W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2019

Re: Blocking high-risk non-secure downloads

From: Yan Zhu <yan@brave.com>
Date: Thu, 11 Apr 2019 19:26:06 -0700
Message-ID: <CAO04vJ8Pdt=FJT1KKHqKiqOCfXJXZmGDhkKKAHsnS7KTs2R6uA@mail.gmail.com>
To: Emily Stark <estark@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Joe DeBlasio <jdeblasio@chromium.org>, cthomp@chromium.org
On Tue, Apr 9, 2019 at 11:30 AM Emily Stark <estark@google.com> wrote:
>
> Hi webappsec friends,
>
> Over in Chrome land, we've been considering how to drive down non-secure downloads, particularly high-risk ones like executables. I wanted to see if other browsers would be interested in joining us on this adventure.

Hi Emily! Brave Desktop tries to address this issue by showing the
origin of the download in the downloads bar at the bottom of the
browser and a little red insecure icon next to HTTP. Our designers are
not a fan of this approach since it adds ~10px to the download bar
height and looks a bit cluttered :). Screenshot attached.

>
> We want to achieve the right balance between compatibility/user-disruption and security improvements, so we will likely start by treating certain high-risk downloads initiated from secure contexts as active mixed content and block them. We're still finalizing our metrics before we can share them publicly, but right now it's looking like it will be feasible to block a set of high-risk filetypes (executables and archives as determined by the Content-Type header or sniffed mime-type). We will likely focus on protecting desktop users because Android and Safe Browsing already provide protection against malicious APKs.
>

I think this is a good idea in terms of user safety but more
questionable in terms of the incentives for developers to migrate to
HTTPS, as Dev stated. If Chromium has a heuristic for high-risk
filetypes, Brave would strongly consider blocking files matching that
heuristic over HTTP regardless of the context.

> We're not planning to focus on non-secure downloads initiated from non-secure contexts at the moment, because users at least see the "Not Secure" omnibox badge on those pages.
>
> Feedback welcome!
> Thanks,
> Emily


Screen_Shot_2019-04-11_at_7.17.49_PM.png
(image/png attachment: Screen_Shot_2019-04-11_at_7.17.49_PM.png)

Received on Friday, 12 April 2019 02:26:56 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 April 2019 02:26:57 UTC