Looking at many example scripts, the DDNS scripts send the user and password over http. Is the password encrypted or sent in plaintext and what about using https?
Regardless of whether the credentials are in the URL, or in the request headers (which is the case for HTTP basic authentication), they’re part of the HTTP request.
With that in mind, yes, if you’re using HTTP, the credentials are sent in plain text. If the DDNS service you’re using offers an HTTPS equivalent, you can use that one instead. HTTPS encrypts the whole HTTPS request and response, so the credentials are safe.
so if https is supported i just use mode=https and in the url i use https:// ?
Yes.
Though you don’t need to specify mode=https, that’s inferred from the URL.