Blocking high-risk non-secure downloads from Emily Stark on 2019-04-09 (public-webappsec@w3.org from April 2019)

From: Emily Stark <estark@google.com>
Date: Tue, 9 Apr 2019 11:28:33 -0700
To: WebAppSec WG <public-webappsec@w3.org>
Cc: Mike West <mkwst@google.com>, Joe DeBlasio <jdeblasio@chromium.org>, cthomp@chromium.org
Message-ID: <CAPP_2SaTBCsrKu5kJR5cpByV2Dyw=gXx0ia5NHG3NL2NAsLnHg@mail.gmail.com>

Hi webappsec friends,

Over in Chrome land, we've been considering how to drive down non-secure
downloads, particularly high-risk ones like executables. I wanted to see if
other browsers would be interested in joining us on this adventure.

We want to achieve the right balance between compatibility/user-disruption
and security improvements, so we will likely start by treating certain
high-risk downloads initiated from secure contexts as active mixed content
and block them. We're still finalizing our metrics before we can share them
publicly, but right now it's looking like it will be feasible to block a
set of high-risk filetypes (executables and archives as determined by the
Content-Type header or sniffed mime-type). We will likely focus on
protecting desktop users because Android and Safe Browsing already provide
protection
<https://source.android.com/security/reports/Google_Android_Security_2018_Report_Final.pdf>
against malicious APKs.

We're not planning to focus on non-secure downloads initiated from
non-secure contexts at the moment, because users at least see the "Not
Secure" omnibox badge on those pages.

Feedback welcome!
Thanks,
Emily

Received on Tuesday, 9 April 2019 18:29:07 UTC