>You're saying that communication is secure or just the authentication is secure after which is plain text communication?
If you're using Windows Auth, Windows passes an authorization token which is encrypted and by itself useless. So auth is secure even without encryption.
My point is that if you're passing sensitive data you shuold always encrypt it. I think that if you require authentication to access a Web Service it seems logical that the data is sensitive <g>...