Slowly but surely, the web has mostly moved to secure HTTP, or HTTPS, as the default for browsing sites. However, there are still a couple of exceptions, especially when it comes to content downloaded via those supposedly secure sites. It’s not enough to mark sites as “secure”; the resources that come from them need to be secure as well. Next month, Mozilla will follow in Chrome’s footsteps and make Firefox block downloads on HTTPS pages that come from unsecured HTTP content.
The aggressive push to bring HTTPS to the forefront may have one unfortunate side-effect. Most people might mistake security for safety, presuming that everything on an HTTPS website is safe. Technically speaking, HTTPS only guarantees that the connection to the page is secured through encryption, but the content on or from the page can still be prey for hackers.
The danger is even greater when it involves downloaded content that doesn’t come from an equivalent HTTPS page. Dubbed “mixed content downloads,” these involve an HTTPS site creating an unsecured connection to an HTTP resource, negating the advantages of the secured website. Web browsers today normally warn users about visiting non-HTTPS sites but not about downloading from unsecured connections.
Google started making changes to Chrome last year, and Mozilla is going to follow suit. Starting with Firefox 92, due on September 7th, the web browser will block the download and warn users when they try to download something via HTTP while they are on an HTTPS page. Of course, it isn’t a hard block, and users can still choose to proceed with the download at their own risk.
As XDA points out, this new behavior only affects HTTP downloads on HTTPS pages. HTTP downloads on regular HTTP pages won’t trigger the warning. Additionally, pasting an HTTP download link directly into Firefox will let the download proceed as normal.
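For site operators who want to find affected links before their users hit the warning, here is an added example (not from Mozilla or the original article) that scans a page's HTML for links leaving an HTTPS page over plain HTTP. It assumes any such link is only a candidate, since whether a link ends up as a download depends on the server's response; the function names, sample HTML and `example.test` hosts are constructed for illustration.

```javascript
// Added example: list link targets that an HTTPS page requests over plain HTTP.
// Function names, sample HTML and host names are constructed for illustration.

// Collect href values from <a> tags. A regex is enough for an audit sketch;
// use a real HTML parser when crawling production pages.
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push(m[1] ?? m[2] ?? m[3]);
  }
  return hrefs;
}

// Return absolute URLs of links that leave an HTTPS page over plain HTTP.
function findMixedDownloadCandidates(pageUrl, html) {
  const page = new URL(pageUrl);
  // Per the article, HTTP downloads from HTTP pages do not trigger the warning.
  if (page.protocol !== "https:") return [];
  const flagged = [];
  for (const href of extractHrefs(html)) {
    let target;
    try {
      target = new URL(href, page); // resolves relative and //host/ forms
    } catch {
      continue; // skip hrefs that cannot be parsed as URLs
    }
    if (target.protocol === "http:") flagged.push(target.href);
  }
  return flagged;
}

// Constructed sample page body.
const sampleHtml = `
  <a href="/files/setup.exe">relative, inherits https</a>
  <a href="//cdn.example.test/tool.zip">protocol-relative, inherits https</a>
  <a href='http://downloads.example.test/app.dmg'>plain http</a>
  <a href=HTTP://mirror.example.test/app.msi>unquoted, upper-case scheme</a>
  <a href="mailto:admin@example.test">not an http target</a>
`;

console.log(findMixedDownloadCandidates("https://www.example.test/get", sampleHtml));
console.log(findMixedDownloadCandidates("http://www.example.test/get", sampleHtml));
```

Relative and protocol-relative links inherit the page's scheme, so only the two explicit `http://` targets are reported for the HTTPS page, and nothing is reported for the HTTP page.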