Bob is correct that it's better to err on the side of caution, but I disagree. Bob may be right in this case (see Details below), but the problem with his general approach is that he ignores the cost of paranoia. He leaves "peace dividends" on the table. I prefer Bruce Schneier's assessment that this is a trade-off.
Short answer
Start replicating now! Don't worry about HTTPS.
The biggest risk is not sniffing the wire, but your own human error, followed by software errors that can destroy or corrupt your data. Make a backup! If you will be replicating regularly, plan to switch to HTTPS or something similar (SSH tunnel, stunnel, VPN).
Details
Is HTTPS easy with CouchDB 1.1? It's about as easy as HTTPS ever is, or in other words, no, it's not easy.
You need to make an SSL key pair and buy a certificate, or start your own certification authority; you are, of course, not so foolish as to self-sign! The user's hashed password is plainly visible from your remote couch! To protect against hacking, will you implement two-way SSL authentication? Does CouchDB support this? Maybe you need a VPN? How about the security of your key files? Don't check them into Subversion! And don't bundle them into the EC2 AMI! That defeats the purpose. You must keep them separate and safe. When deploying or restoring from a backup, copy them over manually. Also, password-protect them, so that if someone gets the files, they cannot steal (or, even worse, change!) your data. When you start CouchDB or replicate, you must manually enter the password before replication will work.
In short, every security solution has a cost.
A similar question: "Should I lock my house at night?" It depends. Your profile says you are in Tucson, so you know that some areas are safe and others are not. It is always safer to lock all your doors all the time. But what is the cost in your time and mental health? The analogy breaks down a little, because the time spent on security in the worst case is much more than turning a deadbolt.
Amazon EC2 is a moderately safe neighborhood. The main risks are opportunistic, widespread scans for common mistakes. Basically, organized crime scans for common SSH accounts and web applications such as WordPress, so they can use a credit card or other database.
You are a small fish in a gigantic ocean. Nobody cares about you specifically. Unless you are specifically targeted by a government or organized crime, or someone with resources and motivation (hey, this is CouchDB; it happens!), it is ineffective to worry about the bogeyman. Your opponents cast wide nets to get the biggest catch. Nobody is spearfishing.
I think of it like integral calculus from high school: measuring the area under the curve. Time goes to the right (x axis). Risk goes up (y axis). When you do something risky, you save time and effort, but the graph goes up. When you do something the safe way, it takes time and effort, but the graph goes down. Your goal is to minimize the long-term area under the curve, but each decision depends on the specific case. Every day, most Americans drive cars: the most dangerous behavior in American life. We intuitively understand the trade-off between risk and reward. Internet activity is the same.
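As an added example, not part of the answer above: the "SSH tunnel" option mentioned in the short answer, scripted in POSIX shell. It forwards a loopback port on the local machine to the remote couch's port 5984 over ssh, then asks the local CouchDB to replicate to the tunnelled endpoint, so the replicator itself only ever speaks plain HTTP to 127.0.0.1 while ssh carries the bytes across the internet. The hostname `remote.example.com`, the ssh user `ec2-user`, the tunnel port 5985 and the database name `mydb` are assumptions for illustration; the response-checking logic is mine, not CouchDB's.

```shell
#!/bin/sh
# Added example: CouchDB replication through an SSH local port forward.
# Assumed names (not from the original answer): REMOTE_HOST, REMOTE_USER,
# TUNNEL_PORT and DB can be overridden from the environment.
REMOTE_HOST="${REMOTE_HOST:-remote.example.com}"
REMOTE_USER="${REMOTE_USER:-ec2-user}"
LOCAL_COUCH="http://127.0.0.1:5984"
TUNNEL_PORT="${TUNNEL_PORT:-5985}"
DB="${DB:-mydb}"

# Build the JSON body for POST /_replicate. The target is the remote couch
# as seen through the tunnel, i.e. a loopback address on this machine.
replication_doc() {
  src="$1"; tgt="$2"
  printf '{"source":"%s","target":"%s","create_target":true}' "$src" "$tgt"
}

# Open the forward: 127.0.0.1:TUNNEL_PORT here -> 127.0.0.1:5984 on the
# remote box. -N: no remote shell; -f: background after the forward is up;
# ExitOnForwardFailure makes ssh return non-zero if the port is taken.
# Binding to 127.0.0.1 keeps the forwarded port off the instance's
# public interfaces.
open_tunnel() {
  ssh -f -N -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:${TUNNEL_PORT}:127.0.0.1:5984" \
      "${REMOTE_USER}@${REMOTE_HOST}"
}

# Success means the response says "ok":true AND the replication history
# reports zero doc_write_failures (a missing counter is treated as zero).
# Anything else, including an {"error":...} body, is a failure.
replication_ok() {
  body="$1"
  printf '%s' "$body" | grep -q '"ok":true' || return 1
  failures=$(printf '%s' "$body" \
    | sed -n 's/.*"doc_write_failures":\([0-9]*\).*/\1/p' | head -n 1)
  [ -z "$failures" ] && failures=0
  [ "$failures" -eq 0 ]
}

# Bring the tunnel up, kick off replication on the local couch, and check
# the result. The remote couch never sees a connection from the internet;
# it sees ssh's forwarded connection arriving on its own loopback.
run_replication() {
  open_tunnel || { echo "could not open ssh tunnel" >&2; return 1; }
  body=$(replication_doc "$DB" "http://127.0.0.1:${TUNNEL_PORT}/${DB}")
  resp=$(curl -s -X POST "${LOCAL_COUCH}/_replicate" \
           -H 'Content-Type: application/json' -d "$body")
  if replication_ok "$resp"; then
    echo "replication finished cleanly"
  else
    echo "replication reported a problem: $resp" >&2
    return 1
  fi
}

# Only act when invoked as "sh script.sh run", so sourcing the file is safe.
if [ "${1:-}" = run ]; then
  run_replication
fi
```

Run it as `sh replicate.sh run` once ssh key access to the remote host works. The remote couch can then stay bound to 127.0.0.1 with no public port open at all; the remaining cost, as the answer says, is guarding the ssh key the same way you would guard an SSL key.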