It has just occurred to me that when my Flex application does a ChannelSet.login, it is essentially sending the username and password over the wire in an unencrypted form to the BlazeDS server. While I use the binary AMF protocol over an AMFChannel, it would take nothing for somebody to sniff these passwords.
Most of my clients do not want to run their application on an https (SSL) protected site. So what is the best way to do this? I use Spring security on the backend to do authentication.
Should I encrypt the credentials myself before calling login? I guess then I would need to know the server-side encryption algorithm.
Thoughts?
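Added illustration, not part of the question above and not Flex or BlazeDS code: a Python simulation of the three options the question touches on. It assumes (my understanding of the Flex SDK, not confirmed by the post) that `ChannelSet.login` sends Base64 of `username:password` in the LOGIN CommandMessage body, which a sniffer decodes directly. It then shows why "encrypt before login" with a key that ships inside the client (`CLIENT_KEY`, `StaticTokenServer`, hypothetical names) still fails: the attacker never learns the password but simply replays the captured body. Finally it shows a nonce-based challenge-response (`ChallengeServer`, also hypothetical) that defeats passive replay, together with its limits. The `USERS` account is a constructed sample.

```python
"""Client-side credential protection without TLS: what a sniffer gets, and
why a replayable token is not a fix. Constructed simulation, not Flex code."""
import base64
import hashlib
import hmac
import os

USERS = {"alice": "s3cret"}  # constructed sample account, plaintext on purpose


# --- 1. What ChannelSet.login() is assumed to put on the wire: Base64 of
#        "username:password". Base64 is encoding, not encryption. ---
def login_body(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def sniff_credentials(body: str) -> tuple:
    """Anyone capturing the AMF frame recovers the credentials directly."""
    user, _, pw = base64.b64decode(body).decode().partition(":")
    return user, pw


# --- 2. "Encrypt it myself before login" with a key baked into the client.
#        The key is extractable from any SWF, but even if it were not,
#        the resulting body is a static token that can be replayed. ---
CLIENT_KEY = b"hypothetical-key-shipped-inside-the-swf"


def obfuscated_body(username: str, password: str) -> str:
    tag = hmac.new(CLIENT_KEY, f"{username}:{password}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


class StaticTokenServer:
    """Verifies the client-side tag; has no way to tell a replay apart."""

    def __init__(self, users: dict):
        self.users = users

    def login(self, body: str) -> bool:
        user, _, tag = body.partition(":")
        if user not in self.users:
            return False
        expected = hmac.new(CLIENT_KEY, f"{user}:{self.users[user]}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, expected)


def replay_static_token() -> bool:
    """Attacker replays one captured obfuscated body without knowing the
    password. Returns True because the server accepts it."""
    server = StaticTokenServer(USERS)
    captured = obfuscated_body("alice", "s3cret")  # seen once on the wire
    return server.login(captured)


# --- 3. Challenge-response: the server issues a single-use random nonce and
#        the client proves knowledge of the password with HMAC(password, nonce).
#        A passive sniffer cannot replay it, but note the caveats below. ---
class ChallengeServer:
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, tag: bytes) -> bool:
        issued = self.pending.pop(user, None)  # one use only
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        password = self.users.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def challenge_login_then_replay() -> tuple:
    """Legitimate login succeeds; replaying the same (nonce, tag) fails."""
    server = ChallengeServer(USERS)
    nonce = server.challenge("alice")
    tag = client_response("s3cret", nonce)
    first = server.login("alice", nonce, tag)
    replay = server.login("alice", nonce, tag)
    return first, replay


if __name__ == "__main__":
    print("sniffed:", sniff_credentials(login_body("alice", "s3cret")))
    print("static token replay accepted:", replay_static_token())
    print("challenge-response (first, replay):", challenge_login_then_replay())
```

Two caveats on option 3 that matter in practice: the server must hold the password (or a password-equivalent secret) to recompute the HMAC, which conflicts with storing only salted hashes as Spring Security normally does; and an active attacker on the path can still relay the exchange and read everything that follows the login, since only the credential proof is protected, not the session. It stops the passive password sniffing described in the question and nothing more.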