Index: /trunk/doc/manual/en_US/user_Security.xml
===================================================================
--- /trunk/doc/manual/en_US/user_Security.xml	(revision 36006)
+++ /trunk/doc/manual/en_US/user_Security.xml	(revision 36007)
@@ -28,6 +28,6 @@
           host remotely, connections to the web service (through which the API
           calls are transferred via SOAP XML) are not encrypted, but use plain
-          HTTP. For details about the web service, please see <xref
-          linkend="VirtualBoxAPI" />.</para>
+          HTTP. This is a potential security risk! For details about the web
+          service, please see <xref linkend="VirtualBoxAPI" />.</para>
         </listitem>
       </itemizedlist></para>
@@ -42,6 +42,7 @@
           <para>When using the VirtualBox extension pack provided by Oracle
           for VRDP remote desktop support, you can optionally use various
-          methods to configure RDP authentication. See <xref
-          linkend="vbox-auth" /> for details.</para>
+          methods to configure RDP authentication. The "null" method is
+          very insecure and should be avoided in a public network.
+          See <xref linkend="vbox-auth" /> for details.</para>
         </listitem>