diff --git a/.github/scripts/tests.sh b/.github/scripts/tests.sh
index e5b47654..162c0e05 100755
--- a/.github/scripts/tests.sh
+++ b/.github/scripts/tests.sh
@@ -24,14 +24,12 @@ cargo binstall --help >/dev/null
 # Test that the installed binaries can be run
 cargo binstall --help >/dev/null
 
-# Install binaries using secure mode
 min_tls=1.3
 [[ "${2:-}" == "Windows" ]] && min_tls=1.2 # WinTLS on GHA doesn't support 1.3 yet
 
 "./$1" binstall \
     --force \
     --log-level debug \
-    --secure \
     --min-tls-version $min_tls \
     --no-confirm \
     cargo-binstall
diff --git a/crates/bin/src/args.rs b/crates/bin/src/args.rs
index aead6a6d..f1cd7cbd 100644
--- a/crates/bin/src/args.rs
+++ b/crates/bin/src/args.rs
@@ -113,15 +113,8 @@ pub struct Args {
     #[clap(help_heading = "Options", long)]
     pub install_path: Option<PathBuf>,
 
-    /// Enforce downloads over secure transports only.
-    ///
-    /// Insecure HTTP downloads will be removed completely in the future; in the meantime this
-    /// option forces a fail when the remote endpoint uses plaintext HTTP or insecure TLS suites.
-    ///
-    /// Without this option, plain HTTP will warn.
-    ///
-    /// Implies `--min-tls-version=1.2`.
-    #[clap(help_heading = "Options", long)]
+    /// Deprecated, here for back-compat only. Secure is now on by default.
+    #[clap(hide(true), long)]
     pub secure: bool,
 
     /// Force a crate to be installed even if it is already installed.
diff --git a/crates/bin/src/entry.rs b/crates/bin/src/entry.rs
index 290dc65a..68e017d3 100644
--- a/crates/bin/src/entry.rs
+++ b/crates/bin/src/entry.rs
@@ -32,7 +32,7 @@ pub async fn install_crates(mut args: Args, jobserver_client: LazyJobserverClien
     let desired_targets = get_desired_targets(args.targets.take());
 
     // Initialize reqwest client
-    let client = create_reqwest_client(args.secure, args.min_tls_version.map(|v| v.into()))?;
+    let client = create_reqwest_client(args.min_tls_version.map(|v| v.into()))?;
 
     // Build crates.io api client
     let crates_io_api_client = crates_io_api::AsyncClient::new(
diff --git a/crates/lib/src/helpers/remote.rs b/crates/lib/src/helpers/remote.rs
index ddfdce82..95492cc0 100644
--- a/crates/lib/src/helpers/remote.rs
+++ b/crates/lib/src/helpers/remote.rs
@@ -8,19 +8,13 @@ use url::Url;
 
 use crate::errors::BinstallError;
 
-pub fn create_reqwest_client(
-    secure: bool,
-    min_tls: Option<tls::Version>,
-) -> Result<Client, BinstallError> {
+pub fn create_reqwest_client(min_tls: Option<tls::Version>) -> Result<Client, BinstallError> {
     const USER_AGENT: &str = concat!(env!("CARGO_PKG_NAME"), "/", env!("CARGO_PKG_VERSION"));
 
-    let mut builder = ClientBuilder::new().user_agent(USER_AGENT);
-
-    if secure {
-        builder = builder
-            .https_only(true)
-            .min_tls_version(tls::Version::TLS_1_2);
-    }
+    let mut builder = ClientBuilder::new()
+        .user_agent(USER_AGENT)
+        .https_only(true)
+        .min_tls_version(tls::Version::TLS_1_2);
 
     if let Some(ver) = min_tls {
         builder = builder.min_tls_version(ver);