SyncEvolution sends Basic Auth in its initial request, to avoid round-trips. If http with Digest Auth is used, then this behavior exposes the credentials. SyncEvolution should only send Basic Auth over https.
See bug #56240 comment #4.
Fix is in master, will be in 18.104.22.168:
Author: Patrick Ohly <email@example.com>
Date: Mon Mar 4 07:05:56 2013 -0800
WebDAV: don't send Basic Auth via http (FDO #57248)
Sending basic authentication headers via http is insecure.
Only do it when the connection is encrypted and thus
protects the information.
The commit introduced a regression, fixed in this:
WebDAV: send Basic Auth via http in some cases (FDO #57248)
It turned out that finding databases on an Apple Calendar server accessed via
http depends on sending Basic Auth even when the server does not ask for it:
without authentication, there is no information about the current principal,
which is necessary for finding the user's databases.
To make this work again, sending the authentication header is now forced for
plain http if (and only if) the request which should have returned the
principal URL fails to include it. This implies sending the same request
twice, but as this scenario should be rare in practice (was only done for
testing), this is acceptable.
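The two rules described in the commit messages above (preemptive Basic Auth only over TLS, and a forced second request over plain http only when the principal lookup came back without a principal) can be modelled as a small decision routine. The following is an added example written for this page, not SyncEvolution's own code (which is C++ on top of neon); the mock servers, the `send_request` callback, the user name, password and principal paths are all constructed for the demonstration.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(user: str, password: str) -> str:
    """Build an RFC 7617 Basic credential; the value is only base64, not encryption,
    which is why sending it unasked over cleartext http leaks the password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def preemptive_basic_auth_allowed(url: str, force: bool = False) -> bool:
    """First commit's rule: credentials go out without a challenge only when the
    transport is encrypted. Second commit's exception: the caller may force it
    for plain http after a principal lookup without credentials came back empty."""
    return urlsplit(url).scheme.lower() == "https" or force


def discover_principal(url: str, user: str, password: str, send_request):
    """Look up the current-user principal, sending cleartext Basic Auth only as a
    last resort. `send_request(url, headers)` is an assumed callback returning a
    dict with an optional 'principal' key. Returns (principal, list of header
    dicts actually sent) so the caller can audit what went over the wire."""
    sent = []

    def attempt(force: bool):
        headers = {}
        if preemptive_basic_auth_allowed(url, force):
            headers["Authorization"] = basic_auth_header(user, password)
        sent.append(dict(headers))
        return send_request(url, headers).get("principal")

    principal = attempt(force=False)
    if principal is None and urlsplit(url).scheme.lower() == "http":
        # The only path on which Basic Auth is sent over cleartext: the same
        # request is repeated with the header, as the regression fix describes.
        principal = attempt(force=True)
    return principal, sent


# Constructed mock of an Apple-Calendar-style server: it never sends a 401
# challenge and only reports the principal when credentials are already present.
def apple_like_server(url, headers):
    if "Authorization" in headers:
        return {"status": 207, "principal": "/principals/users/alice/"}
    return {"status": 207}


# Constructed mock of a server whose challenge/response (e.g. Digest) is handled
# by the HTTP library, so the principal comes back without preemptive Basic Auth.
def digest_style_server(url, headers):
    return {"status": 207, "principal": "/principals/users/alice/"}


if __name__ == "__main__":
    for scheme in ("https", "http"):
        url = f"{scheme}://calendar.example.invalid/"
        principal, sent = discover_principal(url, "alice", "secret", apple_like_server)
        print(scheme, principal, [("Authorization" in h) for h in sent])
```

Over https the lookup succeeds in one request that carries the header; over http against the Apple-style mock it takes two requests, the first without credentials, and against the Digest-style mock it finishes in one request that never exposes the password.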