Many of us do not realise that there are basically two ways that browsers can talk to web sites (or rather web servers). The normal mode uses is called
HTTP and the
much safer encrypted mode is
HTTPS. Normally logins (Gmail, Yahoo etc) and financial transactions (online banking), for example, are done in HTTPS to protect passwords and financial info etc.
Why does this matter? Unencrypted data can be intercepted enroute or when sharing a wireless network with others such as a public hotspot. Or when using an office or home wifi network which is not even password protected. In other words, in these circumstances and if you are using HTTP, someone could watch what you do and steal your password or bank card information. This could also happen via a computer in your network which had been compromised by a computer virus.
How do we know if the site is secure and using HTTPS? The web site address usually starts http://xyz.... but if it is secure it starts https://xyz....
The major mail websites all use secure HTTPS logins. Gmail goes further and uses HTTPS for the whole session including reading email etc.
Facebook does not use HTTPS even for logins and your password is more at risk especially at big public hotspots at airports etc.
However to make browsing on Facebook secure there is an option to turn on HTTPS - go to Account Setting, then Security, then edit Secure Browsing.
Why do sites not use HTTPS more? Because it is more work for the server (which means a lot more servers for a big operation) and takes money and time to set up. Is it 100% safe? No but you are fairly well protected.
How can you be even better protected? Use Linux instead of Windows. But that is another story...