Google announced a phased plan for Chrome to warn users about, and eventually block, insecure file downloads started from HTTPS pages. Announced on the Google Security Blog, the plan targets "mixed content downloads": situations where a secure HTTPS page serves file downloads from unencrypted HTTP sources.
Why This Is a Security Risk
When you're on an HTTPS website, the connection between your browser and the server is encrypted. But if that website links to a file download hosted on plain HTTP, that download is not encrypted in transit. This means an attacker between you and the server could intercept the download and replace it with malicious software — even if the website itself is legitimate.
Phased Rollout by File Type
Google rolled out warnings progressively, starting with the highest-risk file types:
- Chrome 82: Executable files (.exe, .apk, .dmg) — warnings first, then blocked
- Chrome 83: Zip and archive files
- Chrome 84: PDF, Word, and document files
- Chrome 85+: All remaining insecure file downloads blocked
What This Means for Businesses
If your company website hosts downloadable files — software installers, PDFs, forms — and those files are served via HTTP rather than HTTPS, Chrome users would have seen warnings or been unable to download them. This was a strong signal to migrate all file hosting to HTTPS.
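One way to audit a page for this, as an added example (not code from Google or from this post): the Python script below lists file links that an HTTPS page serves over plain HTTP and labels each with the rollout phase from the list above. The function name `find_mixed_downloads`, the extensions beyond those the list names, and the example.com hostnames are assumptions.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urljoin, urlsplit

# Buckets mirror the rollout list above. Only .exe/.apk/.dmg, zip, PDF and Word
# are named on the page; the other extensions are assumptions for illustration.
PHASES = [
    ("Chrome 82: executables", {".exe", ".apk", ".dmg"}),
    ("Chrome 83: archives", {".zip", ".tar", ".gz", ".7z", ".rar"}),
    ("Chrome 84: documents", {".pdf", ".doc", ".docx"}),
]
FALLBACK = "Chrome 85+: remaining files"
PAGE_EXTS = {"", ".html", ".htm", ".php"}  # heuristic: navigation, not a download

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def find_mixed_downloads(page_url, html):
    """Return (url, phase) for each file an HTTPS page links to over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        target = urlsplit(urljoin(page_url, href))  # resolves relative and // links
        ext = PurePosixPath(target.path).suffix.lower()
        if target.scheme != "http" or ext in PAGE_EXTS:
            continue
        phase = next((name for name, exts in PHASES if ext in exts), FALLBACK)
        findings.append((target.geturl(), phase))
    return findings

# Constructed sample markup (hostnames are placeholders).
SAMPLE = """
<a href="http://files.example.com/setup.exe">Installer</a>
<a href="/docs/form.pdf">Form</a>
<a href="http://files.example.com/brochure.PDF">Brochure</a>
<a href="//cdn.example.com/bundle.zip">Bundle</a>
"""

for url, phase in find_mixed_downloads("https://www.example.com/downloads", SAMPLE):
    print(f"{phase} -> {url}")
```

The scan reads link targets only and does not follow redirects, so a link that starts on HTTPS and redirects to an HTTP host will not appear in the output.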
Landshark IT helps Tampa Bay businesses with web security assessments and configuration. If your website serves files and you're unsure of your security posture, contact us for a review.