by chainsaw10 2623 days ago
From my reading, it looks like they're considering this only for non-HTTPS downloads initiated from an HTTPS page.

Relevant quotes:

> ... we will likely start by treating certain high-risk downloads initiated from secure contexts as active mixed content and block them.

> We're not planning to focus on non-secure downloads initiated from non-secure contexts at the moment, because users at least see the "Not Secure" omnibox badge on those pages.


Clever. This means users won't be able to easily download software from websites not plugged into the CA tree. One more step towards eradicating the ability of people to independently host websites altogether.

Increasingly, I see that the web no longer fulfills any of its original goals. On the other hand, if I look at it as a software delivery/execution platform I see a horrible mess that could have been designed a zillion times better if that was the goal to begin with.

Couldn't you add additional certificate authorities to your browser at will?

The CA system is decentralized by nature. If the existing authorities start trying to manipulate your internet by controlling who they verify, which hasn't really happened that I'm aware of, you can always add a new root certificate. Or consumer browsers can offer new CA roots out of box.

The point isn't what you can do as a user. The point is that Google adds more and more hurdles to running a website without plugging into the CA chain.

The CA chain is centralized. Plus, it requires you to have a domain name. DNS is also centralized (although to a somewhat lesser extent).

Effectively, we're seeing yet another step in hyper-centralization of the web.

How many websites that you actually use don't have a domain name?

Also, as above, there is no one root CA. You can add and remove any CA from your system. Most users don't, because why would you trust a random CA from some random site?

What's the actual problem here?

That I do not want some third party's permission to make my site and desktop applications available to everyone.

Not the one you asked, but I have the same issues with the certificate mafia.

Getting modern browsers to accept your CA is a huge pain, different per browser and OS, and barely anyone will do it.

The moment anyone starts a community CA for this they'll just blacklist it.

Are you implying there aren't a lot of CAs to choose between?

How would you design it a "zillion times better"?

That's not how I read it. The non-secure download from a secure page is their starting point. The end goal is to block all insecure downloads of high-risk types.
Is it possible to disallow all non-secure (non-HTTPS) requests in Chrome?
The EFF's HTTPS Everywhere extension works well; you need to set it to block if it can't upgrade the connection to TLS.
Great concept but the plugin is an absolute memory hog, and they've been unable to fix it.

They closed the old bug for no real reason:

https://github.com/EFForg/https-everywhere/issues/1775

Then let the new bug rot:

https://github.com/EFForg/https-everywhere/issues/12232

They've now started deleting new comments on the new bug. I'm just not using it anymore.

The DuckDuckGo Privacy Essentials¹ extension is a great alternative that I switched to.

¹ https://chrome.google.com/webstore/detail/duckduckgo-privacy...

The easiest way to do that is to use your OS-provided firewall to block all outgoing HTTP requests from Chrome and only allow HTTPS.
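As an added example (not from the thread or from any of its participants), here is one way to express that firewall approach on Linux with iptables. It assumes Chrome is launched under a dedicated user account (the name `chrome` below is a hypothetical placeholder) and that the `owner` match module is available; the rules are generated as text so they can be reviewed before being applied as root. The caveat a practitioner should keep in mind: this matches by port, not by protocol, so plain HTTP served on a non-standard port is not blocked, and TLS served on port 80 would be rejected.

```shell
#!/bin/sh
# Added example: per-user "HTTPS only" egress policy for a browser.
# Assumes Linux, iptables with the owner match, and that Chrome runs
# as the user passed in (hypothetical default name: chrome).

chrome_http_rules() {
    user="$1"
    chain="CHROME_HTTPS_ONLY"
    # Dedicated chain so the policy can be flushed or removed as a unit.
    echo "iptables -N $chain"
    # Allow TLS on 443: TCP, plus UDP for QUIC.
    echo "iptables -A $chain -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A $chain -p udp --dport 443 -j ACCEPT"
    # Reject plain HTTP with a RST so the browser fails fast instead of hanging.
    # Caveat: this is a port match; HTTP on other ports is not caught.
    echo "iptables -A $chain -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
    # Everything else (DNS etc.) falls through to the existing OUTPUT policy.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
}

# Self-check helper: how many generated rules reject port 80 (expected: 1).
count_http_rejects() {
    chrome_http_rules "$1" | grep -c -- '--dport 80 .*-j REJECT'
}

# Usage: ./script.sh [--apply] [user]
# Without --apply (or without root) the rules are only printed for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    chrome_http_rules "${2:-chrome}" | sh -e
else
    chrome_http_rules "${2:-chrome}"
fi
```

Run it once without `--apply` to inspect the rules, then as root with `--apply`. Because the match is on the process owner's uid, the policy only takes effect if Chrome really is started as that user; any other process on the machine keeps its normal egress.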
That's how I read it as well. Boiling the frogs.
I agree with your reading. I've flagged this post as the title is misleading.