a textual or a visual warning when users are visiting a non-HTTPS website.

Figure 1: "Not Secure" warning displayed on a Chrome browser

This way, users are informed about the insecure connection so that they are cautious not to transmit any critical information to that website. This has played a pivotal role in driving user awareness and HTTPS adoption.

However, Google and Mozilla decided that this is not enough. Many websites, although protected by a TLS/SSL certificate, serve content downloads through HTTP connections. This is also known as mixed content.

When a user visits a webpage fully transmitted over HTTPS, such as a bank website, the connection is authenticated and encrypted, and thus safeguarded from both eavesdroppers and man-in-the-middle attacks. However, if the HTTPS page includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. In this case, the page is only partially encrypted and even though it appears to be secure, it is not. The connection is in fact open to eavesdropping and man-in-the-middle attacks.

As Google said in a blog post “Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements.” This is a hole in HTTPS security. Hence, Google and Mozilla have decided to close this gap by blocking HTTP downloads from HTTPS websites.

What downloads are blocked and when

According to Google’s original announcement in February, the browser would begin blocking “the file types that pose the most risk to users,” starting from Chrome 81, released in March 2020. These file types include executable files such as .exe and .apk.

However, the Chrome Platform Status has an update informing users that “User-visible warnings will start in Chrome 84 (instead of Chrome 82), with warnings ramping up through Chrome 87. Final desktop blocking will be complete by Chrome 88. Android will lag one release behind, with the first user-visual warnings seen in Chrome 85.” Chrome 84 was released in August 2020.

Google’s approach to blocking mixed content is a gradual rollout that is “designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.” The table below, adapted from Google’s original plan, displays the rollout as it currently stands.

Table 1: Google's updated HTTP Block plan

Please note that if a website uses HTTP, users can still download HTTP files. This plan targets HTTPS sites that use HTTP download URLs because the browser is showing the site to be secure while the download is insecure.
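The pattern the plan targets, an HTTPS page whose download links point at plain http:// URLs, can be checked for offline before a browser ever flags it. The following is an added example written for this post, not Google's or Mozilla's code; the sample HTML and the extension list beyond .exe and .apk are constructed assumptions.

```python
# Added example (not from the original post): find mixed-content download links,
# i.e. http:// file URLs reachable from a page that is itself served over https://.
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# .exe and .apk are the file types the post names as blocked first; the remaining
# entries are assumptions chosen for the example.
RISKY_EXTENSIONS = {".exe", ".apk", ".msi", ".dmg", ".zip"}

class _LinkCollector(HTMLParser):
    """Collects (href, has_download_attribute) for every <a> tag in the page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr_map = dict(attrs)           # a bare "download" attribute maps to None
        href = attr_map.get("href")
        if href:
            self.links.append((href, "download" in attr_map))

def find_insecure_downloads(page_url, html):
    """Return absolute http:// download URLs linked from an https:// page.

    A page served over plain HTTP is not mixed content (the post notes such
    downloads are still allowed), so nothing is flagged for it.
    """
    if urlparse(page_url).scheme != "https":
        return []
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, is_download in collector.links:
        absolute = urljoin(page_url, href)        # resolves relative and //host hrefs
        parsed = urlparse(absolute)
        if parsed.scheme != "http":
            continue                              # https:// links are fine
        ext = posixpath.splitext(parsed.path)[1].lower()
        if is_download or ext in RISKY_EXTENSIONS:
            flagged.append(absolute)
    return flagged

# Constructed sample page: one secure installer, one relative link, three http:// links.
SAMPLE_HTML = """
<a href="http://cdn.example.com/setup.exe">Installer</a>
<a href="https://cdn.example.com/setup-secure.exe">Installer (TLS)</a>
<a href="/downloads/app.apk">Android app</a>
<a href="http://files.example.com/report" download>Statement</a>
<a href="http://www.example.com/about.html">About</a>
"""
```

Run against `https://www.example.com/index.html`, only the two plain-HTTP file links are reported; the relative .apk link resolves to https:// and the http:// HTML page is not a download.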

When a user tries to download HTTP content that is blocked, they should get a warning like the one displayed below.


Figure 2: Potential warning on Chrome of blocked HTTP download

On the other hand, Mozilla is already implementing a mixed content block. According to the vendor, users see a gray padlock when they visit a website that is fully served via HTTPS or whose mixed content has been blocked. If the site contains mixed content that is not blocked, or if it is served only through HTTP, visitors see a gray padlock with a red line over it. Finally, a gray padlock with an orange or yellow triangle indicates that Firefox is not blocking insecure passive content, such as images. Mozilla provides instructions on how to disable the default blocking of active mixed content.

Figure 3: Mozilla padlocks for mixed content

By default, Firefox does not block mixed passive content; users will simply see a warning that the page is not fully secure. Attackers may be able to manipulate parts of the page like displaying misleading or inappropriate content, but they should not be able to steal personal data from the site.

Conclusion

Although browser vendors have been putting efforts into raising awareness and driving wider adoption of HTTPS, blocking mixed content downloads is certainly a milestone towards enhancing security and privacy on the internet.

About the author

Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
