I'd like to get some feedback from you fine folks. I haven't been around much lately - busy building my business, but am pushing myself to an area that I'm new to and would like to get some feedback.

I'm developing a REST web service. It requires authentication to interact with the service, so when a user signs up I assign them an API key and an API secret. I provide the REST client, which is a program installed into a CMS. The user has to enter the key and secret, along with their username, into the client, and theoretically I have a two-way authentication system. I have plans to actually alter it to OAuth soon.

My main question is how secure is this information while in transit from one site to another site? As a REST service, it serves information using XML. So everything is plaintext. The information is sensitive, so I could pass it over SSL. However, it's still plaintext, and that's not always an option for every website.

What kinds of things might I need to look out for? Obviously things like false requests and code injections, but is anyone with more experience or knowledge in this area able to shed any more light on the topic?

Thanks!
Jeremy