
This is why mixed content warnings from browsers are an oh-so-important annoyance.



No mixed content warnings here though. The ISP is editing the login page to include JavaScript that posts the password back, seemingly, to Facebook at http://www.facebook.com/wo0dh3ad. Being a man in the middle, the ISP can capture all requests to this nonexistent URL and harvest the passwords. The browser can't suspect a thing.


Also why the entire login page needs to be served via SSL.


And surely the entire site, if you want to avoid session hijacking.

(And after that, all the government needs to do is require an SSL signing authority to be used by all Tunisian banks, and it's back in!)


There is no such thing as Security - only the illusion, that too of Selective, Government Controlled Security :)


Also why real companies need to be much better about not ignoring them on poorly written https pages that refer to http assets.
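
An added example, not code from any commenter in this thread: a small audit that flags the three conditions discussed above, namely a password form on a page fetched over HTTP, HTTP subresources on an HTTPS page, and a form that submits over HTTP. The names `LoginPageAudit` and `audit` and the `example.test` hosts are made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch or submit (a subset).
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}

class LoginPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlparse(page_url).scheme == "https"
        self.has_password_field = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = attrs.get(attr) or ""
        if not value and tag != "form":
            return  # inline script or empty src: nothing is fetched
        # An empty form action submits to the page's own URL.
        target = urljoin(self.page_url, value)
        if urlparse(target).scheme != "http":
            return
        if tag == "form":
            self.findings.append(("insecure-form-action", tag, target))
        elif self.secure_page:
            self.findings.append(("mixed-content", tag, target))

def audit(page_url, html):
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    if parser.has_password_field and not parser.secure_page:
        findings.insert(0, ("password-form-on-http-page", "input", page_url))
    return findings

# Constructed sample markup; example.test hosts are placeholders.
SAMPLE = ('<script src="http://cdn.example.test/lib.js"></script>'
          '<script src="/app.js"></script>'
          '<form action="https://bank.example.test/session" method="post">'
          '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for url in ("https://bank.example.test/login", "http://bank.example.test/login"):
        print(url, audit(url, SAMPLE))
```

The HTTP case yields only the page-level finding even though the form posts to HTTPS, which is the situation the thread describes: markup delivered over HTTP can be rewritten before the browser ever sees it.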



