First step for T102367 is to find unsecure resources.
How do we do this? Options I see:
- naively grep all the projects' PHP and JavaScript code looking for hardcoded http:// URLs;
- make a list of tools.wmflabs.org URLs and test them all for unsecure resources with a simple URL fetching script;
- set some dark magic JavaScript site-wide logging sending all such occurrences of unsecure resources to Sentry or something;
- some smart ruby mechanize crawler to test all the domain recursively.