Major browsers to block some plain-HTTP downloads on HTTPS sites

[barbaz]

https://www.zdnet.com/article/google-ch ... downloads/

Is this really a significant security advantage?

To me, this would only be an annoyance. I've only ever seen such downloads in legitimate contexts, e.g. Basilisk browser. And in the case of Basilisk, they have checksums on their HTTPS site, so a MitM wouldn't be able to tamper with the download without being noticed.

[therube]

Well, that would be one way to put a dent in your competition, wouldn't it.
(Not that basilisk, or anyone out there, is competition to Google.)

Safer?

Less convenient, that is for sure.
Suppose you wanted to do something like download basilisk from within Chrome .

It will force basilisk & all others out there, to essentially force https: everywhere.
(Someone should make an extension, & call it HTTPS everywhere.)

Suppose that if they've come up with this idea, they have their reasons for it.

I'm not thinking of anything offhand, why it would be "safer"?
I can download a mozilla browser over ftp. (Well, used to.)
Now is that "safer" then downloading it via https?

So long as you can verify authenticity... wouldn't care of it came from torrent or magnet or email or ... hand delivery.

[chrispeddler]

While Google Chrome makes their web world make it a safer place, yes, inconvenience would be the problem. You can opt for open source browsers like Mozilla instead.

[barbaz]

chrispeddler, did you even read the article before posting here?

[barbaz]

https://www.ghacks.net/2021/08/13/firef ... y-default/

[therube]

Potential security risk -- with a red exclamation mark icon.

Well that (message) is clear as mud.

A click or tap on the download in the panel opens additional information and options.

Oh, the 'ol double-click trap.

The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content.

In which case there is no reason to have this hogwash!

Firefox 92 comes with a preference switch...

Which you can be sure will disappear in a later version.


Not to mention, that insecure (page) insecure (download) will be accepted just fine.
So if you want to download Win32pad, insecure page, http://www.gena01.com/win32pad/download.shtml, insecure download, http://www.gena01.com/win32pad/win32pad_1_5_10_3.zip, that's all fine & dandy.


Now how does that make any sense? How is the fact that it's "mixed content" that they'll be block, matter!

[therube]

Which you can be sure will disappear in a later version.

As an example, This leaves no configuration option to....