yep. they could have at least supported SASL to have the login info encrypted and then transport the rest of the stream unencrypted, but they did not.