Part of:

Are Insecure Downloads Infiltrating Your Chrome Browser?


As quickly as security measures are introduced for the Chrome browser, hackers find a way around.

For all that people complain about the internet’s insecurity, it’s quite a bit safer than it once was. Large-scale adoption of the HTTPS standard means that internet traffic is largely encrypted, providing a high standard of protection against eavesdropping and man-in-the-middle attacks.

In 2018, over 50 percent of websites used HTTPS protection for the first time ever. This number continues to grow, with 96 out of the 100 top non-Google sites (an amount representing a quarter of all web traffic) defaulting to HTTPS.

Unfortunately, HTTPS is far from ironclad protection. It encrypts your connection, but doesn’t inspect the encrypted traffic. This means that your (supposedly) secure connection is totally capable of delivering malware and that phishing sites can easily fool people by displaying the secure lock icon to the left of their URL. (Read also: How to Keep from Getting Phished in 2020.)

Over half of phishing sites now use HTTPS, and a new study shows that almost 70 percent of malware was delivered via an HTTPS connection.

Much of this malware delivery occurs via an HTTPS loophole known as a “mixed content download.” In this type of attack, you visit a website that’s secured with the familiar HTTPS lock symbol.

If you download something from the site, however, it can come from an insecure address or even a secure address that happens to host malware. As a result, the content you download from the site has the potential to be infected with malware.


From an Accidental Vulnerability to a Malicious Exploit

Mixed content downloads have evolved. It used to be that you’d see a mixed content download if a developer made a mistake. Web applications are increasingly complicated, so this kind of mismatch, while regrettable, isn’t that hard to imagine.

If the mixed content download occurs via developer error, then the download itself may not present that much of a risk (relative to everything else on the internet, at least). The major vulnerability is if a developer accidentally creates a resource for download that was already contaminated by malware (such as an infected PDF), or if an attacker obtains developer credentials and does the same thing.

Developer error isn’t the primary place that you’ll see mixed-resource downloads anymore, however. (Read also: Cybersecurity and Infrastructure: Current Trends and Future Developments.)

Increasingly, attackers are building phishing sites that make use of the HTTPS standard and then implementing mixed-resource downloads on their own. Because ordinary users may not know exactly what HTTPS does, they never suspect that a website that uses the lock symbol might still be trying to phish their credentials or infect their computer.

Is Google Doing Enough to Prevent Mixed Content Downloads?

Google is clearly aware of the mixed content download problem, but it’s arguably moving too slowly. In the Chrome 82 build, Google added popup warnings to users if they initiated an insecure download on a secure site. They are gradually eliminating mixed content downloads in future builds.

An August 2020 build of Chrome blocked all downloads except images, audio, video, and text. By October 2020, mixed content downloads were blocked entirely.

An extended timeline like that gives legitimate developers plenty of time to pull insecure download links and place them with secure ones—but it also gives bad actors plenty of time to act. It’s also good to warn users when they’re about to download a potentially insecure resource, but up to 33 percent of users simply click through these warnings when they appear.

Lastly, these safety measures will close up one avenue for insecure downloads, while still leaving many others open. Attackers can still load malicious resources into secure download links because Chrome has no way to tell whether these resources are legitimate.

While developers are busy turning their mixed content links into HTTPS links, attackers are busy doing the same thing.

Mixed Content is the Tip of the Iceberg for Chrome Vulnerabilities

Attackers have many ways to turn malicious content into legitimate-seeming resources using Chrome. For example, Chrome extensions, which are software applets designed to extend the functionality of the browser, can often be used for harm.

All extensions are promoted through the Chrome Web Store, which is supposed to automatically check extensions for malicious content. These extensions have conferred an air of legitimacy, in other words. Attackers use this legitimacy to cause problems. On the day of this writing (June 18, 2020) Google removed over 100 malicious extensions that had been designed to fool security checks, take screenshots of the browser, monitor users’ keystrokes, and more. Collectively, these extensions were downloaded by nearly 33 million people.

This isn’t an isolated incident. In 2019, 1.5 million people downloaded a pair of apps disguised as popular ad-blocking extensions. Instead of blocking ads, however, the applications loaded malicious tracking cookies onto users’ systems.

The year before that, a different Chrome extension was discovered to be part of a botnet that infected websites with cryptojacking code. (Read also: How Cryptomining Malware is Dominating Cybersecurity.)

The point is that even though Chrome is touted as being a secure mainstream browser (and that’s not a false claim—it’s definitely secure), security is relative. In some ways, Chrome’s reputation for security works against it. Because users think that Chrome is secure, they often think that it’s more secure than any browser could possibly be.

Browsers Need Additional Security Infrastructure

Essentially, attackers are too clever for any browser to be truly secure, and no amount of security awareness training will teach every user to avoid phishing sites – especially when those phishing sites are secured by HTTPS, which makes them look extremely legitimate.

If you can’t trust your browser, you need to look at Zero Trust solutions. These are security tools designed so that no user or application is taken for granted—it’s all potentially compromised.

In this case, Remote Browser Isolation (RBI) is a great tool to use for increased browser security. (Read also: The Top 6 Qualities to Look for in a Browser Isolation Solution.)

In this setup, the browser is kept in a secure container inside the DMZ or in the cloud, and it streams fully interactive content to the user’s endpoint. Because the browser is isolated, malicious downloads and extensions never end up on the user’s computer—there’s nothing for them to infect.

Although browsers may not be fully secure in and of themselves, it’s possible to make them secure by tweaking the infrastructure around them. Much like HTTPS secures your internet traffic, RBI can help secure your endpoint.


Related Reading

Related Terms

Nigel Willis
Group CTO

Nigel Willis is Ericom’s Group CTO for the EMEA region. He is CCSK-certified by the Cloud Security Alliance.