Google proposes blocking HTTP downloads of certain file types when they are linked from HTTPS pages

Google has suggested that browser vendors block downloads of dangerous file types when the page linking to the download was loaded over HTTPS but the download itself is fetched unencrypted over HTTP.

The problem is that a download gives no security indication of its own: the file simply downloads in the background. When such a download is started from a page loaded over HTTP, the user has already been warned in the address bar that the site is insecure. But if the site was loaded over HTTPS, the address bar shows the secure-connection indicator, and the user may get the false impression that a download fetched over HTTP is equally secure, even though its contents can be substituted in transit by an attacker.

It is proposed to block files with extensions exe, dmg, crx (Chrome extensions), zip, gzip, rar, tar, bzip and other popular archive formats that are considered particularly risky and commonly used to spread malware. Google plans to add the proposed block only to the desktop version of Chrome, as Chrome for Android has already implemented blocking downloads of suspicious APKs via Safe Browsing.
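To see what the proposed rule would catch, the following added example (not code from Google, Chromium or opennet.ru) audits the HTML of an HTTPS page for links that would be blocked: an `http://` download whose file extension is in the risky list. The extension set and the sample page are constructed assumptions based on the types named above; a real browser also sees the server's Content-Type and Content-Disposition, which a static link scan does not.

```python
"""Find links on an HTTPS page that would trigger the proposed mixed-content
download block (added example; constructed data, not Chromium's own rule)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the article's "exe, dmg, crx, zip, gzip, rar, tar, bzip" mapped to
# the extensions these formats actually use on disk.
RISKY_EXTENSIONS = frozenset(
    {"exe", "dmg", "crx", "zip", "gz", "gzip", "tgz", "rar", "tar", "bz2", "bzip"})


def risky_extension(url: str):
    """Return the risky extension of the URL's final path segment, else None."""
    name = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1].lower()
    if "." not in name:          # e.g. /download (no extension): not decidable statically
        return None
    ext = name.rsplit(".", 1)[-1]  # archive.tar.gz -> "gz"
    return ext if ext in RISKY_EXTENSIONS else None


def is_mixed_content_download(page_url: str, href: str) -> bool:
    """True when an https:// page links to an http:// download of a risky type.
    Relative and protocol-relative hrefs inherit the page's scheme, so they pass."""
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, href))   # urlsplit lower-cases the scheme
    return (page.scheme == "https" and target.scheme == "http"
            and risky_extension(target.geturl()) is not None)


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_mixed_downloads(page_url: str, html: str):
    """Return the absolute URLs on the page that the proposed rule would block."""
    parser = _LinkCollector()
    parser.feed(html)
    return [urljoin(page_url, h) for h in parser.hrefs
            if is_mixed_content_download(page_url, h)]


# Constructed sample page: a download page served over HTTPS.
SAMPLE_PAGE_URL = "https://example.test/downloads/"
SAMPLE_HTML = """
<a href="http://mirror.example.test/app/setup.exe">Windows</a>
<a href="/files/app.dmg">macOS</a>
<a href="http://mirror.example.test/app/src.tar.gz?rev=3">Source</a>
<a href="http://mirror.example.test/docs/manual.pdf">Manual</a>
<a href="//mirror.example.test/app/app.zip">Zip</a>
"""
```

Running `find_mixed_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML)` flags only the `setup.exe` and `src.tar.gz` links: the `.dmg` and `.zip` links resolve to HTTPS, and the PDF is not in the risky list.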

Mozilla representatives received the proposal with interest and expressed their willingness to move in this direction, but proposed first collecting more detailed statistics on the possible negative impact on existing download systems. For example, some companies serve downloads over plain HTTP from HTTPS sites, relying on digital signatures on the files to remove the threat of compromise.

Source: opennet.ru
