I have a website that used to work only over http, so since the connection was not secure, I used a CHAP authentication scheme to make logins more secure (even if the passwords were hashed, those hashes would have been sent in the clear otherwise, and could be intercepted to login with them, so using CHAP prevented that).
Since some time we're using https, so connections are encrypted. Isn't it redundant to keep using CHAP or is it still a good idea to keep using this scheme? (even if it makes logins a little more complicated, since you need the first step of getting the "challenge string" before the users send their login details, then concatenating and re-hashing the password string in the client before sending to the server).
My question arises because I'm going to develop an API which uses this website's database for the login information, and I don't want to make it more difficult than necessary for users of said API.
