I've set my login and admin to use SSL only by adding the following setting in wp-config.php:
define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);
However, when you have user and blog avatars, these are not delivered over SSL, which causes an error in IE and the site to fail security checks in Chrome and Firefox.
So, on line 1306 of avatars.php, I changed it to switch based on is_ssl():
$out = ( is_ssl() ) ? 'https://' : 'http://'; $out .= $current_site->domain . $current_site->path . 'avatar/user-' . $avatar_user_id . '-' . $size . '.png';
Hopefully you guys can add this to the plugin in a future update.