Disabled TLS Certificate Verification
Disabling TLS certificate verification keeps traffic encrypted but unauthenticated, exposing it to man-in-the-middle interception and tampering. Keep verification on and fix the root cause by trusting the proper CA or installing valid certificates.
Disabled TLS certificate verification is the practice of configuring an HTTPS client to skip validating the server's certificate — verify=False, InsecureSkipVerify: true, a trust-all TrustManager, curl -k, or rejectUnauthorized: false. Doing so keeps the connection encrypted but removes authentication, so the client can no longer tell whether it is talking to the real server or an attacker in the middle.
Why It Happens
It is the fastest way to make a TLS error go away. Self-signed certificates in development, expired or misconfigured certs, corporate TLS-inspecting proxies, and clock skew all produce verification failures, and disabling the check unblocks work immediately. The flag is copied from a Stack Overflow answer into production code, or set globally during testing and never removed. The connection still appears to work, hiding the loss of protection.
Why It Hurts
Certificate verification is what makes HTTPS trustworthy: it proves the server's identity and prevents man-in-the-middle attacks. With verification off, anyone positioned on the network — a malicious Wi-Fi hotspot, a compromised router, an ARP-spoofing attacker — can present their own certificate, decrypt and read the traffic, steal credentials and tokens, and silently alter responses. The channel is encrypted but to the wrong party. The danger is invisible: everything works in testing, and the gap is only exploited by an active attacker.
Warning Signs
- Code or config contains
verify=False,InsecureSkipVerify,rejectUnauthorized: false, or trust-all certificate managers. - Scripts call
curl -korwget --no-check-certificateagainst real services. - A global flag disables verification for an entire process.
- Verification was disabled to work around a specific cert problem and never re-enabled.
Better Alternatives
Keep verification on and fix the underlying certificate issue. For internal services with private CAs, add the CA to the client's trusted bundle rather than disabling checks. Use valid certificates everywhere (Let's Encrypt makes this free and automatic); rotate before expiry. For TLS-inspecting proxies, install the proxy's CA in the trust store. For high-assurance connections, add certificate or public-key pinning. If a self-signed cert is genuinely needed in development, trust that specific certificate rather than disabling validation globally.
How to Refactor Out of It
- Grep the codebase and scripts for verification-disabling flags and trust-all managers.
- For each, identify the real cause of the original TLS error.
- Fix it properly: install a valid cert, add the private CA to the trust bundle, or trust the specific dev certificate.
- Re-enable verification and remove the override.
- Add linting or policy checks that fail builds containing verification-disabling flags.
- Test connections against a known-bad certificate to confirm they are now rejected.