All data exchanged with clients over public links should be considered "tainted": anything you send to the client (hidden form fields, cookies, URL parameters) can be altered before it comes back, so all input should be rigorously checked. SSL will not solve problems of authentication, nor will it protect data once it has reached the client. Consider all input hostile until proven otherwise and code accordingly.
base64-encoded strings; instead the server sends a nonce (a fresh challenge) and the client combines it with the username, realm, password and request details into an MD5 digest, which is what travels over the wire. With Digest authentication we no longer have to worry about the universally decodable base64 string that Basic authentication uses.
Note: this does not mean it is acceptable to send passwords over a non-HTTPS connection; Digest authentication is only a safety net if you do so. The digest is plain MD5 over the password and values that are visible on the wire, so an eavesdropper who captures one exchange can still mount an offline dictionary attack against it, and Digest does nothing to authenticate the server to the client.
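The following is an added example, not code from the original page: it shows why a Basic header is trivially decodable, how the Digest response (RFC 2617, qop=auth) is computed by the client and verified by the server with nonce and nonce-count tracking, and what an eavesdropper who captured one Digest exchange can still do offline. The realm, usernames, passwords, nonce and client nonce values are constructed for the illustration; the server stores cleartext passwords only to keep the example short (a real deployment would store the HA1 value instead).

```python
import base64
import hashlib
import hmac
import secrets


def basic_header(username, password):
    """Build the Authorization header Basic auth sends: encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header):
    """Anyone who sees a Basic header recovers the credentials; no secret is involved."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side Digest computation (RFC 2617 with qop=auth)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # only this part involves the secret
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issue nonces, verify responses, reject replays."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users        # username -> cleartext password (illustration only)
        self.nonces = {}          # nonce -> highest nonce-count accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.nonces:          # unknown or never issued nonce
            return False
        count = int(nc, 16)
        if count <= self.nonces[nonce]:       # replayed (or out-of-order) nonce-count
            return False
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces[nonce] = count
        return True


def offline_guess(wordlist, username, realm, method, uri, nonce, nc, cnonce, captured_response):
    """What an eavesdropper can still do with one captured Digest exchange: every input
    except the password is visible on the wire, so candidate passwords can be tried offline."""
    for guess in wordlist:
        if digest_response(username, realm, guess, method, uri, nonce, nc, cnonce) == captured_response:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", decode_basic(hdr))

    server = DigestServer("example", {"alice": "s3cret"})
    nonce = server.challenge()                       # sent in WWW-Authenticate
    cnonce = "0a4f113b"                              # constructed client nonce
    resp = digest_response("alice", "example", "s3cret", "GET", "/private", nonce, "00000001", cnonce)
    print("first request accepted:", server.verify("alice", "GET", "/private", nonce, "00000001", cnonce, resp))
    print("replay accepted:", server.verify("alice", "GET", "/private", nonce, "00000001", cnonce, resp))
    print("offline guess:", offline_guess(["hunter2", "s3cret"], "alice", "example", "GET", "/private", nonce, "00000001", cnonce, resp))
```

The replay check is the part practitioners most often leave out: without tracking the nonce-count per nonce, a captured Authorization header can simply be resent. The offline_guess function is the caveat from the note made concrete; over plain HTTP it works against any Digest exchange the attacker can observe, which is why Digest is a safety net rather than a substitute for TLS.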