We now use https by default for all Facebook users. This feature, which we first introduced as an option two years ago, means that your browser is told to communicate with Facebook using a secure connection, as indicated by the "https" rather than "http" in [the URL]
However, the http interface remains
Some mobile phones and mobile carrier gateways don't fully support https. While we're working with the vendors of these products, we didn't want to leave https off entirely for affected users.
This is regrettable because it leaves possible the sslstrip attack whereby a man-in-the-middle rewrites https links to http, and serves a similar looking page at the http url. The solution is the HSTS header which tells the browser to always use https for a given site.
The primary source for IP address data is the regional Internet registries which allocate and distribute IP addresses amongst organizations located in their respective service regions:
American Registry for Internet Numbers (ARIN)
RIPE Network Coordination Centre (RIPE NCC)
Asia-Pacific Network Information Centre (APNIC)
Latin American and Caribbean Internet Address Registry (LACNIC)
African Network Information Centre (AfriNIC)
Secondary sources include:
Data mining or user-submitted geographic location data. For example, a weather web site might ask visitors for a city name to find their local forecast. Another example would be to pair a user's IP address with the address information in his/her account profile.
Data contributed by internet service providers.
Merging databases from different suppliers.
Guesstimates from adjacent Class C range[2] and/or gleaned from network hops.
Accuracy is improved by:
Data scrubbing to filter out or identify anomalies.
Best Answer
As of July 2013, Facebook is https by default:
However, the http interface remains
This is regrettable because it leaves possible the sslstrip attack whereby a man-in-the-middle rewrites https links to http, and serves a similar looking page at the http url. The solution is the HSTS header which tells the browser to always use https for a given site.