
Posted by joering2 3 hours ago

Tell HN: Chrome says "suspicious download" when trying to download yt-dlp

On the newest version, I attempted to download the newest yt-dlp only to be warned of "Suspicious Download". No explanation of what that means was provided.
216 points | 65 comments
asveikau 2 hours ago|
The heuristics powering this, as well as the Windows Defender whitelisting, are terrible.

My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem. Users are not incentivized to use the program with the warning. But removing the warning requires many people to ignore the warning.

This is a big problem for anyone writing Windows software. An indie developer or small open source project is not going to do well with this.

gruez 1 hour ago||
>My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem.

Given the recent npm axios compromise this sounds like a pretty smart move?

dqv 52 minutes ago||
How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.
Frotag 1 hour ago||
Conveniently M$ lets you buy a signing certificate to fix this.

https://stackoverflow.com/questions/48946680/how-to-avoid-th...

pimterry 1 hour ago|||
EV no longer skips SmartScreen either nowadays. I understand that was abused, so it's treated the same as OV. Having a certificate allows the cert itself to accumulate trust (rather than each binary independently doing so) and provides better UX and, I suspect, an initial small boost to the trust signal, but it doesn't bypass the initial distrust. There's no way to avoid that AFAICT, and even if you're an established business you hit it at intervals because all these certificates expire, so the whole process resets every few years anyway. What a mess.
gruez 1 hour ago||
>There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

Maybe have overlapping sets of certificates and dual sign your binaries? That way there's always an "aged" certificate available.

asveikau 1 hour ago|||
Last I checked they can still quarantine your binary if it's properly signed and they decided it hasn't gained traction.
john_strinlai 2 hours ago||
For what it is worth, when downloading the latest .exe from GitHub, Firefox says "this file is not commonly downloaded" and I have to select "allow download".

Scans of it are fine.

Probably just a heuristic-based false positive, and not a newsworthy story of Chrome abusing their monopoly or whatever.

ryandrake 7 minutes ago||
Do these little speed bumps even work? I have to admit I'm so numb to all these popups and to apps warning me this and begging me that, that I just don't read anything anymore. Each app that hits me up with yet another dialog is just another brick in the wall.

The only speed bump that I find super annoying is when your browser tries to prevent you from going to a site with an incorrectly configured certificate (or a self signed certificate). The UX browsers make you navigate in this case is extra-horrible. Apparently, my use of a self-signed certificate for some local machines means I'm about to die.

miki_oomiri 1 hour ago||
Isn't Firefox using Google's "Safe Browsing" database?
warkdarrior 1 hour ago||
Safe Browsing does not provide popularity metrics for downloads, to my knowledge. It only states whether a URL is malicious according to some Google checks. No amount of popularity would turn a malicious URL into a benign one.
jddecker 2 hours ago||
The binaries they offer are compiled using PyInstaller, which can give false positives in antivirus software.
ddtaylor 1 hour ago||
Google has been anti-yt-dlp since before it was forked. They also have rules that carve out tools like this from their extension store and on Android, except enforcement is lacking sometimes.

Google is terrified of users having access to and control over their video content.

nslsm 1 hour ago||
yt-dlp breaks YouTube’s DRM. They could easily get the repo removed under the DMCA. They don’t.
exe34 1 hour ago||
It'll just cause a lot more people to become aware of it and cause mirrors to pop up everywhere.
TheSkyHasEyes 1 hour ago|||
Why would a browser (be designed to) care about this?
gruez 1 hour ago|||
Because people download viruses from the internet all the time? "Common sense antivirus" might work fine if you're technically inclined, but that's not the case for everyone.
mrob 58 minutes ago||
The growing prevalence of so-called "supply-chain attacks" (a bad name because it implies a commercial relationship that doesn't usually exist) shows that "common sense antivirus" isn't working so well even among the technically inclined.
rcakebread 1 hour ago||||
Because Google owns Youtube.
thebeardredis 49 minutes ago||||
Because Google does no evil.
reactordev 1 hour ago||||
To protect the normies from harmful malware… not on their approved vendor list.
exe34 1 hour ago||
It's to protect shareholder value.
g947o 1 hour ago|||
You could also ask why Android cares about banning sideloading to "prevent scams and spyware", and I honestly don't have an answer at all.
mercatop 1 hour ago||
[dead]
cvhc 54 minutes ago||
I can reproduce when downloading https://github.com/yt-dlp/yt-dlp/releases/download/2026.03.1.... But it did provide a line of explanation:

Dangerous download blocked yt-dlp_win_x86.zip is not commonly downloaded and may be dangerous. [Discard] [Keep]

alsetmusic 2 hours ago||
Reminds me of how a Bing search for Google takes people to a page meant to resemble Google.com. Can't trust huge companies.

But as others have pointed out, it's probably a coincidence in this case. But who knows.

ddtaylor 1 hour ago|
"Never let a good tragedy go to waste"
faangguyindia 2 hours ago||
It's funny that such big corporations can't let such a small tool live.

Google is such an evil company; it doesn't even provide anything great anymore.

Antigravity paid plans suck, GCP is billing-heavy. Today Google sucks at most things.

Their Android Play Store hardly updates statistics once a day, so much for such a big data company with unlimited resources lol

throwaway85825 1 hour ago||
Clear conflict of interest enabled by antitrust not being enforced.
fortran77 1 hour ago|
Firefox gives a similar warning.
exe34 1 hour ago||
It uses Google's shitlist.
jacquesm 21 minutes ago||
And only exists because of Google.
ompogUe 2 hours ago||
So, Google's browser says downloading a tool to download files from Google's servers is "Suspicious"? Not surprising.
schiffern 2 hours ago||
By the same standard, Chrome itself is "a tool to download files from Google's servers." Chrome doesn't only download from Google's servers, but the same thing applies to yt-dlp.

I'm equally not "surprised" by their bad behavior, but that shouldn't stop us from condemning Google for unethically misleading people and engaging in browser monopoly abuse.

---

EDIT: holding up (hilariously) RIAA lawyers as ethical role models only proves my point, thanks.

Habgdnv 2 hours ago|||
Actually that is what they want you to believe. Behind the scenes, secretly Chrome is mostly "a tool to upload files to Google's servers" but because it does not require any actions from the user to do that, many people miss that part.
ddtaylor 1 hour ago||
Oops we accidentally stole, indexed and resold all your data. Sorry.
dryarzeg 2 hours ago||||
> Chrome itself is "a tool to download files from Google's servers."

...legitimately. While Google (I will reinforce: Google, not everyone) sees downloading of videos and other content from YouTube by third-party services as illegitimate because of YouTube's ToS. After all, they're making money from YouTube Premium and the "Download" option it provides, so things like that are kinda expected to happen.

And no, I don't agree that it's right. While I can understand Google's position, the method they (allegedly) used here... Well... I don't even know what to say. That's plainly wrong, in my opinion. After all, "download" is defined as "To transfer (data or a program) from a central computer or website to a peripheral computer or device." by The American Heritage Dictionary of the English Language (5th Edition), so when you just watch videos, you download them already, don't you? What about watching them in the browser, in an embed on some website? Does that constitute a legitimate client (I guess so, because most embeds still use the YouTube Player after all)? That just makes me laugh : )

waffletower 2 hours ago|||
I am sure that RIAA lawyers would rofl at this yt-dlp labelling being an example of Google "... unethically misleading people and (committing) browser monopoly abuse". I want to live in that fantasy world with you though.
ddtaylor 1 hour ago||
Come to our fantasy Linux land anytime you want. We circumvent all of the strange things the RIAA, MPAA, Google and many other companies do to attempt to lock information into a box with only one hole they allow you to look through.

Our fantasy land gets better every time your reality gets worse.

matheusmoreira 2 hours ago||
Which is why I download it from my Linux distribution's package manager. It's available on Termux too.
entropie 27 minutes ago|
Which in the case of yt-dlp might not be fast enough.

I use a Telegram/MQTT/Home Assistant wrapper [1] to let my mother download audiobooks, which are saved in Jellyfin so she can listen to or download them from my (home) server.

Keeping yt-dlp up to date (and therefore working) is not that easy, especially since I don't do a system update every other week. There were a few phases where the yt-dlp version in nixpkgs-unstable was just not working. I created a little wrapper that updates a venv so I always have HEAD running for my bot.

[1] https://github.com/entropie/ytdltt

jesse23 2 hours ago|
`brew install yt-dlp` or `scoop install yt-dlp` :)
mghackerlady 36 minutes ago||
I suspect for M$ users you could even use winget (though I am unable to subject myself to Windows right now)
bigyabai 2 hours ago||
Yep. Never send a web browser to do a package manager's job.