Chrome blocking and marking digital downloads as dangerous

[DCDR]

Hello All!!

I hope you all are well and safe today. Just yesterday I started receiving an error message on my digital download when using Chrome stating it was dangerous and blocked. It had been working fine for months up until then. I have deleted and re uploaded the file many different times in many different ways Changing the tile, combing the zip file into one pdf, etc.). It's a pdf zip file. I'm sure you can imagine how negatively that would impact our business if customers paid for and couldn't open the file. Thankfully we caught the error and have just removed the file until the issue is fixed. I appreciate your help in this matter. Squarespace has only stated it's an issue on my end, but it happens on multiple computers from different people and only on Chrome. If it is an issue on our end, why did it suddenly just start? At any rate, I don't care who is at fault, I'd just like a solution if anyone has one. I've tired renaming the file using underscore as seen in a June 2022 https://forum.squarespace.com/topic/221140-please-help-zip-files-purchased-from-our-store-are-unreadable/ post thread, but without success. Thank you all so much!!

[rejamison]

+1, I've just encountered this issue as well after someone purchased a digital download which was packaged as a ZIP file from my site.  

[sussexseamstress0603]

Same issue here - got multiple customers today saying that zip file downloads are being flagged as dangerous and they can't download them! What a nightmare! Is this something Squarespace has done? Literally started happening today, been fine for years.

[sussexseamstress0603]

Same issue here - got multiple customers today saying that zip file downloads are being flagged as dangerous and they can't download them! What a nightmare! Is this something Squarespace has done?

[creedon]

I would say this is a client side issue. If this is all happening on Chrome recently. I suggest a recent update to Chrome with a more cautious stance on Zip files. Zip files are a large vector for viruses, malware, and etc.

People willy nilly download zip files, extract the contents and execute the code inside, having no idea what they are doing and just because someone on the internet told them to. It is a big problem. You can't blame the web browser for being more obvious about potentially dangerous files.

If this is a new browser behaviour you will need to educate your users on how to deal with this erroneous warning message and how to get around it.

[creedon]

Now that you (royal) mention this behaviour. I seem to recall Chrome did rejigger their download behaviour in the browser recently. That new download inbox icon on the toolbar as opposed to the previous UI. There were also some changes to the security settings also.

[sussexseamstress0603]

I appreciate you responding, but there is no way we can run a business like that! If ran a sandwich shop and every time someone bought a sandwich the packaging locked and told the customer they might get food poisoning, I don't think me having to educate them that it's really fine and to just bypass the warning is going to get me good business or a good reputation, and I'll have to deal with that on almost every sale since chrome is by far the most popular web browser. I'm having customers genuinely say WTF? and assuming we're some shady, unsafe website. It's only a matter of time before we start getting customer reviews mentioning this!

Given that squarespace only let's us sell a single digital file, we have no choice but to compress multiple files into an archive, and zip is by far most accessible & popular archive format. If they allowed us to upload multiple files (with an total sum filesize limit) then this would resolve the problem as we wouldn't need to use zip files at all (this is what Etsy does, for example) - this would be by far the best solution, already we have some customers don't know what a zip file is either and this causes customer support issues by itself. 

I don't know if other archival formats (.rar etc) will trigger similar warnings, but those are far less well known and less widely supported without having the end user download addition software to un-archive them, which isn't really acceptable for a business either.

[sussexseamstress0603]

A temp "solution" for fellow business owners having this problem:

The best solution I can come up with for this is to edit the download notification email that customers receive when purchasing a digital file and adding a "Google Chrome Users - Please Read" section that notes that this warning can appear when using chrome, telling them how to bypass it, and trying to re-assure them that our downloads are safe, and that this warning does not mean that any kind of virus or threat has actually been detected.

Just sharing this in case it helps anyone else. I also added a section to our FAQs covering the same thing.

Not everyone will read these notes but hopefully some customers will catch them and it will reduce customer support calls to some extent. This would be far less of a problem if chrome's messaging around what is basically an "are you sure?" warning didn't sound so apocalyptic.

[DCDR]

Wow, it's good to know it's not just me, but sad to know that we are all experiencing this issue. I agree that having a download flagged as dangerous isn't good for business as @sussexseamstress0603  stated and that we shouldn't have to do that. I also agree that Squarespace should let us upload more than one file per download. While I appreciate @creedon input, we can't blame customer behavior (although mindful downloading should be a thing). I've shared this issue with Squarespace and hope they will take our plight seriously...although history doesn't support that happening, I can still hope!! As for the instruction/warning @sussexseamstress0603  mentioned, I'd added that message to the download page, but even I thought if I saw that on a website, I'd think twice about purchasing. It just sound shady. 

 

[DCDR]

Response from Squarespace: 

Deb L. (Squarespace) Hello again,   I just wanted to follow up and confirm that this is an issue on Chrome's end after further investigation. Google has intensified security measures for .zip files downloaded through Chrome. This move isn't specific to Squarespace or your store but is rather a blanket security measure. Google aims to protect its users from potential threats, and given the prevalence of malicious entities using .zip formats to distribute malware, it appears they've chosen to flag all such files as a precaution. It is a fairly recent development and, sadly, is outside of our control.   While it can be frustrating for legitimate sellers like yourself, it's essential to understand that this is a generic warning and not a reflection of the content you provide or the integrity of our platform. We recommend reassuring your customers about the safety of your downloads and encouraging them to use updated security software on their end for further confidence.   As an alternative, you can consider using a different format. For example, instead of using a zip use a pdf instead. That .pdf could then contain a link to the actual file. I understand this is not an ideal solution, but it is one possible solution with this Chrome change.   Let me know if you have any further questions, Deb L.

[sussexseamstress0603]

Thanks so much for sharing that response from Squarespace @DCDR. While I understand their suggestion of using PDF instead - that isn't an option if you need to sell multiple files (as we do). Also, it's a very temporary measure, as since the original post I've learned that the roadmap for files that Chrome will be blocking in this way in scheduled to include PDF's in the next update. Eventually it's even going to include formats like PNG! So it's just a matter of time before almost all file downloads are blocked by default, making life much more difficult for legitimate sellers of digital products.

While I understand the need for protecting users, the current messaging around this from Google is the equivalent of "don't cross the road - you might die!". Everything in life has risks, and I feel the messaging & behaviour at the moment is way too fear mongering, rather than encouraging users to make an informed choice.

Although I'm sure you'll be able to download anything you like from the Google Play Store without any warnings at all.

[kirkroberts]

I had a colleague report today that they couldn't download a .zip file from the Squarespace site we are working on, but they could download a .zip file from Canva. Both with Google Chrome. So maybe there is something to the idea that there is an issue that Squarespace can make better.

I think the dire warning from Chrome is bad, but even worse is that there is no apparent way to see the warning and then go through with the download anyway (e.g. the "proceed anyway" button you might see when a webpage is deemed insecure). Expecting customers to turn off their security setting or use another browser is a non-starter. Big problem.

I think the solution we're going to go with is combining the two PDFs we had zipped into one PDF for download. Not bad in our case, but obviously won't work for everybody.

Edited August 18, 2023 by kirkroberts

[sussexseamstress0603]

Thanks for that info - I've heard similar things that some zip's/sites seem to get through the block and others don't. Squarespace are just giving the "not our problem" response, which although to some extent true, is a bit much considering they are hosting a platform that sells digital retail systems to its customers and these issues directly and negatively affect the customer facing operation of those systems.

We're very much on our own, which is a disappointing response as you'd hope that all us small businesses would greatly benefit from Squarespace having our back on this & at least engaging with Google about potential solutions.

I also have an Etsy site, and many of those products are also zipped PDF collections (since although Etsy allows multiple file uploads, it still limits them to 5 - we often need a few more as we offer the product in multiple formats, have instruction manuals, etc. but I'm sure 5 is fine for most sellers), but I've not YET had any customers encountering the same issue with that site. I posted a heads-up warning that this might start happening on the Etsy forums, but as yet no-one has reported this there, so I'm guessing that somehow Etsy doesn't seem to be being effected. (Is there some secret white-listing going on? I'd wager that digital Amazon products won't get hit like this).

Weirdly I've not been able to replicate this blocking on Squarespace myself. I ensured Chrome was updated to the latest version, on both PC and Mac, and was able to purchase a zip file from my Squarespace site with no problems. So that's a thing. It all seems very random who is affected right now.

Google have been extremely poor at communicating these changes that will have a major negative impact on digital product sellers, and it's unclear to me that they've offered any solution to the problems it causes, e.g. by recommending some alternative "safe" file type, or some way of getting files signed as safe (app-store like), or whatever. 

BTW: It is actually possible to get chrome to download the file without switching off safe browsing, but as you say, they don't give the impression that this is possible or offer the option in an easily accessible way. You have to go to the downloads list, and from there there is an option to "keep dangerous file" (yeah, it's really called that). This is the instructions we have to give buyers at the moment, which sounds just great, doesn't it? 

I'm having to manually send some files to customers via email, because they don't want or don't understand how to get around the blocking behaviour. They are of course receiving the exact same file via email, it just doesn't require them to skip a security warning. 

Worth noting that I had one customer encounter this download blocking behaviour, and when I directed them to the instructions for Chrome, they informed me they used Firefox... so that's interesting. I know a lot of browsers are based on Chrome, but didn't expect to start seeing this behaviour spread to other browsers (if that's what's happening - I've no idea)

Edited August 19, 2023 by sussexseamstress0603

[kirkroberts]

@sussexseamstress0603 I am probably going to be repeating things you've said or already know, but just in case...

Your ability to download .zip files from a Squarespace site through Google Chrome may be because you have somehow set the permissions for that site to Allow "insecure downloads" in Chrome's settings.

I totally agree it's frustrating when Squarespace (or any company/person) points the finger and says "not our fault", contrary to evidence out there.

For anyone hit by this issue you might consider uploading your files as if they are Links (just to get them into the file system) and then make a PDF with links to the "real" files. The PDF is the single file "product" you are selling and they are downloading. The customer then clicks on the links in the downloaded PDF to get the individual files. It's a workaround, for sure. Much better than having a "dangerous file" warning and all the problems and support headaches that come with it.

[HBear]

Hi

I'd really like to hear any solutions or workarounds to this. Thanks

I sell powerpoints and notes (pdfs) zipped in a file together as a single product. They have to be zipped to be uploaded to get under the squarespace limit.

I have about 150 products, so this change has wrecked the business overnight. I have put a message on the email that the download links get sent out in and when customers reply I am sending them the same .zip files via WeTransfer which seems to work fine for everyone. I sell to schools in the UK and they go back after the summer break in about a week - unless I find a solution before them I won't be able to keep up.

If anyone from Squarespace sees this I'd appreciate some advice other than the above response.

M

[paul2009]

On 8/11/2023 at 5:35 PM, DCDR said:

Just yesterday I started receiving an error message on my digital download when using Chrome stating it was dangerous and blocked. It had been working fine for months up until then.

On 8/11/2023 at 9:20 PM, sussexseamstress0603 said:

Same issue here - got multiple customers today saying that zip file downloads are being flagged as dangerous and they can't download them!

This doesn't sound like a great situation.

I don't have a solution for you, but I'm keen to understand more about when it is happening. If the root cause can be established, it will be easier to resolve - before it potentially affects everyone. It would be great to gather more information 🙂. For example, have you tested this with other zip files? Are you able to share links to files that trigger the download blocking feature?

The download blocking feature has been in Chrome for more than 18 months so I'd have expected to see this issue sooner if it were the sole cause. If the same products were being downloaded fine in June and July then, as @creedon suggested above, something must have changed, somewhere. I have no idea what that something is!

I know this isn't much help, but I have not experienced any issues downloading digital downloads from Squarespace yet, either using the button the Order Status page (that appears immediately after checkout) or using the download link that is included in the "Order....is ready" email notification.

Edited August 24, 2023 by paul2009

[bbh]

This is an incredibly unfortunate change that Google Chrome has made. Compounded by the fact that Squarespace seems to be taking a shrugging hands-off approach. So far I found the following things:

1. When I do "keep dangerous file" and force download the zip file from my test Squarespace digital goods emails and then add the very same zip file as an attachment to an email and send it to myself, Chrome lets me download the very same file without issue. But only because it is an "attachment" versus a zip file download link.

2. On this Squarespace support webpage for Digital Goods: https://support.squarespace.com/hc/en-us/articles/206540787-Digital-download-products Squarespace specifically told users to create ZIP files together because they do not allow multiple files per digital good product. Flipping their script now and telling us to put links in a PDF is a cop-out. I have over 700 items in my shop. By the time I switched them all over to a pdf with links in it, google will be preventing PDF downloads as well.

3. The attached screenshot shows that is indeed true, Chrome is not done yet, if users haven't already started receiving the same "blocked, dangerous" errors for downloading PDFs, they will soon. So the fact that Deb L. at Squarespace is suggesting users "just switch over to PDFs with links" is a sloppy workaround that is intended to generate busy work for us Sellers and gives them a way to skirt troubleshooting this issue, NOW.

4. This chromium blog post: https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?sjid=7166076896013057686-NA explains further what changes are being made. Since we are just Sellers and have zero ability to control Squarespace code, SQUARESPACE needs to work with Chrome developers to fix this for all Sellers on their platform. 

In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org. 

Posted by Joe DeBlasio, Chrome Security team

5. This link: https://support.google.com/chrome/answer/6261569 explains why downloads are being blocked and it is not all websites, just certain sites are being prevented from downloading zips. I can download random zips from other random sites but not my own Squarespace store. This can be solved and Squarespace has to do it.  This is a snippet that explains why some zip downloads are being blocked by Chrome.

Why the download was blocked. Your file download may be blocked for one of a few reasons:
We think it might be a malicious, unwanted, uncommon, or insecure file.
Malicious: You tried to download malware.
Unwanted: You tried to download a deceptive piece of software. This program, disguised as a helpful download, may actually make unexpected changes to your computer or device.
Uncommon: You tried to download an unfamiliar and potentially dangerous piece of software.
Insecure: You tried to download a file or program that wasn't secure but was started on a secure page. In some cases, you can choose to download anyway.

We've found that the website you tried to download the file from has been known to distribute malware

SIMPLY PUT, SQUARESPACE NEEDS TO BETTER. THIS IS AFFECTING THE LIVELYHOOD OF MANY SELLERS WHO PAY HANDSOMELY FOR SQUARESPACE SERVICES.

SQUARESPACE STEP UP, they are the only ones that can fix this for all of us digital goods sellers.

Contact Squarespace directly HERE: https://support.squarespace.com/hc/en-us/requests/new

Contact Chrome Developers HERE: security-dev@chromium.org 

Edited August 25, 2023 by bbh
adding reason squarespace needs to address this issue.

[paul2009]

27 minutes ago, bbh said:

By the time I switched them all over to a pdf with links in it, google will be preventing PDF downloads as well.

3. The attached screenshot shows that is indeed true, Chrome is not done yet, if users haven't already started receiving the same "blocked, dangerous" errors for downloading PDFs, they will soon.

The articles that you’ve linked aren’t applicable to this situation. At least not unless there’s a fault with the Squarespace server causing it to stop using SSL. They all refer to ‘insecure content’ - content downloaded over HTTP, not HTTPS.  Your Squarespace site should be downloading securely (using HTTPS) and so this documentation from 2020 doesn’t apply here.

Edited August 25, 2023 by paul2009

[bbh]

26 minutes ago, paul2009 said:

The articles that you’ve linked aren’t applicable to this situation. At least not unless there’s a fault with the Squarespace server causing it to stop using SSL. They all refer to ‘insecure content’ - content downloaded over HTTP, not HTTPS.  Your Squarespace site should be downloading securely (using HTTPS) and so this documentation from 2020 doesn’t apply here.

Paul, I don't know what is going on here. I am no expert, I am simply gathering the bits of data I found on the web about this issue and there is not much. I am grasping at straws trying to figure out why I have tons of customers all of a sudden emailing me and telling me that my files are "blocked and dangerous." Yes I actually did verify that I am using SSL in my Squarespace settings and my links seem to be generated from an HTTPS source but what if there is something else going on here behind the scenes with the way google is classifying mine and other Squarespace users websites all of a sudden? I didn't change anything on my end. This is something that changed in Chrome, something that Squarespace needs to solve for us paying customers.

Software also doesn't roll out as fast as a company may claim they want it to, nor do users update software in a timely fashion. Those reasons combined are probably why we are just NOW seeing the effects of software timed for a 2020 launch. 

Why can I download a random zip from this link: https://www.learningcontainer.com/sample-zip-files/ 

but not my own Squarespace website where my downloads have worked wonderfully for YEARS until this month?

Sure it might be a chrome thing but that doesn't take away the very important fact that Squarespace needs to address this issue instead of brushing off users with "oh just go make pdfs of all your links for all your products" THAT is NOT a solution.

Edited August 25, 2023 by bbh

[sussexseamstress0603]

Hey BBH. Thanks for putting all the research together in to one post. Maybe if enough people raise this issue on the support channels, something will get done, but I'm not holding my breath.

On the gmail issue - I think the reason that users don't get security warnings when downloading via gmail is that gmail actually scans attachments for malware. (Certainly on my laptop I see a message reading "Scanned by Gmail"), so if it passes this scan I think it is assumed safe. Although this in some ways suggests a work-around (rather than Squarespace giving people download links, just attach the files to the order confirmation email), I'm guessing (lots of guessing going on here), that email attachment size restrictions could be a problem?

Chrome doesn't do any scanning as far as I'm aware (maybe that's not possible?), so it just throws up it's hands and blocks anything that COULD be malware, which is where our digital products come in.

Given how widespread the types of files that will be blocked is going to be, I find it hard to believe that major digital marketplaces/retailers are going to be hit with this, so there must be some way of avoiding it.

For me, this is "security" taken too far. A lot of our customers are older (40+) people, and even now I have customers who refuse to click on ANY LINK at all, because they are terrified of getting a virus or being hacked or whatever. It's like they're afraid of leaving the house in case they get mugged. 

Obviously people need to be careful, and even the most savvy of us can get caught out by a clever scam, but blocking almost every file on the internet & issuing dire warnings - just in case - is a sledgehammer response to the problem.

Edited August 27, 2023 by sussexseamstress0603

[DCDR]

Hi all,

Wow, this thread has been on fire since I last checked in!! @sussexseamstress0603 I agree that the workaround is not ideal, a bit over the top by Chrome re:security, and neither is the response from Squarespace acceptable. For those who would like a "solution", what I did was upload my files to Google Drive, and put a clickable link in a PDF, with a detailed explanation for those who are weary or aren't tech savvy, that will allow my customers will get to access the files. I also tell them to contact me if they have a question and I'll just send it to them (not very productive time wise, but, ok). I also send out an email before they get the order explaining it again. Overkill possibly, but I don't want to lose customers. Again, it's not ideal, causes customers to work harder than they should and may cause some to leave negative reviews (I hope not). Squarespace could simply make life easier and allow multiple downloads to a folder, but alas, they are of the "It's a Chrome issue" and aren't offering to help in any way. If I was not already invested in over a year creating my store, I would definitely leave. I may still do so once the millions roll in!! I hope you all are successful, despite this headache!! Take care.

[DCDR]

PS-I forwarded the thread to Squarespace the other day to let them see the number of dissatisfied customers experiencing the issues...and they responded back to me in an email with a "solution"...and it was the same thread!! I had a fun time telling them it was a discussion I started and that they should really do better. I too, am not holding my breath. Talk about poor customer service (and not to bright either), lol!!!!

[TraciReed]

I've been having this issue with my customers the last few days and when I informed customer service that this was ONLY happening with my Squarespace-delivered files, not my files delivered via Dropbox or my site that uses XCart to deliver the same files, I was given the same canned message as above.

This is incredibly poor customer service on Squarespace's part and if it's not fixed ASAP, I'll be migrating my site to another platform.

[themysteryco]

Im having the same issue. I was supposed to launch a new product tomorrow and when I went to test it I received the dangerous file warning. Countless hours of hard work for a launch, just for this ridiculous error message for a legitimate product? I would also want to migrate my website and all the files. This is ridiculous. 

[themysteryco]

Also, isn't it a major security risk to have a random PDF with a link? (to what btw? a g-drive or dropbox) just out there? Part of the point of squarespace is the one time, 24 hour available link to prevent people from sharing and pirating your work without paying for it. I think that my only solution for the moment is to tell customers that they can't use Chrome to download the files and point them in the direction of this thread. It's embarrassing and unfortunate.