Control Compliance Suite

  • 1.  LDAP Port 3890

    Posted Jul 27, 2016 11:00 AM

    The CCS APP server uses LDAP port 3890 for directory service.

    How can we prove this communication occurs over a secure link?



  • 2.  RE: LDAP Port 3890
    Best Answer

    Posted Jul 28, 2016 06:50 AM

    Hi UserN,

    Communication over 3890 is not "secure" by default; for that you have the SSL port 6360 (which needs additional configuration to work). However, things are not just that simple when saying "communication over 3890 is not secure", because:

    • If you have CCS Console, DS and AS all on the same machine, you do not need to worry.
    • If you have CCS Console and/or DS on a different machine but in the same secure internal LAN, then note that even though the traffic is not encrypted, the authentication credentials are, because simple bind does not work for DS; you can authenticate only using secure credentials (your domain user name). Since the rest of the traffic can be seen, for example assets when you search for them, that is no more insecure than the rest of the traffic on your LAN. Unless you do not trust your LAN or have specific regulatory requirements, you're fine.
    • If you have CCS Console and/or DS on a different machine and the connection to AS is over an untrusted network, then do not think about "insecure" 3890 and immediately implement SSL.


    The way I tested the above was by connecting to the CCS APP server (running the LDS instance) from a second machine using ldp.exe and sniffing traffic using Wireshark directly on the CCS APP server. However, a real test would be having CCS Console on one server, CCS DS on another and CCS APP server on a third machine, and then sniffing traffic on each to see if any usable data is revealed. However, I'm not able to build such a test environment; if you have the resources to do that, I encourage you to, it will be a great learning activity.
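    The ldp.exe-plus-Wireshark check described in the answer can be reduced to a small script. The following is an added example, not code from the thread or from the CCS product: it builds a minimal rootDSE SearchRequest (RFC 4511 BER encoding), sends it in cleartext to the LDAP port and classifies the reply by its first bytes exactly as a packet capture would, and separately completes a certificate-verified TLS handshake against the SSL port. Host names and the port defaults 3890/6360 are placeholders taken from the thread; the helper and function names are this example's own.

```python
# Added example (not from the original thread): which AD LDS port answers in
# cleartext LDAP and which negotiates TLS. Host values are placeholders.
import socket
import ssl


def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV using the short length form (< 128 bytes), enough for these messages."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def rootdse_search_request(msg_id: int = 1) -> bytes:
    """LDAPMessage carrying a base-scope SearchRequest for the rootDSE (RFC 4511)."""
    search = (
        tlv(0x04, b"")               # baseObject: "" (rootDSE)
        + tlv(0x0A, b"\x00")         # scope: baseObject
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + tlv(0x02, b"\x00")         # sizeLimit: 0
        + tlv(0x02, b"\x00")         # timeLimit: 0
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present [7] -> (objectClass=*)
        + tlv(0x30, b"")             # attributes: none requested
    )
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))


def classify(first_bytes: bytes) -> str:
    """Classify the first bytes seen on the wire, as a capture would show them:
    a BER SEQUENCE (0x30) is cleartext LDAP; a TLS record header is TLS."""
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes[:1] == b"\x30":
        return "ldap-cleartext"
    return "unknown"


def probe_cleartext(host: str, port: int = 3890, timeout: float = 5.0) -> str:
    """Send a cleartext rootDSE query; on 3890 the reply itself classifies as cleartext."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(rootdse_search_request())
        return classify(sock.recv(16))


def probe_tls(host: str, port: int = 6360, timeout: float = 5.0) -> str:
    """Complete a certificate-verified TLS handshake and report the negotiated version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or "unknown"
```

    A result of "ldap-cleartext" from probe_cleartext is the same evidence the Wireshark capture gives; a TLS version string from probe_tls against 6360 shows the SSL port is configured and presents a certificate the client trusts.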