Chrome, Insecure Downloads, and Your Cybersecurity
Google recently announced that it is tightening Chrome browser protection from insecure downloads.
In this post we explain just what Google is doing, and how it will impact cybersecurity and your web surfing experience.
Mixed Content Downloads
What Google is concerned about are “mixed content downloads.” A mixed content download is when you go a secure website – starting with https:// and usually indicated in your browser with a lock symbol– but when you initiate a resource download, it comes from a non-secure address (indicated by “http://” - no “s”). That resource – which could be a file, image, or executable – could be infected with malware. Mixed content downloads represent a real risk – a sort of backdoor that can introduce content that’s been tampered with, when you think you’re safely browsing on a secure site.
Starting with Chrome 81, which was released in March 2020, all types of mixed content downloads trigger a console message warning about the download. Unfortunately, this won’t protect users, since console messages are mostly targeted at developers and average users don’t see them.
With the Chrome 82 release in April 2020, Chrome loops in users, with a warning when they try to download an executable file from a non-secure site. With Chrome 83, these executables will be blocked, and warnings issued for archive files. While Google has stated that its schedule may change due to impacts of COVID-19, it had shared that over a six-month period it will phase in warnings and then blocking for different types of files from insecure sites, including PDFs, images, and so on. With Chrome 86, due for release sometime in the Autumn, all mixed content downloads, all insecure content, will be blocked, per the detailed timeline in the Google announcement.
Security Implications and Continued Risks
This is definitely a useful step that provides a “front-line defense” against potentially malicious content that is using this specific attack vector (mixed content downloads). But on its own, it’s not an adequate solution to dangerous web downloads – users still need another layer of protection.
Here’s why: When a resource is being downloaded from a secure (https://) page, Chrome does not inspect the actual resource itself that is being downloaded. All it’s doing is ascertaining that it comes from a secure (https://) page. If someone loaded malware into an executable on a secure page, this latest Chrome feature will neither detect it nor block it.
There are many ways infected files can find their way onto a secure site. For example, someone with legitimate site updating access might accidentally upload an infected document or PDF file to a company website, not knowing the document is infected. In a less innocent scenario, cyberthieves know that insecure sites are increasingly being blocked or subject to onerous warnings, and therefore use https:// addresses for fake diversion sites, where they might use infected downloads to deliver malware.
And of course, getting infected by a website visit does not require that you download content. Just by visiting a website, malware embedded in the active content of the web page itself – the scripts, style sheets, fonts, advertisements and so on – can make its way into your browser and infect the endpoint during the page rendering process.
Remote Browser Isolation
While this Chrome security enhancement is a positive step, provides only limited and partial protection on downloads, and does nothing to stop so-called “drive by” malware embedded in the active content of web pages themselves. The only way to safely visit a website and download content is by using a “zero trust” remote browser environment: one where the browser is isolated from company servers and user devices to protect against malware in active content, and where any files or executables that are downloaded are individually checked and thoroughly cleansed before reaching the user device.
See “Browser isolation explained: Understanding how RBI keeps your organization secure” for more information on why Remote Browser Isolation is the only way to keep browsing safe.