I thought about this on the weekend some more and I am now convinced that this
is a very serious security problem more than a functional bug.
Leaking the Credentials into SNI is presenting it to attackers on the network
in clear text as well as producing a Protocol violation that is most probably
logged on the server side in clear text. So we bypass the encryption during
transmission and with some reasonable probability create a permanent record of
the username and password by causing a protocol violation (admitted, this is
not httrack's fault really, but still serious).
I am quite surprised that I can not find this mentioned before in the forums.
Either this is some flaw with the version I am using (will check with the
latest source) or noone seems to use httrack for websites requiring
authentication via SSL and SNI.