The Case of the Mixed Content

Recently a problem came up with some required training hosted on our Learning Management System. Users would receive a warning “Only Secure Content is Displayed”. While users could click ‘show content’, they received an error message ‘unable to connect to LMS’. They could still watch the training video, but were not shown as completing the assignment in the LMS.

Mixed content refers to websites that contain some elements in HTTPS and other elements in HTTP. An attacker could replace elements presented in HTTP, compromising the security of your computer and your access to the “secure” website. Microsoft has an extensive writeup on IE9 and mixed content here.

You would expect that upon clicking ‘show all content’ the LMS presentation would work correctly. But in this case the reload of the page to add the insecure content appears to have broken some sort of connection, probably authentication.

To troubleshoot this issue, I installed Fiddler and enabled SSL decryption. I then recorded traffic while reproducing the issue. I was able to quickly determine that the HTTP content was a call to Google Fonts. I then searched the Fiddler logs to determine which file included code with this call. The change was tested and implemented with no further issues. Microsoft summarizes the steps in this article. To that I would add that you need to enable SSL decryption in Fiddler, and may need to install a plugin to decompress content.
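Once the trace has pointed at the offending request, the same kind of reference can be found statically in the course files. The scanner below is an added example, not part of the original troubleshooting: it lists `http://` subresources in a page meant to be served over HTTPS, and the sample page, its URLs and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute the browser fetches as a subresource; <a href> is navigation only.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "video": "src",
               "audio": "src", "embed": "src", "object": "data", "link": "href"}
FETCHED_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load something
# http:// targets of url(...) and @import "..." inside CSS
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+)['"]?(http://[^'")\s]+)""", re.I)

class MixedContentFinder(HTMLParser):
    """Collect (line, where, url) for http:// subresources in an HTTPS page."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "link" and not FETCHED_RELS & set(attrs.get("rel", "").lower().split()):
            return  # e.g. rel=canonical is metadata, nothing is fetched
        url = attrs.get(FETCH_ATTRS.get(tag, ""), "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS text inside <style>...</style>
            first = self.getpos()[0]
            for m in CSS_URL.finditer(data):
                line = first + data.count("\n", 0, m.start())
                self.findings.append((line, "style", m.group(1)))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample standing in for a course page served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<link rel="canonical" href="http://lms.example.com/course/1">
<style>
@import url("http://fonts.googleapis.com/css?family=Lato");
</style>
<script src="https://lms.example.com/player.js"></script>
</head><body><a href="http://example.com/help">Help</a></body></html>"""
```

`find_mixed_content(SAMPLE_PAGE)` reports the stylesheet link on line 2 and the `@import` on line 5, and ignores the canonical link, the HTTPS script and the plain hyperlink.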