Re: Blocking high-risk non-secure downloads


I realize the question was directed towards other browser vendors but I
figured its on webappsec so I will chime in :)

It is a bit weird that the platform will continue allowing http downloads
from an http page; but not http download from an https page. If the https
page includes a hash/fingerprint of the download and asks users to check
it, you can imagine a world where this is a secure flow. Especially, if we
can add support for downloads in SRI
<>. In
contrast, there is no way for the http download from http pages to be safe.

Now, that might be fine---something is better than nothing. My worry though
is that this could add more roadblocks for people trying to migrate to
https. Further, if the download is really on a different server that
doesn't even support HTTP (for whatever reason), then I also think a
security engineer's time is better spent getting some sort of integrity
check/verification than trying to get that page to support HTTPS.

Has Chrome considered blocking HTTP downloads on HTTP pages first?


On Tue, Apr 9, 2019, 2:00 PM Daniel Veditz <> wrote:

> On Tue, Apr 9, 2019 at 11:30 AM Emily Stark <> wrote:
>> Over in Chrome land, we've been considering how to drive down non-secure
>> downloads, particularly high-risk ones like executables. I wanted to see if
>> other browsers would be interested in joining us on this adventure.
> I would be very happy to push in this direction, limited by the amount of
> breakage and user-pushback we can expect. Any statistics you can share
> would be a huge help. Insecure downloads from the secure sites of companies
> who ought to know better are distressingly common ("but the executables are
> signed!").
> -Dan Veditz

Received on Thursday, 11 April 2019 21:56:16 UTC