I think you outlined the two choices pretty well. The first method would be using Multiple Sites Based on Folder Names. The second method would be Multiple Sites Based on Host Names, and you'd use a wildcard SSL certificate. You'll just need to choose the one that best fits your needs. Be sure to look at the limitations section of the Folder Names option, since that may impact which way you go.

Jamie

Anything on the page (typically images, javascript, iframes or css links) that has src="http:// will cause the browser warning about insecure content on the page if the outer page is using https. For internal things you can just use relative urls like src="/

It is only src= that you need to worry about href="http: won't cause any errors because it doesn't load anything into the page like src= does.

For links to external javascript or images or css you must hope that they support ssl or decide to remove that from the page. The modern technique for linking to external resources is to do it without the protocol like src="//www.somothersite/someptherresource

// will make it use https if the containing page is using https or you can always use src="https:// since that won't cause any problems on pages that don't use ssl and will prevent problems on pages that do. But for some things https may not be supported and it is best not to use them. You can change them to https then use firebug network tab, if any of the fail to load using https then it is not supported and your only solution is to remove them.

I know Chrome is the worst about showing the red slash even on other pages after you visit any page with insecure content. Most thing built into mojoPortal are designed to use https if the page is using it. I changed not long ago from using IntenseDebate comment system to using Disqus because Disqus has beeter support for https. But just a few days ago I started seeing the red slash in Chrome pon this site and it was caused by a change in Disqus, I had to contact them and they fixed it for my account so this site should be fine on all pages now.

So you need to go through each page where you see the browser warning and inspect the html for src=:http:

You may need to use Firebug or browser tools to find them because sometimes additional non-secure javascript is loaded by other javascript that is using https.

These days it is more important  than ever to use SSL and you should use the config settings to prevent cookies from being passed when not using SSL as discussed in the article Use SSL. You'll notice on this site if you visit a page without https it appears that you are not logged in, that is because we have it configured to only pass cookies on secure requests, so as soon as you click the link to sign it it goes back to a secure page and if you were already logged in it sees your cookies again and knows you are already logged in.

Hope that helps,

Joe