Page 1 of 1

Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Thu Apr 11, 2019 6:05 pm
by barbaz
https://www.zdnet.com/article/google-ch ... downloads/

Is this really a significant security advantage?

To me, this would only be an annoyance. I've only ever seen such downloads in legitimate contexts, e.g. Basilisk browser. And in the case of Basilisk, they have checksums on their HTTPS site, so a MitM wouldn't be able to tamper with the download without being noticed.

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Fri Apr 12, 2019 4:01 pm
by therube
Well, that would be one way to put a dent in your competition, wouldn't it.
(Not that basilisk, or anyone out there, is competition to Google.)

Safer?

Less convenient, that is for sure.
Suppose you wanted to do something like download basilisk from within Chrome ;-).

It will force basilisk & all others out there, to essentially force https: everywhere.
(Someone should make an extension, & call it HTTPS everywhere.)

Suppose that if they've come up with this idea, they have their reasons for it.

I'm not thinking of anything offhand, why it would be "safer"?
I can download a mozilla browser over ftp. (Well, used to.)
Now is that "safer" then downloading it via https?

So long as you can verify authenticity... wouldn't care of it came from torrent or magnet or email or ... hand delivery.

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Tue May 21, 2019 3:17 am
by chrispeddler
While Google Chrome makes their web world make it a safer place, yes, inconvenience would be the problem. You can opt for open source browsers like Mozilla instead.

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Tue May 21, 2019 3:09 pm
by barbaz
chrispeddler, did you even read the article before posting here?

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Fri Aug 13, 2021 4:26 pm
by barbaz

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Fri Aug 13, 2021 4:48 pm
by therube
Potential security risk -- with a red exclamation mark icon.
Well that (message) is clear as mud.
A click or tap on the download in the panel opens additional information and options.
Oh, the 'ol double-click trap.
The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content.
In which case there is no reason to have this hogwash!
Firefox 92 comes with a preference switch...
Which you can be sure will disappear in a later version.


Not to mention, that insecure (page) insecure (download) will be accepted just fine.
So if you want to download Win32pad, insecure page, http://www.gena01.com/win32pad/download.shtml, insecure download, http://www.gena01.com/win32pad/win32pad_1_5_10_3.zip, that's all fine & dandy.


Now how does that make any sense? How is the fact that it's "mixed content" that they'll be block, matter!

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Posted: Fri Aug 13, 2021 5:15 pm
by therube
Which you can be sure will disappear in a later version.
As an example, This leaves no configuration option to....