As today's IoT devices flood home networks, I find it more and more disturbing to connect every client via an unencrypted TCP/IP connection with user credentials transmitted in the open. Every device on the network is able to capture those credentials and transmit them somewhere.
Your credentials are not being passed out in the open unless you have enabled Basic authentication -- the Indigo server uses Digest authentication by default, which isn't going to send your password in plain text across the network. So no other devices are going to be monitoring and capturing your password.
I think at least an SSL connection would be standard nowadays.
I do agree that adding SSL would be good, though this would only protect things calling back into Indigo, do you really have that many IoT devices making a connection TO Indigo? Maybe you do, not dismissing that, just mentioning because most plugins reach out from the Indigo server and having SSL there would not be beneficial in that instance.
So are there any plans to do it? Is there any workaround that I am not aware of?
There are workarounds, but they are not that easy and not a quick solution. Look, for instance, in the forum for "Reverse Proxy" and you should see some setups and examples. Obviously using the Reflector service provides an SSL connection from the outside as well.
Note that I am not disagreeing with you by any means, I agree that SSL would be nice to have - encrypting the traffic itself when possible (even if passwords are not in it) is definitely a good thing. Just providing a little more insight...
Adam
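
The difference between the two schemes discussed in this thread, shown as an added example that is not part of the original posts and not Indigo's code: it builds the `Authorization` value a client would send under Basic and under Digest. It assumes the MD5, `qop=auth` form of Digest from RFC 2617; the credentials, realm and nonces are the RFC sample values, not Indigo settings.

```python
import base64
import hashlib


def basic_header(user, password):
    # Basic: base64 of "user:password". This is an encoding, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    # Anyone who sees the header on the wire can reverse it with no key.
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # Digest (RFC 2617, qop=auth): only a hash keyed by the server's nonce
    # is sent. The password itself never appears in the request.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


if __name__ == "__main__":
    # Constructed sample values taken from the RFC examples.
    hdr = basic_header("Aladdin", "open sesame")
    print("Basic on the wire :", hdr)
    print("Recovered from it :", decode_basic(hdr))

    args = ("Mufasa", "testrealm@host.com", "Circle Of Life",
            "GET", "/dir/index.html")
    first = digest_response(*args, "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                            "00000001", "0a4f113b")
    # A fresh server nonce yields a different response, so a captured
    # value cannot simply be replayed against a new challenge.
    second = digest_response(*args, "constructed-fresh-nonce",
                             "00000001", "0a4f113b")
    print("Digest response   :", first)
    print("With a new nonce  :", second)
```

Digest keeps the password out of the request, but the request and response bodies still travel unencrypted over plain HTTP, which is the gap the reverse-proxy and Reflector options mentioned above close.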