diff --git a/smack-core/src/main/java/org/jivesoftware/smack/ConnectionConfiguration.java b/smack-core/src/main/java/org/jivesoftware/smack/ConnectionConfiguration.java
index e74dc272f..125c691ed 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/ConnectionConfiguration.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/ConnectionConfiguration.java
@@ -142,7 +142,7 @@ public abstract class ConnectionConfiguration {
 /**
 * Returns the TLS security mode used when making the connection. By default,
- * the mode is {@link SecurityMode#enabled}.
+ * the mode is {@link SecurityMode#ifpossible}.
 *
 * @return the security mode.
 */
@@ -284,8 +284,13 @@ public abstract class ConnectionConfiguration {
 /**
 * Security via TLS encryption is used whenever it's available. This is the
 * default setting.
+ *

+ * Do not use this setting unless you can't use {@link #required}. An attacker could easily perform a
+ * Man-in-the-middle attack and prevent TLS from being used, leaving you with an unencrypted (and
+ * unauthenticated) connection.
+ *

 */
- enabled,
+ ifpossible,

 /**
 * Security via TLS encryption is disabled and only un-encrypted connections will
@@ -360,7 +365,7 @@ public abstract class ConnectionConfiguration {
 * @param the resulting connection configuration type parameter.
 */
 public static abstract class Builder, C extends ConnectionConfiguration> {
- private SecurityMode securityMode = SecurityMode.enabled;
+ private SecurityMode securityMode = SecurityMode.ifpossible;
 private String keystorePath = System.getProperty("javax.net.ssl.keyStore");
 private String keystoreType = "jks";
 private String pkcs11Library = "pkcs11.config";
@@ -455,7 +460,7 @@ public abstract class ConnectionConfiguration {
 /**
 * Sets the TLS security mode used when making the connection. By default,
- * the mode is {@link SecurityMode#enabled}.
+ * the mode is {@link SecurityMode#ifpossible}.
 *
 * @param securityMode the security mode.
 * @return a reference to this builder.
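Review bot: The new Javadoc on `ifpossible` tells callers not to use it unless they cannot use `required`, yet the `@@ -360` hunk keeps `SecurityMode.ifpossible` as the Builder's default, so a caller who never touches `setSecurityMode` gets exactly the configuration the comment warns against (a connection that is accepted even when TLS was not negotiated). If flipping the default to `private SecurityMode securityMode = SecurityMode.required;` is out of scope here, the `setSecurityMode` Javadoc in the `@@ -455` hunk should carry the same guidance, e.g. ` * Callers that can require TLS should set {@link SecurityMode#required}; the {@link SecurityMode#ifpossible} default does not fail when TLS is unavailable.` Separately, renaming the public constant `enabled` to `ifpossible` with no deprecated `enabled` constant left in place is a source-incompatible change for any code referencing `SecurityMode.enabled` or calling `SecurityMode.valueOf("enabled")`; the commit message or a `@Deprecated` transitional constant should say so. The enclosing `SecurityMode` enum and `ConnectionConfiguration` class both start and end outside this hunk.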