Chrome 83 will Block Insecure Downloads on HTTPS Pages

[silversurfer]

Google plans to block all insecure downloads in coming versions of the company's Google Chrome browser. Insecure downloads, according to Google, are downloads that originate from HTTPS websites that are not served via HTTPS. The decision won't affect sites that are still accessed via HTTP.

The change is the next step in Google's plan to block "all insecure subresources on secure pages" which it announced last year. Back then, Google declared that mixed content, another term for insecure content on secure websites, "threatens the privacy and security of users" as attackers could modify the insecure content, e.g. by tampering with a mixed image of a stock chart to mislead investors" or injecting "a tracking cookie into a mixed resource load".

Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.

Read more below:

Google Chrome will block all "insecure downloads" in the near future - gHacks Tech News

Google plans to block all insecure downloads in coming versions of the company's Google Chrome browser (starting with Chrome 83).

www.ghacks.net

 

[Antus67]

In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced.


The plan, which the Internet giant laid out this week, is expected to be completed sometime in the fall, when Chrome 86 arrives.
The announcement comes just days after the release of Chrome 80, which by default blocks mixed audio and video resources if they cannot be automatically upgraded to HTTPS. The same will happen with image files in Chrome 81, which is expected to be released to the stable channel in March 2020.
In the long term, Google’s plan is to block all insecure sub resources on secure pages, as they represent a risk for users. Files that are downloaded insecurely could be replaced by attackers with malware, or exposed to eavesdroppers.


“To address these risks, we plan to eventually remove support for insecure downloads in Chrome,” the Internet giant says.
In the initial phase, the focus is on insecure downloads started on secure pages, and the first step is to display warnings. The restrictions for mixed content downloads, Google says, will be pushed to all desktop platforms first.

Executable files will be impacted first, with Chrome 82 displaying a warning on them and Chrome 83 blocking them.

 

[koloveli]

addon https everywhere protect

 

[Sampei Nihira]

There is something wrong with the information in the article.
This is much more detailed:
And in fact it seems to me that mixed audio video content is not blocked in Chrome 80.
As verified by the test below:

TLS Client Test - TLS Fingerprinting

Check your browser's supported SSL/TLS protocols. Inspect TLS ClientHello, supported cipher suites, TLS extensions, test ECH support. Identify weak or insecure options, generate a JA3/JA4 TLS fingerprint, and test how the browser handles insecure mixed content.

browserleaks.com

Microsoft Edge/Chromium also behaves the same way.
My New Moon performs much better on this test.

 

[TairikuOkami]

addon https everywhere protect

That will only switch the webpage to https, when available, not downloads? Not to mention, it uses whitelist.
On the other hand Smart HTTPS extension will try to switch any webpage to https, but it can cause some issues.