by rhc2104 5618 days ago
But login requests on Facebook do use SSL: if you use Firebug on the Facebook homepage, the login form points to " https://login.facebook.com/login.php?login_attempt=1 ". The issue seems to be that code is injected in pages that merely contained a login form: http://blog.rootshell.be/2011/01/13/tunisia-tracks-users-wit...

But if the page containing the form isn't served through SSL, it's subject to alteration by a man in the middle --- which is what actually happened in this case. And users who don't "view source" every single time have no way to notice the difference before logging in (and precious little after, if the logger quickly resubmits to the real McCoy).
And if the page that has the link to the login form isn't served through SSL, it's subject to alteration by a man in the middle to hijack the login page. And if the page that has the link to the page that has the link to the login form... you get the idea. Use SSL on every page, or you lose.
It is very poor security to teach your users to enter their passwords on HTTP pages. Even the small minority of technical people who check the page uses HTTPS when it posts the form do not check it every time they use the page.
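The thread's point is that a login form on an HTTP page is exposed to rewriting by a man in the middle even when the form's action is an HTTPS URL. The following audit helper, added here as an example and not part of the thread or of any site's own code, flags exactly that case (and the reverse, a password form posting to plaintext); the hostnames in the constructed sample are placeholders.

```python
# Added example (not from the thread): flag password forms a browser would load
# over plain HTTP, even when the form posts to HTTPS, since a man in the middle
# can rewrite such a page before the user ever submits.
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class _FormScanner(HTMLParser):
    """Collect (action, has_password) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_page(page_url, html):
    """Return findings (strings) for password forms; empty list means clean."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # resolve relative actions
        if urlparse(page_url).scheme != "https":
            findings.append(f"password form on non-HTTPS page {page_url} (posts to {target})")
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts over plaintext to {target}")
    return findings


# Constructed sample mirroring the thread: an HTTP page whose login form
# itself posts to an HTTPS endpoint (hostnames are placeholders).
SAMPLE_HTML = """<form action="https://login.example.test/login.php?login_attempt=1" method="post">
<input name="email"><input type="password" name="pass"><input type="submit">
</form>"""
```

Calling `audit_login_page("http://www.example.test/", SAMPLE_HTML)` returns one finding for the HTTP page; the same HTML served from an https:// URL returns none.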