A few days ago Facebook offering the option of completely SSL encrypted communication. This security feature is disabled by default and a script kiddie could sniff your session cookie and use it to take over other people's Facebook accounts with tools like Firesheep. But a well versed Facebook user can find and enable the option for full SSL encrypted communcation.
Unfortunatly SSL encrypted communication does not work with all Facebook apps. If you click on a link to a Facebook app, Facebook asks whether you would like to switch to a "regular connection (http)". If you then continue, you land on an unprotected http website (like expected). But in the background Facebook disables the https option in your account settings without any further question!
The Firefox add-on NoScript (also part of the JonDoFox profile) offers an enforce HTTPS implementation. Add Facebook to your list of HTTPS only domains and HTTPS encrypted communication with Facebook will never be disabled.