Major browsers to block some plain-HTTP downloads on HTTPS sites

barbaz
Senior Member
Posts: 10872
Joined: Sat Aug 03, 2013 5:45 pm

Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by barbaz »

https://www.zdnet.com/article/google-ch ... downloads/

Is this really a significant security advantage?

To me, this would only be an annoyance. I've only ever seen such downloads in legitimate contexts, e.g. Basilisk browser. And in the case of Basilisk, they have checksums on their HTTPS site, so a MitM wouldn't be able to tamper with the download without being noticed.
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7944
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by therube »

Well, that would be one way to put a dent in your competition, wouldn't it.
(Not that basilisk, or anyone out there, is competition to Google.)

Safer?

Less convenient, that is for sure.
Suppose you wanted to do something like download basilisk from within Chrome ;-).

It will force basilisk & all others out there, to essentially force https: everywhere.
(Someone should make an extension, & call it HTTPS everywhere.)

Suppose that if they've come up with this idea, they have their reasons for it.

I'm not thinking of anything offhand, why it would be "safer"?
I can download a mozilla browser over ftp. (Well, used to.)
Now is that "safer" than downloading it via https?

So long as you can verify authenticity... wouldn't care if it came from torrent or magnet or email or ... hand delivery.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.5
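
An added example, not part of any post in this thread: the check both posts above rely on, verifying a file fetched over plain HTTP against a `sha256sum`-style list obtained over HTTPS. The file name and sample bytes are constructed for illustration; the check only helps if the checksum list itself arrived over an authenticated channel.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def parse_checksum_list(text):
    """Parse sha256sum-style lines ("<64 hex>  <name>" or "<64 hex> *<name>")."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX:
            table[name] = digest
    return table

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file object in chunks so large downloads are not loaded into memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_download(fileobj, filename, checksum_text):
    """True only if the digest matches the listed entry; a missing entry fails closed."""
    expected = parse_checksum_list(checksum_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_stream(fileobj), expected)

# Constructed sample data: a "published" file and a copy altered in transit.
ORIGINAL = b"constructed installer bytes, version 1.0\n"
ALTERED = ORIGINAL + b"extra bytes added in transit\n"
# Constructed checksum list, standing in for the one served from the HTTPS page.
CHECKSUMS = hashlib.sha256(ORIGINAL).hexdigest() + "  example-browser.tar.xz\n"

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("altered", ALTERED)):
        ok = verify_download(io.BytesIO(data), "example-browser.tar.xz", CHECKSUMS)
        print(label, "PASS" if ok else "FAIL")
```
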
chrispeddler
Posts: 3
Joined: Fri May 10, 2019 9:51 am

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by chrispeddler »

While Google Chrome makes their web world a safer place, yes, inconvenience would be the problem. You can opt for open source browsers like Mozilla instead.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
barbaz
Senior Member
Posts: 10872
Joined: Sat Aug 03, 2013 5:45 pm

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by barbaz »

chrispeddler, did you even read the article before posting here?
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 10872
Joined: Sat Aug 03, 2013 5:45 pm

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7944
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by therube »

"Potential security risk -- with a red exclamation mark icon."
Well that (message) is clear as mud.

"A click or tap on the download in the panel opens additional information and options."
Oh, the 'ol double-click trap.

"The blocking happens only because of the insecure connection, not because the file has a virus or other unwanted content."
In which case there is no reason to have this hogwash!

"Firefox 92 comes with a preference switch..."
Which you can be sure will disappear in a later version.


Not to mention, that insecure (page) insecure (download) will be accepted just fine.
So if you want to download Win32pad, insecure page, http://www.gena01.com/win32pad/download.shtml, insecure download, http://www.gena01.com/win32pad/win32pad_1_5_10_3.zip, that's all fine & dandy.


Now how does that make any sense? How does the fact that it's "mixed content" that they'll be blocking matter!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.10
therube
Ambassador
Posts: 7944
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Major browsers to block some plain-HTTP downloads on HTTPS sites

Post by therube »

Which you can be sure will disappear in a later version.
As an example, This leaves no configuration option to....
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.10