The documentation for the uploader also gives the example server URL with http, which is especially bad because that means the password can easily be intercepted. Luckily specifying https does work and makes it a bit more secure.
Nevertheless it would be better not to expose to password in the logs or any GET parameters (as this ends up in webserver logs, or proxies).