
no that means that like any ISP they have full access to unencrypted traffic, including login POST requests



Actually no, they do inject code into the login pages. Here is the code injected into the FB login: http://www.hackerzvoice.net/node/105

It is not simply a case of sniffing traffic. They log what users input into the login form, via JavaScript injection.


But login requests on Facebook do use SSL: if you use Firebug on the Facebook homepage, the login form points to " https://login.facebook.com/login.php?login_attempt=1 ".

The issue seems to be that code is injected in pages that merely contained a login form: http://blog.rootshell.be/2011/01/13/tunisia-tracks-users-wit...


Even if the login form was submitted to an HTTPS URL (which is the case), the fact that the login page was served over HTTP allows the government to inject the JS code, which will execute locally and retrieve the login and password inputs and send them via Ajax to another URL.


This is why any page that lets you login to a site must also be accessible over HTTPS-only.


Or any page that points to a page that lets you log in to a site must be accessible over HTTPS-only. Or any page that points to a page that points to a page... you get the idea. SSL everything, or you lose.
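The two rules stated in the comments above (a page carrying a password form must itself be served over HTTPS, not just its form action, and any HTTP page linking to the login page is a weak point too) can be checked mechanically. The following audit script is an added example, not code from the thread or from any site it mentions; it runs over a constructed set of pages (`SAMPLE_SITE`, a made-up `example.test` domain with invented headers) rather than a live crawl, and flags exactly the conditions the thread describes, plus the absence of an HSTS header on HTTPS pages, which is the usual mitigation for the "SSL everything" chain problem.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample "crawl": URL -> (HTML body, response headers).
# These pages and headers are made up for the example; nothing here was
# captured from a real site.
SAMPLE_SITE = {
    "http://example.test/": (
        '<html><body><a href="/login">Log in</a></body></html>',
        {},
    ),
    "http://example.test/login": (
        # Form action is HTTPS, but the page itself arrives over HTTP, so any
        # script injected on the wire runs in this page and can read the fields.
        '<form action="https://login.example.test/login.php" method="post">'
        '<input name="email"><input type="password" name="pass"></form>',
        {},
    ),
    "https://login.example.test/login.php": (
        '<form action="https://login.example.test/login.php" method="post">'
        '<input type="password" name="pass"></form>',
        {"Strict-Transport-Security": "max-age=31536000"},
    ),
    "https://example.test/account": (
        "<html><body>Signed in.</body></html>",
        {},  # HTTPS, but no HSTS: the next visit can start over plain HTTP
    ),
}


class _PageScanner(HTMLParser):
    """Collect outgoing links and forms (with a password-field flag) from one document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []  # each entry: {"action": absolute URL, "has_password": bool}
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.base_url, attrs["href"]))
        elif tag == "form":
            self._current_form = {
                "action": urljoin(self.base_url, attrs.get("action") or ""),
                "has_password": False,
            }
            self.forms.append(self._current_form)
        elif tag == "input" and self._current_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def audit(site):
    """Return (url, finding) tuples for the weaknesses discussed in the thread.

    Findings:
      http_login_form    - a password form on a page served over HTTP
      http_link_to_login - an HTTP page linking to a page with a password form
      missing_hsts       - an HTTPS page without a Strict-Transport-Security header
    """
    scanned = {}
    for url, (body, headers) in site.items():
        parser = _PageScanner(url)
        parser.feed(body)
        scanned[url] = (parser, headers)

    findings = []
    for url, (parser, headers) in scanned.items():
        is_https = urlparse(url).scheme == "https"
        if any(f["has_password"] for f in parser.forms) and not is_https:
            findings.append((url, "http_login_form"))
        for link in parser.links:
            target = scanned.get(link)
            if target and not is_https and any(f["has_password"] for f in target[0].forms):
                findings.append((url, "http_link_to_login"))
        if is_https and "Strict-Transport-Security" not in headers:
            findings.append((url, "missing_hsts"))
    return findings


if __name__ == "__main__":
    for url, finding in sorted(audit(SAMPLE_SITE)):
        print(f"{finding:20} {url}")
```

Note that the check deliberately ignores the form's `action` attribute when deciding whether a login page is safe: as the thread points out, an HTTPS action does nothing once the page that renders the form has already been tampered with in transit. Replacing `SAMPLE_SITE` with the output of a real fetch (URL, body, headers) turns this into a small pre-deployment audit.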



