Linking to a
http:// url from a secure site is no problem, no need to change anything there.
The images / photo's grabbed from Facebook use a protocol-relative URL so they will automatically switch to
https:// if the page is viewed through HTTPS.
I just took a quick look at what the problem might be then and discovered that the link previews are sometimes in
http and sometimes in
https. Haven't figured out yet what caused this.
Disabling link previews will most likely fix it for now. In the meantime, I'll try to discover how to work around this.
PS. You can disable link previews in the widget settings or by passing
show_link_previews=0 to the shortcode.
Hope that helps!