Correct, unless you implement some form of custom authentication, passwords and usernames are sent in clear-text when logging in to Confluence.
SSL for the win :-)
Someone else can step in and correct me if I'm wrong, but I decided to explore this a little. However, it's very possible I do not understand how auth works with Confluence (or with servers in general), so take this for what it's worth (almost nothing).
If you request the admin URL:
http://yoursite.com/confluence/authenticate.action?destination=/admin/console.action
Now turn on your network monitor (in my case, I used Chrome's Network tab), enter your password, and click "Confirm".
Then look at the request; it looks like it is NOT encrypted. Here's a dump of my request. The password is in the form data, in plain text:
Request URL:http://yoursite.com/confluence/doauthenticate.action
Request Method:POST
Status Code:200 OK

Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:82
Content-Type:application/x-www-form-urlencoded
Cookie:confluence.browse.space.cookie=space-pages; <snip>
Host:yoursite.com
Origin:http://yoursite.com
Referer:http://yoursite.com/confluence/authenticate.action?destination=/admin/console.action
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5

Form Data
password:PASSWORD
authenticate:Confirm
destination:/admin/console.action
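An added example, not part of the posts above and not Atlassian code: a Python check that reads a HAR export of the kind Chrome's Network tab produces and reports form posts that carry a password-like field over plain http://. The sample HAR and the list of field-name hints are constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Substrings that mark a form field as a secret (assumption; extend for your forms).
SENSITIVE_HINTS = ("password", "passwd", "pwd")

def form_field_names(post_data):
    """Return field names from a HAR postData object (params list or raw body)."""
    if post_data.get("params"):
        return [p["name"] for p in post_data["params"]]
    if "x-www-form-urlencoded" in post_data.get("mimeType", ""):
        body = post_data.get("text") or ""
        return [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    return []

def cleartext_credential_posts(har):
    """List (url, [field names]) for secret-bearing form bodies sent without TLS."""
    findings = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        if urlsplit(request["url"]).scheme.lower() != "http":
            continue  # https: the body is encrypted in transit
        secret_fields = [n for n in form_field_names(request.get("postData", {}))
                         if any(hint in n.lower() for hint in SENSITIVE_HINTS)]
        if secret_fields:
            # Report field names only; never echo the captured values.
            findings.append((request["url"], secret_fields))
    return findings

# Constructed sample modelled on the request dump above (not a real capture).
FORM = "application/x-www-form-urlencoded"
BODY = "password=PASSWORD&authenticate=Confirm&destination=%2Fadmin%2Fconsole.action"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "http://yoursite.com/confluence/authenticate.action"}},
    {"request": {"method": "POST",
                 "url": "http://yoursite.com/confluence/doauthenticate.action",
                 "postData": {"mimeType": FORM, "text": BODY}}},
    {"request": {"method": "POST",
                 "url": "https://yoursite.com/confluence/doauthenticate.action",
                 "postData": {"mimeType": FORM, "text": BODY}}},
]}}

if __name__ == "__main__":
    print(json.dumps(cleartext_credential_posts(SAMPLE_HAR), indent=2))
```

Only the http:// POST is reported; the same form sent to the https:// URL is skipped because TLS protects the body in transit.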