HTTPS-Everywhere has some securecookie rules for WMF sites... I don't know if the "not secured by server" is necessarily correct, or was copied from elsewhere
<!-- Not secured by server: --> <!--securecookie host="^\.wiki(books|data|mediafoundation|pedia|versity)\.org$" name="^GeoIP$" /--> <!--securecookie host="^(?:www\.)?wikidata\.org$" name="^WMF-Last-Access$" /--> <!--securecookie host="^en\.wikipedia\.org$" name="^(CentralAuthAnon|mediaWiki\.user\.sessionId|uls-previous-languages)$" /--> <securecookie host="^(?:www\.)?mediawiki\.org$" name=".+" /> <securecookie host="^\.wik(?:ibooks|idata|imedia|imediafoundation|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name="^GeoIP$" /> <securecookie host="^(?:[^@:/]+\.)?wik(?:ibooks|idata|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name=".+" /> <securecookie host="^(?:species|commons|meta|incubator|wikitech)\.wikimedia\.org$" name=".+" /> <securecookie host="^wikimediafoundation\.org$" name=".+" />
I'm presuming this would be more of a MW bug (ie the site is only HTTPS, and we're not setting the secure flag)... But either way, we should look at dealing with it :)