
Support SSL/HTTPS connections

Posted: Sat Mar 11, 2017 12:08 am
by gchale3rd
I'm using the Oxygen XML Editor 18.0 to create/edit DITA topics that are hosted on easyDITA. Oxygen is configured to connect to easyDITA using the WebDAV FTP data source. A recent security scan by our company security team revealed that Oxygen is sending clear text passwords to easyDITA. I have read some other posts about this same type of issue, so I wanted to add my name to the list of people who would like to see Oxygen add support for certificate-based client authentication over SSL/HTTPS.

Thanks,

George

Re: Support SSL/HTTPS connections

Posted: Mon Mar 13, 2017 12:14 pm
by adrian
Hi,
> A recent security scan by our company security team revealed that Oxygen is sending clear text passwords to easyDITA.
If you're accessing the server via HTTP with basic authentication, then you should know that this is the norm: the password is either in clear text (or base64 encoded, if digest is used), but it is never encrypted. It's not something that Oxygen does wrong; this is the actual standard for basic authentication over HTTP.
If you are using the server across the Internet and packet sniffing is a concern (a clear text password can be exposed), the server should be configured to only accept HTTPS connections. Do note that, for this particular concern, it is sufficient to use HTTPS, preferably with a server-side certificate from a proper authority, together with password authentication. In this case the password is also sent within the encrypted SSL connection, so it's no longer subject to packet sniffing.
> I have read some other posts about this same type of issue, so I wanted to add my name to the list of people who would like to see Oxygen add support for certificate-based client authentication over SSL/HTTPS.
I've logged another vote for implementing support for HTTPS with certificate-based client authentication and mentioned your concerns on our issue tracking tool.
Until we support certificate-based client authentication in Oxygen, I would recommend using at least HTTPS with password authentication.

Regards,
Adrian
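The kind of check the security scan in this thread would have run, as an added example (not code from the thread, from Oxygen or from easyDITA): it inspects captured TCP payloads and reports what a passive observer on the network path learns from a WebDAV request. The three captures are constructed for illustration; the host dita.example.com, the user "alice" and her password, the nonce/response hex strings and the path /dav/topics/ are all invented. It shows why Basic over plain HTTP is flagged as a clear text password (base64 is an encoding, not encryption), what Digest exposes instead, and why the same request over HTTPS gives a sniffer nothing to parse.

```python
"""Check captured HTTP requests for credentials that are readable on the wire.

Added example for this thread; not code from Oxygen, easyDITA or the forum
posters. The captures below are constructed: host, user, password, nonce,
response and WebDAV path are invented. A real scan would feed in TCP
payloads from a capture file instead.
"""
import base64
import re

# Constructed capture 1: WebDAV PROPFIND over plain HTTP with Basic auth.
# "YWxpY2U6czNjcjN0IVBhc3M=" is base64("alice:s3cr3t!Pass"); anyone on the
# path can reverse it, since base64 is an encoding, not encryption.
BASIC_REQUEST = (
    b"PROPFIND /dav/topics/ HTTP/1.1\r\n"
    b"Host: dita.example.com\r\n"
    b"Depth: 1\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0IVBhc3M=\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed capture 2: the same request with Digest auth. The password is
# not itself on the wire, only an MD5-based response to a server nonce.
DIGEST_REQUEST = (
    b"PROPFIND /dav/topics/ HTTP/1.1\r\n"
    b"Host: dita.example.com\r\n"
    b'Authorization: Digest username="alice", realm="easyDITA", '
    b'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c0", uri="/dav/topics/", '
    b'algorithm=MD5, response="6629fae49393a05397450978507c4ef1"\r\n'
    b"\r\n"
)

# Constructed capture 3: first bytes of the same client talking HTTPS. A TLS
# record starts with content type 0x16 (handshake) and major version 0x03;
# the whole HTTP request, Authorization header included, is inside the
# encrypted channel.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"

DIGEST_PARAM_RE = re.compile(rb'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_capture(raw: bytes) -> dict:
    """Report what a passive observer learns from one captured TCP payload."""
    finding = {"request": None, "scheme": None, "username": None,
               "password": None, "note": "no credentials in request"}
    if raw[:1] == b"\x16" and raw[1:2] == b"\x03":
        finding["note"] = "TLS record: HTTP headers not visible to a sniffer"
        return finding
    request_line, headers = parse_request(raw)
    finding["request"] = request_line.decode(errors="replace")
    auth = headers.get(b"authorization")
    if auth is None:
        return finding
    scheme, _, param = auth.partition(b" ")
    scheme = scheme.lower()
    if scheme == b"basic":
        # RFC 7617: base64(user ":" password), trivially reversible.
        try:
            userpass = base64.b64decode(param.strip(), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            finding.update(scheme="Basic", note="malformed Basic credentials")
            return finding
        user, _, password = userpass.partition(b":")
        finding.update(scheme="Basic",
                       username=user.decode(errors="replace"),
                       password=password.decode(errors="replace"),
                       note="password recoverable from capture")
    elif scheme == b"digest":
        params = {k.decode(): (q or u).decode(errors="replace")
                  for k, q, u in DIGEST_PARAM_RE.findall(param)}
        finding.update(scheme="Digest", username=params.get("username"),
                       note="username and MD5 response visible; password "
                            "only recoverable by offline guessing")
    else:
        finding.update(scheme=scheme.decode(errors="replace"),
                       note="unrecognised scheme, credentials not decoded")
    return finding


def cleartext_passwords(captures) -> list:
    """(user, password) pairs a scan would flag as sent in clear text."""
    return [(f["username"], f["password"])
            for f in map(inspect_capture, captures) if f["password"] is not None]


if __name__ == "__main__":
    samples = [BASIC_REQUEST, DIGEST_REQUEST, TLS_CLIENT_HELLO_PREFIX]
    for capture in samples:
        print(inspect_capture(capture))
    print("cleartext:", cleartext_passwords(samples))
```

Only the Basic capture yields a (user, password) pair; the Digest capture yields the username plus a hash an attacker could still guess against offline, and the TLS capture yields nothing, which is the point of Adrian's advice to put the same password authentication behind HTTPS until client-certificate authentication is available.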