This morning, I installed the HTTPS-Everywhere extension on my Firefox browser. Then I flushed all private data and started the HTTPFox request tracer.

I then typed www.facebook.com in the URL bar and entered my credentials.

Here is what HTTPFox saw:

Then I installed Force-TLS. I configured it as follows:

Force-TLS configured to force HTTPS access to *.facebook.com
And here is the HTTPFox capture made with Force-TLS enabled:
I am surprised by these results. Can someone comment on this or try on your own system and confirm?

EDIT-2010/10/30
Following David's comment, I sharked the traffic. The HTTP request did not appear, as expected when we see the "cached" attribute in HTTPFox's log.

Reading the response header from the request #00:27.967 (first capture) indicates the presence of a hard-coded redirection to an HTTP address, even when the user has specifically chosen HTTPS for accessing Facebook.

This led me to observe the default behavior when both extensions (Force-TLS and HTTPS-Everywhere) are disabled. In this setup, traces indicate that by default, Facebook explicitly redirects the user outside the HTTPS protocol even when it is explicitly requested by a manually typed URL starting with "https://".
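The downgrade described above (an HTTPS response whose redirect points at a plain-HTTP address) can be spotted mechanically in a request log rather than by reading headers one by one. The following is an added example, not code from the original post or from either extension; the capture records are constructed to resemble HTTPFox entries, and the redirect target paths are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample resembling an HTTPFox capture: one record per request.
# The paths and the second host are made up for illustration.
SAMPLE_CAPTURE = [
    {"url": "https://www.facebook.com/", "status": 302,
     "headers": {"Location": "http://www.facebook.com/home.php"}},
    {"url": "http://www.facebook.com/home.php", "status": 200, "headers": {}},
    # Relative Location header: resolves against the HTTPS request URL, so no downgrade.
    {"url": "https://example.test/login", "status": 301,
     "headers": {"location": "/account"}},
    {"url": "https://example.test/account", "status": 200, "headers": {}},
]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_downgrades(capture):
    """Return (from_url, to_url) pairs where an HTTPS response redirects to plain HTTP.

    Only 3xx responses carrying a Location header are considered; relative
    Location values are resolved against the request URL before comparing schemes.
    """
    downgrades = []
    for rec in capture:
        if not 300 <= rec["status"] < 400:
            continue
        location = _header(rec["headers"], "Location")
        if not location:
            continue
        target = urljoin(rec["url"], location)
        if urlsplit(rec["url"]).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((rec["url"], target))
    return downgrades


if __name__ == "__main__":
    for src, dst in find_downgrades(SAMPLE_CAPTURE):
        print(f"HTTPS->HTTP downgrade: {src} -> {dst}")
```

A redirect flagged this way is server-side policy, which is why a client-side rewriting extension cannot keep the session on HTTPS once the server answers the HTTPS request with an HTTP Location.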

My error: before starting the test, I assumed that the user would not be explicitly kicked out of the https link. I should have done this test first, as it made all further analysis completely useless... :)

(thank you David for your comment)