diff --git a/cmd/ipfs/daemon.go b/cmd/ipfs/daemon.go
index 9778168540e6126d7b6dda25083e03a07b0864b3..a49282949e69bf7089bef3d7fcfe07bc45ed88fa 100644
--- a/cmd/ipfs/daemon.go
+++ b/cmd/ipfs/daemon.go
@@ -19,6 +19,7 @@ import (
 	commands "github.com/ipfs/go-ipfs/core/commands"
 	corehttp "github.com/ipfs/go-ipfs/core/corehttp"
 	"github.com/ipfs/go-ipfs/core/corerouting"
+	conn "github.com/ipfs/go-ipfs/p2p/net/conn"
 	peer "github.com/ipfs/go-ipfs/p2p/peer"
 	fsrepo "github.com/ipfs/go-ipfs/repo/fsrepo"
 	util "github.com/ipfs/go-ipfs/util"
@@ -32,7 +33,8 @@ const (
 	writableKwd               = "writable"
 	ipfsMountKwd              = "mount-ipfs"
 	ipnsMountKwd              = "mount-ipns"
-	unrestrictedApiAccess     = "unrestricted-api"
+	unrestrictedApiAccessKwd  = "unrestricted-api"
+	unencryptTransportKwd     = "disable-transport-encryption"
 	// apiAddrKwd    = "address-api"
 	// swarmAddrKwd  = "address-swarm"
 )
@@ -76,7 +78,8 @@ the port as you would other services or database (firewall, authenticated proxy,
 		cmds.BoolOption(writableKwd, "Enable writing objects (with POST, PUT and DELETE)"),
 		cmds.StringOption(ipfsMountKwd, "Path to the mountpoint for IPFS (if using --mount)"),
 		cmds.StringOption(ipnsMountKwd, "Path to the mountpoint for IPNS (if using --mount)"),
-		cmds.BoolOption(unrestrictedApiAccess, "Allow API access to unlisted hashes"),
+		cmds.BoolOption(unrestrictedApiAccessKwd, "Allow API access to unlisted hashes"),
+		cmds.BoolOption(unencryptTransportKwd, "Disable transport encryption (for debugging protocols)"),
 
 		// TODO: add way to override addresses. tricky part: updating the config if also --init.
 		// cmds.StringOption(apiAddrKwd, "Address for the daemon rpc API (overrides config)"),
@@ -110,6 +113,14 @@ func daemonFunc(req cmds.Request, res cmds.Response) {
 		}
 	}()
 
+	// check transport encryption flag.
+	unencrypted, _, _ := req.Option(unencryptTransportKwd).Bool()
+	if unencrypted {
+		log.Warningf(`Running with --%s: All connections are UNENCRYPTED.
+		You will not be able to connect to regular encrypted networks.`, unencryptTransportKwd)
+		conn.EncryptConnections = false
+	}
+
 	// first, whether user has provided the initialization flag. we may be
 	// running in an uninitialized state.
 	initialize, _, err := req.Option(initOptionKwd).Bool()
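Review bot: The error from `req.Option(unencryptTransportKwd).Bool()` is discarded on the added line, while the `initOptionKwd` lookup directly below keeps its `err`, so a malformed value for this security-relevant flag is silently read as false. That default is fail-safe (encryption stays on), but the operator gets no feedback; I would write `unencrypted, _, err := req.Option(unencryptTransportKwd).Bool()` and report `err` the same way the other options in this function do. The downgrade is also announced only through `log.Warningf`, which may be filtered by the configured log level, so printing it unconditionally to stderr would make it harder to miss. The raw string literal carries the source indentation (two tabs) into the second line of the message. daemonFunc starts and ends outside the hunk.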
@@ -259,9 +270,9 @@ func serveHTTPApi(req cmds.Request) (error, <-chan error) {
 	apiMaddr = apiLis.Multiaddr()
 	fmt.Printf("API server listening on %s\n", apiMaddr)
 
-	unrestricted, _, err := req.Option(unrestrictedApiAccess).Bool()
+	unrestricted, _, err := req.Option(unrestrictedApiAccessKwd).Bool()
 	if err != nil {
-		return fmt.Errorf("serveHTTPApi: Option(%s) failed: %s", unrestrictedApiAccess, err), nil
+		return fmt.Errorf("serveHTTPApi: Option(%s) failed: %s", unrestrictedApiAccessKwd, err), nil
 	}
 
 	apiGw := corehttp.NewGateway(corehttp.GatewayConfig{
diff --git a/p2p/net/conn/dial.go b/p2p/net/conn/dial.go
index 43831c3efef74c759575b4fbb24d30f3d46c4ae1..a9a1a7aaf939a33be42a252addcd27e00ae9d68b 100644
--- a/p2p/net/conn/dial.go
+++ b/p2p/net/conn/dial.go
@@ -60,7 +60,7 @@ func (d *Dialer) Dial(ctx context.Context, raddr ma.Multiaddr, remote peer.ID) (
 			return
 		}
 
-		if d.PrivateKey == nil {
+		if d.PrivateKey == nil || EncryptConnections == false {
 			log.Warning("dialer %s dialing INSECURELY %s at %s!", d, remote, raddr)
 			connOut = c
 			return
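Review bot: When `EncryptConnections == false` the dialer hands back the raw connection `c` for `remote` and skips the secured path, so confidentiality is lost and the peer ID passed to Dial is presumably never verified either (the handshake is outside the hunk); that deserves a comment on the branch, e.g. `// no secure handshake here: remote's identity is NOT authenticated`. The same condition is added to `listener.Accept` in p2p/net/conn/listen.go and the same caveat applies there. The package variable is read on every dial and accept without synchronization, so this is only safe if it is written once before any Dialer or Listener is in use. Idiomatic Go for the test is `d.PrivateKey == nil || !EncryptConnections`. The enclosing Dial body starts and ends outside the hunk.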
diff --git a/p2p/net/conn/interface.go b/p2p/net/conn/interface.go
index 3a61911af82250e2dceb4f7b58af522d5d10a0f2..82008593057dd919124472696b270b43078e377d 100644
--- a/p2p/net/conn/interface.go
+++ b/p2p/net/conn/interface.go
@@ -93,3 +93,11 @@ type Listener interface {
 	// Any blocked Accept operations will be unblocked and return errors.
 	Close() error
 }
+
+// EncryptConnections is a global parameter because it should either be
+// enabled or _completely disabled_. I.e. a node should only be able to talk
+// to proper (encrypted) networks if it is encrypting all its transports.
+// Running a node with disabled transport encryption is useful to debug the
+// protocols, achieve implementation interop, or for private networks which
+// -- for whatever reason -- _must_ run unencrypted.
+var EncryptConnections = true
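Review bot: `EncryptConnections` is an exported, mutable package variable, so any package that imports `conn` can switch transport encryption off for the whole process at any point, and the doc comment does not say when it may be written. The comment should add the usage contract, e.g. `// Must be set once at startup, before any Dialer or Listener is used; it is read without locking.`, and state that when it is false Dial and Accept return the raw connection. An unexported variable behind a setter called once from the daemon would narrow who can change it and give one place to log the downgrade.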
diff --git a/p2p/net/conn/listen.go b/p2p/net/conn/listen.go
index ea91e5a56d4ccfaf2abc606bdb9ece3876c1a43b..71b89d76703eddb30e86aa8553e37be970717436 100644
--- a/p2p/net/conn/listen.go
+++ b/p2p/net/conn/listen.go
@@ -107,7 +107,7 @@ func (l *listener) Accept() (net.Conn, error) {
 			return nil, err
 		}
 
-		if l.privk == nil {
+		if l.privk == nil || EncryptConnections == false {
 			log.Warning("listener %s listening INSECURELY!", l)
 			return c, nil
 		}