diff --git a/cmd/kubecfg/kubecfg.go b/cmd/kubecfg/kubecfg.go
index 8f97cdf05ad..b93c2ba94a1 100644
--- a/cmd/kubecfg/kubecfg.go
+++ b/cmd/kubecfg/kubecfg.go
@@ -201,7 +201,7 @@ func main() {
 // TODO: eventually apiserver should start on 443 and be secure by default
 clientConfig.Host = "http://localhost:8080"
 }
- if client.IsConfigTransportSecure(clientConfig) {
+ if client.IsConfigTransportTLS(clientConfig) {
 auth, err := kubecfg.LoadAuthInfo(*authConfig, os.Stdin)
 if err != nil {
 glog.Fatalf("Error loading auth: %v", err)
diff --git a/pkg/client/helper.go b/pkg/client/helper.go
index 176259014b6..2c64e2a5165 100644
--- a/pkg/client/helper.go
+++ b/pkg/client/helper.go
@@ -172,7 +172,7 @@ func TransportFor(config *Config) (http.RoundTripper, error) {
 // DefaultServerURL converts a host, host:port, or URL string to the default base server API path
 // to use with a Client at a given API version following the standard conventions for a
 // Kubernetes API.
-func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.URL, error) {
+func DefaultServerURL(host, prefix, version string, defaultTLS bool) (*url.URL, error) {
 if host == "" {
 return nil, fmt.Errorf("host must be a URL or a host:port pair")
 }
@@ -186,7 +186,7 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
 }
 if hostURL.Scheme == "" {
 scheme := "http://"
- if defaultSecure {
+ if defaultTLS {
 scheme = "https://"
 }
 hostURL, err = url.Parse(scheme + base)
@@ -213,13 +213,13 @@ func DefaultServerURL(host, prefix, version string, defaultSecure bool) (*url.UR
 return hostURL, nil
 }
-// IsConfigTransportSecure returns true iff the provided config will result in a protected
+// IsConfigTransportTLS returns true iff the provided config will result in a protected
 // connection to the server when it is passed to client.New() or client.RESTClientFor().
 // Use to determine when to send credentials over the wire.
 //
 // Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
 // still possible.
-func IsConfigTransportSecure(config *Config) bool {
+func IsConfigTransportTLS(config *Config) bool {
 baseURL, err := defaultServerUrlFor(config)
 if err != nil {
 return false
@@ -227,16 +227,17 @@ func IsConfigTransportSecure(config *Config) bool {
 return baseURL.Scheme == "https"
 }
-// defaultServerUrlFor is shared between IsConfigSecure and RESTClientFor
+// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor
 func defaultServerUrlFor(config *Config) (*url.URL, error) {
 version := defaultVersionFor(config)
 // TODO: move the default to secure when the apiserver supports TLS by default
- defaultSecure := config.CertFile != ""
+ // config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
+ defaultTLS := config.CertFile != "" || config.Insecure
 host := config.Host
 if host == "" {
 host = "localhost"
 }
- return DefaultServerURL(host, config.Prefix, version, defaultSecure)
+ return DefaultServerURL(host, config.Prefix, version, defaultTLS)
 }
 // defaultVersionFor is shared between defaultServerUrlFor and RESTClientFor
diff --git a/pkg/client/helper_test.go b/pkg/client/helper_test.go
index d24296ffc40..485e7eb425a 100644
--- a/pkg/client/helper_test.go
+++ b/pkg/client/helper_test.go
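Review bot: The doc comment kept on `IsConfigTransportTLS` still says the Insecure flag is ignored, but the `@@ -227` hunk of this same commit makes `config.Insecure` select `https` in `defaultServerUrlFor`, so that note is now false for hosts given without a scheme. The first sentence also still promises a "protected connection", which the rename away from "Secure" was presumably meant to stop implying. I would reword the opening to `// IsConfigTransportTLS reports whether the config resolves to an https URL; it says nothing about whether the server certificate is verified.` and replace the note with `// Note: setting Insecure selects https for scheme-less hosts but skips CA verification, so MITM attacks are still possible.` The function body continues past the end of this hunk.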
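Review bot: With `defaultTLS := config.CertFile != "" || config.Insecure` in `defaultServerUrlFor`, a config that sets only `Insecure` now makes `IsConfigTransportTLS` return true, and the call sites touched in cmd/kubecfg/kubecfg.go and pkg/kubectl/cmd/cmd.go use that result to decide whether to load auth info. Credentials are therefore loaded for, and presumably sent over, a connection whose certificate is not checked against a CA. If that is intended, say so where the decision is made, e.g. `// NOTE: Insecure yields https without CA verification; callers that send credentials on IsConfigTransportTLS expose them to an active MITM.`, and consider having the callers log a warning when `config.Insecure` is set. Separately, an explicit `http://` host stays plain HTTP even with `Insecure` set, because `DefaultServerURL` applies the default only when the scheme is empty; the comment should mention that too.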
@@ -47,40 +47,47 @@ func TestTransportFor(t *testing.T) {
 }
 }
-func TestIsConfigTransportSecure(t *testing.T) {
+func TestIsConfigTransportTLS(t *testing.T) {
 testCases := []struct {
- Config *Config
- Secure bool
+ Config *Config
+ TransportTLS bool
 }{
 {
- Config: &Config{},
- Secure: false,
+ Config: &Config{},
+ TransportTLS: false,
 },
 {
 Config: &Config{
 Host: "https://localhost",
 },
- Secure: true,
+ TransportTLS: true,
 },
 {
 Config: &Config{
 Host: "localhost",
 CertFile: "foo",
 },
- Secure: true,
+ TransportTLS: true,
 },
 {
 Config: &Config{
 Host: "///:://localhost",
 CertFile: "foo",
 },
- Secure: false,
+ TransportTLS: false,
+ },
+ {
+ Config: &Config{
+ Host: "1.2.3.4:567",
+ Insecure: true,
+ },
+ TransportTLS: true,
 },
 }
 for _, testCase := range testCases {
- secure := IsConfigTransportSecure(testCase.Config)
- if testCase.Secure != secure {
- t.Errorf("expected %v for %#v", testCase.Secure, testCase.Config)
+ useTLS := IsConfigTransportTLS(testCase.Config)
+ if testCase.TransportTLS != useTLS {
+ t.Errorf("expected %v for %#v", testCase.TransportTLS, testCase.Config)
 }
 }
 }
diff --git a/pkg/kubectl/cmd/cmd.go b/pkg/kubectl/cmd/cmd.go
index d33f1ee0e3a..3c01eec4ffd 100644
--- a/pkg/kubectl/cmd/cmd.go
+++ b/pkg/kubectl/cmd/cmd.go
@@ -170,7 +170,7 @@ func GetKubeConfig(cmd *cobra.Command) *client.Config {
 }
 config.Host = host
- if client.IsConfigTransportSecure(config) {
+ if client.IsConfigTransportTLS(config) {
 // Get the values from the file on disk (or from the user at the
 // command line). Override them with the command line parameters, if
 // provided.
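Review bot: The table in `TestIsConfigTransportTLS` (pkg/client/helper_test.go) adds only the scheme-less `Insecure` case, so nothing pins what happens when `Insecure` is combined with an explicit scheme. Since `DefaultServerURL` applies the default only when `hostURL.Scheme == ""`, I would add `{Config: &Config{Host: "http://localhost", Insecure: true}, TransportTLS: false},` so a later change cannot silently start treating plain HTTP as a transport that callers send credentials over. The failure message would also be easier to act on if it printed the actual value, e.g. `t.Errorf("expected %v, got %v for %#v", testCase.TransportTLS, useTLS, testCase.Config)`.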