Does that mean when I login anyone can capture my credentials?
It's my understanding that the login credentials are not sent as plain text, even though the connection itself is unencrypted - the userid is a numeric reference and the password is hashed. However, if someone was able to capture the packets sent from your device to the pprune server, they could capture those elements and possibly use them to forge an authentication response. But they probably have better things to do.
SD