A couple of month passed since Facebook introduced full SSL support. This optional feature lets you browse Facebook via a secure connection (https) whenever possible. Facebook via https is now available to all users and why are so few people using it? I suppose because the option is disabled per default. -> Enable this option!
SOPHOS How-To enable the Facebook HTTPS option.
They also provide a video How-To:
http://www.youtube.com/watch?v=JIXxXFbrmKA
Using Facebook without a secure communication puts your account data at high risk. First Firesheep and now Faceniff offer script-kiddie tools to hijack Facebook accounts over wireless. Research we conducted shows that unencrypted Facebook sessions are low-hanging fruits for large scale spam attacks. We published our first findings in 2010 (technical report), a revised version has been published in the current issue of IEEE’s Internet Computing.
Friend-in-the-middle (FiTM) attacks
In our article we present friend-in-the-middle attacks that extract social networking data in an automated fashion. The harvesting of data is possible because people do not use a secure connection with Facebook. We show that the extracted social data can be exploited for large-scale context-aware spam and social-phishing attacks. Our attack simulations on Facebook showed that an attacker could easily spam a high number of users with context-aware spam (e.g. spam that appears to be coming from a friend) in a short period of time (Over 300,000 spammed users with 4,000 unencrypted Facebook sessions we observed over two weeks).