This morning, I installed the HTTPS-Everywhere extension on my Firefox browser. Then I flushed all private
data and started the HTTPFox request tracer.
I then typed www.facebook.com in the URL bar and entered my credentials.
Here is what HTTPFox saw:
Then I installed Force-TLS. I configured it as follows:
Force-TLS configured to force HTTPS access to *.facebook.com
And here is the HTTPFox capture made with Force-TLS enabled:
I am surprised by these results. Can someone comment on this, or try it on your own system and confirm?
Following David's comment, I sharked the traffic. The HTTP request did not appear, as expected when we see the "cached" attribute in HTTPFox's log.
Reading the response header from the request #00:27.967 (first capture) indicates the presence of a hard-coded redirection to an HTTP address, even when the user has specifically chosen HTTPS for accessing Facebook.
This led me to observe the default behavior when both extensions (Force-TLS and HTTPS-Everywhere) are disabled. In this setup, traces indicate that by default, Facebook explicitly redirects the user outside the HTTPS protocol even when it is explicitly requested by a manually typed URL starting with "https://".
My error: before starting the test, I assumed that the user would not be explicitly kicked out of the https link. I should have done this test first, as it made all further analysis completely useless... :)
(thank you David for your comment)
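An added check, not part of the original post, for the situation described above: given the URL that was requested over https:// and the raw response captured for it, flag any 3xx redirect whose resolved Location points back to plain http://, since such a server-side downgrade defeats client-side tools like Force-TLS or HTTPS-Everywhere. The host, paths and response bodies below are constructed sample data, not captured Facebook traffic.

```python
from urllib.parse import urljoin, urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers

def downgrade_redirect(request_url, raw_response):
    """Return the http:// target if an https:// request was answered with a
    redirect to plain HTTP, otherwise None. Relative and scheme-relative
    Location values are resolved against the request URL first, so only
    an explicit http:// destination counts as a downgrade."""
    if urlsplit(request_url).scheme != "https":
        return None
    status, headers = parse_response(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    target = urljoin(request_url, headers["location"])
    return target if urlsplit(target).scheme == "http" else None

def find_downgrades(capture):
    """Scan a list of (request_url, raw_response) pairs, as one might export from
    a request tracer, and return (request_url, http_target) for each downgrade."""
    hits = []
    for url, raw in capture:
        target = downgrade_redirect(url, raw)
        if target:
            hits.append((url, target))
    return hits

# Constructed sample capture: only the first entry is a real downgrade.
REQ = "https://www.example.com/login.php"
DOWNGRADE = "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/home.php\r\n\r\n"
SAFE = "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/home.php\r\n\r\n"
RELATIVE = "HTTP/1.1 301 Moved Permanently\r\nLocation: /home.php\r\n\r\n"
OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
CAPTURE = [(REQ, DOWNGRADE), (REQ, SAFE), (REQ, RELATIVE), (REQ, OK)]

if __name__ == "__main__":
    for url, target in find_downgrades(CAPTURE):
        print("HTTPS request to %s was redirected to %s" % (url, target))
```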