Which means next to nothing if the page with the login form isn't encrypted. A man in the middle attack would just replace the Facebook login page, and the user would likely never notice.