In "Client Service Request," step 4, do the client and server encrypt requests to one another for the purpose of providing the service, or are service requests implicitly sent in the clear, and authenticated by IP address only? How much do the server and client have to worry about a middleman hijacking the session after the authentication process is complete?