What is HTTPS?
HTTPS stands for HTTP Secure. With HTTPS pages, encryption is added to requests sent and received. It has three main benefits:
- Authenticity – the browser checks that it has opened the correct website.
- Data integrity – the browser can detect if an attacker has changed any data it receives.
- Secrecy – the browser can prevent an attacker from eavesdropping on requests, tracking websites visited, or stealing information sent or received.
What is mixed content?
If you are using a Moodle site where all pages are HTTPS and you link to a video that is on a HTTP page, then this is an example of mixed content and the connection will be only partly encrypted. Mixed content weakens HTTPS as these requests are vulnerable to an attacker eavesdropping on a connection, and seeing or changing the communication.
How to avoid blocked content
Unfortunately you are unlikely to notice mixed content until it is too late and you have clicked through to a blocked page. Read on for advice about how to view blocked mixed content if this happens.
If you are responsible for creating and maintaining online content, now might be a good time to review links within your secure pages to ensure that you’re not inadvertently frustrating your readers by sending them to http:// pages and therefore blocked content. Then, where possible, link to https pages instead. You may also like to let your readers know what to expect – and what to do – should this happen. No surprises!
How to view blocked mixed content
By default, mixed content is blocked in Internet Explorer 10+, Firefox 23+ and Chrome 21+. When mixed content is blocked, you will see a blank page or ‘Only secure content is displayed’. This can be frustrating, especially when we’re in a hurry. Try this next time it happens:
- Go to the top of the page, left of the address bar, and click the shield icon
- In the pop-up window, click the down arrow next to ‘Options’, and click ‘Disable protection for now’.
- Click the shield icon on the right side of the address bar
- In the icon dialog box, click ‘Load unsafe scripts’.
- Go to the bottom of the screen, and click ‘Show all content’.
Keen to learn more?
Good old Wikipedia offers comprehensive information about URI, TLS, TCP/IP, certificate authorities HSTS, SSL, stripping and much, much more. And I might get around to writing on each of those topics one day.