by sp332 4262 days ago
If you type in facebook.com, your browser will use HTTP by default. The login page will redirect you to HTTPS, but it's too late, you're MITM'd. The attacker makes the HTTPS connection instead, and serves the page to you over HTTP. You put your username and password in and send it back to the attacker in plain text. The attacker sends the data to Facebook via HTTPS, decrypts the response, and sends it to you via HTTP. It's called sslstrip. http://www.idcloak.com/learning-center/faceniff-SSL-Strip-fa...
1 comments

Don't browsers typically verify the identity of an HTTPS page and warn you if something is not right?
Right, but in this case your browser never sees the page over HTTPS. The attacker makes the secure connection, and feeds you data over an insecure connection that they can see.

  You <-(HTTP)-> Attacker <-(HTTPS)-> Facebook
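
The two cases this thread describes look different from the client side, and the difference can be checked on the first reply to the plain-HTTP request. The following is an added example, not part of any comment above: the function name, the result labels and both sample responses (including the `/login` path) are constructed for illustration.

```python
import re

# Matches an HTML password input, e.g. <input type="password" ...>
PASSWORD_FIELD = re.compile(r'<input\b[^>]*\btype\s*=\s*["\']?password', re.I)

def classify_first_response(raw: bytes) -> str:
    """Classify the reply a client received for a plain-HTTP request to a login site."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "malformed"
    status = int(parts[1])

    # Header names are case-insensitive, so normalise them to lower case.
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if status in (301, 302, 303, 307, 308):
        # Expected behaviour: the site sends the browser to HTTPS.
        if headers.get("location", "").lower().startswith("https://"):
            return "redirect-to-https"
        return "redirect-stays-on-http"

    # No redirect: a password field delivered in cleartext is the symptom
    # of the stripped connection, since the browser never sees HTTPS.
    if PASSWORD_FIELD.search(body.decode("utf-8", "replace")):
        return "password-form-over-http"
    return "no-login-content"

# Constructed sample: what the real site is described as doing.
REDIRECTED = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://www.facebook.com/\r\n"
              b"Content-Length: 0\r\n\r\n")

# Constructed sample: page content served over HTTP in place of the redirect.
STRIPPED = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b'<form action="http://www.facebook.com/login" method="post">'
            b'<input type="text" name="email">'
            b'<input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, sample in (("redirected", REDIRECTED), ("stripped", STRIPPED)):
        print(label, "->", classify_first_response(sample))
```
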