Add a flag to disable download warnings when Safe Browsing is OFF #28917
Comments
Interestingly if I ENABLE Safe Browsing the issue disappears. |
Has this changed in latest update then? This didn't happen on previous builds. |
@fmarier Update on repro: I've verified with Chrome Stable (110.0.5481.178 (Official Build) (32-bit)) and Canary (113.0.5635.0 (Official Build) canary (64-bit)). On a clean VM. If you set Safe browsing to No Protection the default is to prompt for Keep/Discard. That's the reason I noticed the change in behavior as I have both settings non default. |
Thanks for the extra details @RonnyTNL . The reason why this started to happen is that we've recently made it so that the same checks are applied to downloads regardless of the "Ask where to save each file" setting: #28079 So while in Chrome, you can suppress this behavior by:
in Brave, that's no longer possible because we want to err on the side of protecting from more threats. It's an unfortunate side-effect that disabling Safe Browsing means every |
Not sure |
@RonnyTNL If you don't mind me asking, would you be willing to share why you disabled Safe Browsing? There are a lot of misconceptions about it and we've tried to improve some of the privacy properties in Brave, but I'd be curious to hear what made you disable it if you're willing to share. |
Hi @fmarier First thing, there is a configuration option to disable something, then I expect that it does what it claims. Setting it to "No protection" means "From now on I'm responsible" in my idea, so it kind of defeats the purpose to keep prompting from my point of view. And I get that from a use case of an average user downloads an occasional binary. I research security related stuff, might want to run into an exploit, as we design anti-exploit protection, access stuff that Safe browsing prohibits, and download dozens of binaries a day, so in that case having to click on "Keep" gets rather annoying within a matter of minutes and frustrates my work, so I would really welcome some form of solution here (doesn't need to be UI, flag is fine) as long as I can disable this nag. So it has nothing to do with not trusting the Safe browsing, I have a completely different use-case. On a side-note, it seems there is still some part of the code that doesn't touch this "protection" |
I see. Thanks for the details on your use-case. I agree that it's pretty annoying for those who have legitimate reasons for disabling this protection. Now that I think more about it, I suspect that the warning might go away once #17616 is fixed. That's the component that determines whether or not a file is (very loosely) "executable" and many of the checks and warnings are tied to that.
You can email that to security@brave.com if you'd like. |
Update, on latest release this now has a nasty effect, the download bar on the bottom is gone, which leaves you without any visible clue as to that the download was not finished. (There is no keep/discard notification drawing attention) as the download now seems to use the download bubble, which leaves you with a fully downloaded file only in the tmp format (Unconfirmed 123456.crdownload). |
Thanks for the update @RonnyTNL . I also noticed others reporting this:
I think it's showing up enough in the wild that we need to address it. |
Some screenshots to illustrate the problem. This is Brave with Safe Browsing turned off treating all While this behavior can be worked-around in Chrome via the Ask where to save each file setting, if you disable Safe Browsing in Chrome, all As @RonnyTNL said, now that the download notification bar is gone in Brave, this is even less obvious and it just looks like the download is not working. In both Chrome and Brave, the downloads can be manually allowed by going into |
I also research CyberSecurity and am in the same position, I can sometimes download 100+ binaries per day, so in my case to have every download blocked until I click "keep" is ridiculous. "First thing, there is a configuration option to disable something, then I expect that it does what it claims." - This is also my view. Will we ever be able to completely disable again as we previously could? Seriously considering changing browser, can't put up with it much longer. |
Chiming in -- I'm setting up a new computer and, my word, on every single download I'm being told it's "dangerous" and have to open the download icon and click Keep. Notepad++ is dangerous now? VLC? Really? Because those are the prompts I'm getting. I'm old. I started programming in Apple ][ days and have been using Windows since before antivirus was a thing. I value Brave because it protects my privacy; I disabled Safe Browsing because I don't want or need anyone (even Brave) nannying me and yes, I am perfectly comfortable assuming any "risks" attendant on that decision. I'm not so stupid as to download files from illegitimate sources and if I do, that's my problem. Seriously, please make this stop. Like Upgrad3 last week, I'm considering finding alternatives to Brave for a daily driver because every. blessed. time. I have to tell it to Keep a file I just told it to download. Please stop trying to anticipate my security needs and let me decide. Thank you. |
@levicki I found the problem: #35561. It seems like there are only 6 file types that have the "DANGEROUS" danger level and @guest271314 The warnings are platform-specific and are defined in https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb, a file that's downloaded as part of the "File Type Policies" component you can see in |
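The per-platform danger-level lookup mentioned in the comment above, sketched as an added example (not code from Brave, Chromium or any commenter). The excerpt is constructed, its field layout is assumed to mirror the linked `download_file_types.asciipb`, and treating a missing `platform` as `PLATFORM_TYPE_ANY` is an assumption; `parse_file_types` and `flagged_on` are hypothetical helper names.

```python
# Constructed excerpt: layout assumed, ratings illustrative (not Chromium's real values).
SAMPLE = """
file_types {
  extension: "exe"
  platform_settings {
    platform: PLATFORM_TYPE_WINDOWS
    danger_level: ALLOW_ON_USER_GESTURE
  }
}
file_types {
  extension: "deb"
  platform_settings {
    platform: PLATFORM_TYPE_LINUX
    danger_level: ALLOW_ON_USER_GESTURE
  }
}
file_types {
  extension: "pdf"
  platform_settings {
    danger_level: NOT_DANGEROUS
  }
}
"""

def parse_file_types(text):
    """Return {extension: {platform: danger_level}} from text-proto lines."""
    result, stack, entry, setting = {}, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            if stack[-1] == "file_types":
                entry = {"settings": {}}
            elif stack[-1] == "platform_settings":
                setting = {"platform": "PLATFORM_TYPE_ANY"}  # assumed default
        elif line == "}":
            closed = stack.pop()
            if closed == "platform_settings" and entry is not None:
                entry["settings"][setting["platform"]] = setting.get("danger_level")
            elif closed == "file_types":
                result[entry.get("extension")] = entry["settings"]
                entry = None
        elif ":" in line and entry is not None and stack:
            key, _, value = line.partition(":")
            target = setting if stack[-1] == "platform_settings" else entry
            target[key.strip()] = value.strip().strip('"')
    return result

def flagged_on(parsed, platform):
    """Extensions whose effective rating on `platform` is not NOT_DANGEROUS."""
    rated = ((ext, s.get(platform, s.get("PLATFORM_TYPE_ANY")))
             for ext, s in parsed.items())
    return sorted((e, lvl) for e, lvl in rated
                  if lvl not in (None, "NOT_DANGEROUS"))
```

Running `flagged_on` over the component file actually installed in a browser profile shows which extensions carry a non-default rating on that platform, which is the list to compare against when a download is unexpectedly held.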
@fmarier Well, something ain't working as written out here https://source.chromium.org/chromium/chromium/src/+/main:components/safe_browsing/content/resources/download_file_types.asciipb;l=3439-3448. The user gesture is the click on the link (HTML element)
Chromium doesn't have anything in
That got me to thinking about policies, i.e.,
|
In Chromium, a danger level of
This fallback code probably applies then. Keep in mind though, I'm not a Chromium expert. I've only ever tested this in Brave. |
Setting the policy works on Chromium Version 123.0.6262.0 (Developer Build) (64-bit) - with Google Safe Browsing off. I experimented setting Chromium and Chrome policies previously some time ago chrome Pop-up blocker when to re-check after allowing page. Then I was using Chromium downloaded via PPA using This links to https://github.com/google/ChromeBrowserEnterprise/blob/main/docs/policy_examples/managed_policies.json which I downloaded and modified to
Verify the policy is loaded in chrome://policy Test downloading the 29f6a8b8-a3f0-4c8d-8dd6-973e59640a5b.webm |
@fmarier Thanks for looking into it, glad you could reproduce it. I think that having Moreover, Is there a chance you could provide at least a rough ETA for the fix to hit the release channel? |
I have a PR in review which should land in time for 1.64 (currently scheduled to hit stable on March 19th). |
Good to know. Out of curiosity, why not change As an experienced PC user, software developer, and system administrator I can't understand the rationale behind that rating. It's totally paranoid, and if we go that route why not mark While we are at it, maybe we should also mark In my opinion, blocking user-initiated downloads amounts to nothing more than a security theater. It's one thing to add a layer of security, and another to turn it into a major nuisance because when people are faced with an impediment 9 times out of 10 they will go out of their way to fully remove it and you will end up with the overall worse security posture than if you dialed the nuisance factor down a couple of notches. Prime example of this are password policies. Let's say you demand:
And then you set their work PCs to lock after 5 minutes of being idle. What do you think will 90% of people do if they have to type those passwords dozens of times in their 8 hour shift? They will simply use passwords like Sorry for the slight off-topic rant, but these things are like the pet peeve of mine. |
There really is no such thing as "security" for any signal communications. As of last century certain entities were analyzing 20 TB per second via ThinThread. PRISM, Apple "disclosing" they had an agreement with the U.S. Government to not disclose to users agreements between that concern and the U.S. Government re user data, et al. |
That list is maintained by the Google Safe Browsing team and we use it without modifications in Brave (proxied of course). It's not currently something we have had the need to fork in Brave yet. |
Thanks for providing one more annoyance that we can't get rid of. I don't need you or google to hold my hand. My av can handle anything that's downloaded. This browser is becoming more and more frustrating for people who don't need YOU to decide what WE want to do on our own personal computers. |
Here's why THIS FEATURE FUC*ING SUCKS Yesterday I was at a customer's office dealing with an emergency Network Down situation. The firewall's flash memory had become corrupt and I had to access it using a console cable in a very difficult to reach location. It was a tense moment but I got it repaired. Our policy is to save copies of the running config for these types of situations. So I clicked the "download config" button, saw the download complete (or so I thought), climbed down from the ladder, packed up my bag and left. This morning, went to upload the config to our server for safekeeping and saw the file never made it to my disk. It was blocked & canceled because it was "insecure". THANKS GOOGLE. |
FWIW This might be the place to lodge your feedback on the record for download warnings Q4 2023 Summary from Chrome Security. |
@digitaldreamer7 @luckman212 Guys you are barking up the wrong tree here. Being abusive towards Brave devs doesn't really help — you are antagonizing the only people who can actually help us by making a browser which doesn't fully follow Google's (and Chromium's) bullshit policies like this one. In case you didn't read the full thread and just came to vent your anger here is a short summary:
So, if you are using Brave, you just need to be a bit patient. Thanking Brave devs for honoring a feature request and putting in the extra work to override the default Chromium behavior in order to allow us to disable download blocking wouldn't hurt either. |
Sorry - my frustration wasn't towards Brave or the devs who are working towards finding a good solution to this. Yes I was venting a bit—towards Google—because it was being discussed. I meant no disrespect. |
I as the owner of my own computer and as an IT professional of 15+ years, am not allowed to download a freaking PDF FILE without being harassed every time! Because for some INSANE reason even on an HTTPS website, it's deemed "insecure". Besides shouldn't the word in this case be UNSECURE? I don't quite think my .pdf file suffers from crippling depression or some other kind of imposter syndrome... But yes, apparently being allowed to completely and totally disable garbage like this, is just not possible on the Chrome ecosystem. Wow. One step closer to a free and open internet aye folks? Make no mistake, I have nothing against the Brave devs and I otherwise love this browser. Yet at the ass end of 2024, not having a way to disable this kind of thing is just plain Orwellian at this stage. |
Please, on behalf of all of us. WHEN WE TURN THIS OFF, TURN IT OFF FOR REAL. |
Enough people here have tried the "nice" route. EDGE at this point is less restrictive and more user friendly out of the box than brave.... EDGE... Again, We don't need hand holding |
I don't think UNSECURE is an official word. INSECURE just means not sure, not certain, or not adequately protected. The word itself isn't intrinsically tied to someone's mental state anymore than the word blue is. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Straight from the Oxford dictionary my friend Here's insecure FYI, this bit was more tongue-in-cheek but after getting bombarded with this popup whenever I try to download handfuls of .pdf files, I felt compelled to have a stab at how stupid the wording is on top of everything else. Another amazing find today. I'm able to download multiple .exe files from an HTTP unsecure connection that is served through an app on my phone, giving me access to my phone's storage. Without being prompted that these .exe files could be dangerous. So...
Wow yeah... this is definitely working as intended. It's absolutely time to do away with this garbage "feature" that seems to do absolutely nothing good. There probably hasn't been a single person that this has actually helped. Everyone just clicks "Keep" anyway. At the very least let us turn this off, even if you have to break the Chromium base apart with a crowbar to do it. If you can bake a crypto wallet, torrent downloader and AI assistant into Brave, please get rid of this stupid popup. |
Given that you are such a professional, are you absolutely sure it's HTTPS? What does it say for this file for example? https://us.download.nvidia.com/Windows/561.09/561.09-win11-win10-release-notes.pdf I have Safe Browsing disabled and for me this PDF is not being blocked by Brave.
Unsecure isn't a word despite what that Google AI generated dictionary excerpt based on AI generated Google SEO gaming fluff being indexed is telling you. Insecure on the other hand quite literally means "not safe" in Latin so if anything, you can argue for it to be replaced by "unsafe" if you are such a word purist.
Straight from the lying LLM mouth my friend:
Then stop using Brave and use Edge instead of harassing people here. |
That's an AI generated blurb and AI hallucinates BS all the time. There's quite a number of articles debating "insecure vs unsecure" in Google search results — they are probably skewing the answer by giving the "unsecure" word some statistical validity in ranking. TL;DR — see the screenshot I posted from ollama3.1 model above, it first claims unsecure is a word, then when I confront the answer it admits it's not a word according to dictionary. Likely the training data was poisoned (or better said, it wasn't vetted for correctness). |
Maybe we should get back to focusing less vocabulary wanking and more trying to determine how we can make it so that the browser isn't stepping on me when I try to download a .deb package on my linux box, after I explicitly told I don't want it to protect me. |
Just use an extension, policies, and/or Native Messaging and be done with the matter. Then you don't have to ask maintainers to do or not do anything. You implement the strategy yourself. |
While Chromium is arbitrarily popping up download warnings Who asked for that? Chromium decided to download How about block "AI" marketing on every surface known to humankind? Too funny. |
Guys we have a couple of options to making this a reality, and also
changing other things that we want. It's obvious that Brave won't do it
themselves.
I know a bit of coding, and there are people I'm sure reading these
comments that also know coding. Who is interested in joining a group of
people who know at least some coding and can build an extension or fork? We
have 2 options, #2 is likely what we will have to do, but maybe not. We can
put together a Discord group and review options together and decide.
1. Build an extension that overrides this default behavior. A flag or
option created/modified by an extension should be fine. Manifest v3 will
break this, and I don't know if v2 will allow, haven't researched it yet.
2. If an extension won't work, maybe a patcher, or our own Brave builds.
GitHub automatic build actions ***SHOULD*** be able to ***automatically*** build
a Brave, and we can replace the updater to point to our repo. Isn't Brave
completely open source buildable by anyone? The heart and inspiration of
the Chromium project insists that all forks are automatically buildable and
automatic GitHub actions should not break on code changes.
As long as Brave follows this rule then we should be able to create
automatic builds that run every time Brave makes changes, or on a weekly
basis, with instant builds on high priority security patches. It can build
automatically in GitHub Ubuntu containers for any architecture and it's
**free**. If anyone is interested and knows anything about coding, then
let's get together and do this!
…On Fri, Oct 4, 2024, 6:58 PM guest271314 ***@***.***> wrote:
While Chromium is arbitrarily popping up download warnings AI is now
shipped in Chromium Version 131.0.6746.0 (Developer Build) (64-bit),
defined on the global object.
Who asked for that? Chromium decided to download AI for you...
How about block "AI" marketing on every surface known to humankind?
Too funny.
|
@MNLierman I already created such a Web extension and shared it here #28917 (comment). Specifically for downloading and creating directories without any prompts or user-activation permissions requests. Somebody marked it as off-topic. MV3 is not a challenge to bend to the will of the programmer. |
Description
Downloading .exe files now prompts for every file "This type of file can harm your computer" dialog (keep/discard).
Safe browsing is set to "No protection"
Steps to Reproduce
Download any .exe file from whichever site
Actual result:
As safe browsing is set to disabled AND this did not happen in the past something has either changed or is broken.
Expected result:
File should have been downloaded without being interrupted by the Keep/Discard dialog.
Reproduces how often:
100% over multiple machines
Brave version (brave://version info)
1.48.171 Chromium: 110.0.5481.177 (Official Build) (64-bit)
Version/Channel Information:
N/A
Yes
Other Additional Information:
No, does not reproduce in Chrome.
Miscellaneous Information: