I'm serving a self-hosted network both over SSL (https) and directly (http). I'm running Jetpack version 2.5 on WordPress 3.7.1. I have the jetpack-comments plugin enabled.
Visiting any page on which a comments box appears causes Firefox v25.0 to show a mixed-content warning. A similar warning probably appears in other browsers too (I haven't tested any). An example of this warning can be seen on this very page currently (https://wordpress.org/support/plugin/jetpack)!
I used http://www.whynopadlock.com/ to investigate the cause of the warning and it reported the following:
Insecure URL: http://s.skimresources.com/js/725X1342.skimlinks.js Found in: https://jetpack.wordpress.com/jetpack-comment/?blogid= <snip>
I viewed the source of the page on which the tool said the insecure URL was included and found the following code snippet:
I've confirmed that this resource is also available over SSL currently:
I've worked around similar WordPress issues by using webserver output substitution-rules to rewrite http:// URLs as https:// when pages are loaded over SSL, however this resource isn't served from my domain so I can't do that here. I don't want to force my visitors to use SSL by changing the site root scheme to HTTPS or by rewriting unencrypted incoming requests. The site should be available either encrypted or unencrypted.
I've worked around the problem by disabling jetpack-comments for now. Would it be possible for a plugin author to change the scheme by which this resource is fetched to SSL (https), either all the time, or just when the plugin includes code on an otherwise encrypted page?
If I've made a mistake somewhere I'd be grateful to anyone who can point it out. I'd be happy to help investigate further if we need more information to get this fixed.