
Protecting users from insecure downloads in Google Chrome - trulyrandom
https://security.googleblog.com/2020/02/protecting-users-from-insecure_6.html
======
Ajedi32
This is long overdue. It was kinda crazy how you couldn't even visit a plain
HTML page over plain HTTP without Chrome showing a "Not Secure" badge in the
URL bar, yet downloading an executable file over an insecure connection
produced absolutely no warning at all. You couldn't even manually check
whether the file was downloaded over a secure connection without explicitly
going to the downloads page. (I think Firefox is even worse in this respect
right now, in that the only way to check where a file was downloaded from is
to open the downloads library, right-click an item, click "Copy Download
Link", then paste it into a place where you can read the text.)

One thing I do find particularly interesting about this post though is the
part where they imply they might start blocking _all_ insecure file downloads
at some unspecified point in the future. That would be a pretty major move.

------
proactivesvcs
Both Microsoft and Apple ignored my emails regarding them serving HTTP
downloads from HTTPS pages. I guess they'll pay attention when this sort of
security feature gains enough traction.

~~~
tatersolid
Those downloads from MSFT and AAPL are signed binaries, which the OS verifies,
so download over HTTP is much safer.

Still, I agree unencrypted or unauthenticated transport has no place on the
Internet in 2020.

------
lousken
Hopefully disabling JavaScript on HTTP sites will follow.

