
Or they just redirect all HTTPS requests back to HTTP. How many people would notice?



Presumably a Tunisian blogger may be "paranoid" enough to notice.

When it's your password on the line (and possibly your ass in jail), data security is more than aggregate statistics.


Err, well, I'm pretty sure they could have logged in via HTTPS all along by just manually typing in http://www.facebook.com


If the URL starts with "http:", the attacker gets to decide which parts (if any) are going to be sent HTTPS.


Sorry, either the autolinker or I screwed up that post. My point was that if people cared about security, they could have been visiting the facebook login page by manually typing HTTPS in the first place.


True.

I don't use FB, but someone on Slashdot was saying it likes to reply with every link going to http anyway. Based on my experience with Twitter and other sites, this sounds very plausible.
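
An added example, not part of the thread or any poster's code: a Python audit that lists the navigation targets in a page (links, form actions, meta refreshes) that would take a browser from HTTPS back to plain HTTP, the behaviour the comments above describe. The host `www.example.test`, the names `DowngradeAudit` and `audit`, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser navigate or submit somewhere.
NAV_ATTRS = {"a": "href", "area": "href", "form": "action", "iframe": "src"}

class DowngradeAudit(HTMLParser):
    """Collect navigation targets that resolve to plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url      # URL the page was fetched from
        self.findings = []            # list of (tag, absolute_url)

    def _check(self, tag, target):
        # Resolve relative and scheme-relative targets against the page URL.
        absolute = urljoin(self.page_url, target.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = NAV_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._check(tag, attrs[attr])
        # <meta http-equiv="refresh" content="N; url=..."> also navigates.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            _, _, rest = (attrs.get("content") or "").partition(";")
            key, _, url = rest.strip().partition("=")
            if key.strip().lower() == "url" and url:
                self._check("meta-refresh", url.strip("'\" "))

def audit(page_url, html):
    parser = DowngradeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not captured from any real site.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="300; url=http://www.example.test/home">
</head><body>
<form action="/login" method="post"><input name="pw" type="password"></form>
<a href="http://www.example.test/profile">Profile</a>
<a href="https://www.example.test/settings">Settings</a>
<a href="//www.example.test/help">Help</a>
<a href="friends">Friends</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in audit("https://www.example.test/login", SAMPLE):
        print(tag, url)
```

Run against the same HTML with an `http://` page URL, every relative and scheme-relative target is reported as well, since those inherit the scheme the page was loaded with.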



