Is this a stab at the fact that there's no hashing? Or that the credentials are pointless when you could just generate a random url to authenticate, since the HTTP channel is encrypted anyway?