Our current auth system on master is outdated and cumbersome. Something like OpenID Connect (not the broken OpenID 1.0, of course) would make a lot of sense for us.
The current posttohost() function, used in various places to post data back to master, does not support SSL. Rewrite it using internal streams and, once that is done, fix the master config so that it rejects anything not sent over SSL.
Barring a quick OpenID Connect implementation as per above, clean up password handling on master to not use crypt/md5.
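
One way to do the crypt/md5 cleanup without forcing a password reset, shown as an added example that is not the project's own code: verify against the legacy format at login, then re-hash with PHP's `password_hash()`. It assumes master runs PHP and that "crypt/md5" covers both crypt()-format hashes and bare md5() digests; the function names and sample records are hypothetical.

```php
<?php
// Added example: upgrade legacy hashes at login. All names are hypothetical.

/** Check a password against a stored hash in any of the supported formats. */
function verify_stored(string $password, string $stored): bool
{
    // Assumption: a bare 32-hex-digit value is an unsalted md5() digest.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return hash_equals(strtolower($stored), md5($password));
    }
    // password_verify() also checks crypt()-format hashes such as $1$ (MD5-crypt).
    return password_verify($password, $stored);
}

/**
 * Returns [authenticated, hashToStore]. hashToStore is non-null only when
 * the login succeeded and the stored value should be replaced.
 */
function login_and_upgrade(string $password, string $stored): array
{
    if (!verify_stored($password, $stored)) {
        return [false, null];
    }
    // Legacy formats always report "needs rehash" against PASSWORD_DEFAULT.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed sample records, not real data.
$users = [
    'alice' => crypt('correct horse', '$1$abcdefgh$'),  // MD5-crypt
    'bob'   => md5('hunter2'),                           // bare md5
];

foreach ([['alice', 'correct horse'], ['bob', 'hunter2'], ['bob', 'wrong']] as [$user, $pw]) {
    [$ok, $new] = login_and_upgrade($pw, $users[$user]);
    if ($new !== null) {
        $users[$user] = $new;   // persist the upgraded hash
    }
    printf("%s: %s, stored prefix now %s\n", $user, $ok ? 'ok' : 'denied', substr($users[$user], 0, 4));
}
```

Accounts that never log in keep their legacy hash, so the legacy branch can only be removed after those accounts are reset or expired.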