Google Chrome now warns about risky password-protected archives
Google Chrome now warns when downloading risky password-protected files and provides improved alerts with more information about potentially malicious downloaded files.
These new, more detailed warning messages help users quickly learn the nature of the danger presented by each file downloaded from the Internet.
For this, Google introduced a two-tier download warning system that uses AI-powered malware verdicts sourced from its Safe Browsing service to help evaluate the actual risk quickly.
Users will now see warnings alerting them of suspicious files (based on lower confidence verdicts and unknown risk of user harm) or dangerous files (on high confidence verdicts and high risk of user harm).
“These two tiers of warnings are distinguished by iconography, color, and text, to make it easy for users to quickly and confidently make the best choice for themselves based on the nature of the danger and Safe Browsing’s level of certainty,” the Chrome Security team explains.
“Overall, these improvements in clarity and consistency have resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads.”
The Chrome browser now also sends suspicious files to the company’s servers for a deeper scan for users with Enhanced Protection mode enabled in Safe Browsing, providing extra protection while “reducing user friction.”
When downloading password-protected archives (e.g., zip, .7z, or .rar), users with Enhanced Protection toggled get prompted to enter the password before sending the file for additional scanning via Google’s Safe Browsing service.
The company says that files and file passwords uploaded to its servers will be deleted promptly after scanning, and all collected data will be used only to boost download protection for all Chrome users.
Those who use Chrome in Standard Protection mode will also be asked to enter the passwords of the downloaded archives. However, both the file and the password stay on the local device, and “only the metadata of the archive contents are checked with Safe Browsing,” the Chrome Security team says.
“As such, in this mode, users are still protected as long as Safe Browsing had previously seen and categorized the malware.”
However, despite these assurances, many companies will likely not take Google’s word for granted and train employees not to provide Chrome with a password for password-protected archives containing corporate data, in order to prevent potential data leaks.
Today’s announcement comes after Google redesigned the Chrome download experience in August to display alerts in the web browser’s address bar and expanded browser warnings and notifications to accommodate extra information.