How do you want to do a MitM attack with a plaintext password send over HTTPS?!?
HTTPS protects in theory against MitM attacks not in practice.
Many programs (especially hastily coded bots) do not care about the
validity of a certificate. They also do not care if they are redirected
to HTTP. ARP spoofing and fake DNS responses in most cases are
sufficient to overcome HTTPS.
Also there is always junk in the trust chains, see eg:
https://bugzilla.mozilla.org/show_bug.cgi?id=724929
Therefore I treat HTTPS from a certain level of security just as plain
text. Particularly to protect myself from my own stupidity. How quickly
HTTPS becomes HTTP. A typo or an insufficiently configured proxy can do
that in a second. Seen it all. See it every day.
Security has mainly to do with robustness. Although transport layer
security is basically safe, it is fragile in real life and it depends on many
factors, whether HTTPS is really safe.
On the other hand, that they don't support API keys restricted to specific functions (trade/withdrawal/..) is indeed a severe limitation.
Yes, this is really bad.
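A client written the way the reply above argues a bot should be written, as an added example that is not from the original thread: certificate and hostname validation stay on, a redirect from https:// to http:// aborts instead of being followed, and a plain http:// URL (the "typo" case) is refused up front. Standard library only; the URLs in the code and test are constructed placeholders.

```python
# Added example, not from the original post: an HTTPS client that refuses the two
# failure modes described in the thread, an unvalidated certificate and an
# HTTPS -> HTTP downgrade via redirect. Standard library only.
import ssl
import urllib.request
from urllib.parse import urljoin, urlparse


class DowngradeError(Exception):
    """Raised when a request or redirect would leave HTTPS."""


def redirect_allowed(origin_url, location):
    """Return the absolute redirect target if it stays on HTTPS, else raise.

    `location` may be relative; it is resolved against the origin URL.
    """
    target = urljoin(origin_url, location)
    if urlparse(origin_url).scheme == "https" and urlparse(target).scheme != "https":
        raise DowngradeError(f"refusing redirect from {origin_url} to {target}")
    return target


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that aborts on a downgrade; the stock handler would follow it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        redirect_allowed(req.full_url, newurl)  # raises DowngradeError on downgrade
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    # create_default_context() sets CERT_REQUIRED, enables hostname checking and
    # loads the system trust store. Never pass a context with these loosened.
    ctx = ssl.create_default_context()
    # A subclass of a default handler replaces that default in build_opener().
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        NoDowngradeRedirectHandler(),
    )


def fetch(url, timeout=10):
    """Fetch `url` over HTTPS only; a typo'd http:// URL never reaches the wire."""
    if urlparse(url).scheme != "https":
        raise DowngradeError(f"refusing to talk plaintext to {url}")
    with build_opener().open(url, timeout=timeout) as resp:
        return resp.read()
```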