Comment 1 for bug 476480

Joke de Buhr (joke) wrote :

Any kind of user authentication over unencrypted transports exposes passwords or at least hashes of passwords. Even in company intranets this is a potential security risk. Villains may use Wireshark to record foreign branching operations and capture the whole content of a Bazaar branch regardless of authentication information or anonymous read access.

If a company trusts its intranet users they should use a public writeable Bazaar smart server over bzr://. They are easily set up.