Facebook, Tunisia, and Online Security

The Atlantic has an article about how the Tunisian state allegedly tried to steal an entire country’s worth of Facebook passwords:


Though [Facebook's Chief Security Officer Joe] Sullivan is the unflappable type, the Tunisian situation seemed to force him into a bit of reflection. “When you step back and think about how Internet traffic is routed around the world, an astonishing amount is susceptible to government access,” he noted.


Like most popular journalism on such themes, the technical details are inaccurate (an ISP ‘keylogging’, and being defeated by HTTPS?). But close enough. A disturbing issue for me is the claim that Facebook, which contains so many personal details for many of us, allows – and defaults to – logging in on a non-HTTPS webpage. Can that really be true? Surely this is another inaccurate technical detail. Surely?