Well, for one without SSL you also send the oauth token to log into chat unencrypted, which at least has chat access but possibly also other scopes associated with it. It could of course be revoked if someone unauthorized would get hold of it, but some damage could already be done.
1 Like