diff --git a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
index 7792cb2ce..e542bdd79 100644
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
@@ -73,6 +73,9 @@ public class CheckHostTrustController implements FxController {
 trust(); // trust *.cryptomator.cloud by default, domain is owned by Cryptomator maintainers
 } else if (containsAllowedHosts(env.hubAllowedHosts())) {
 trust(); // trust hosts explicitly allowlisted via system property
+ } else if (isHttpHost() && !isLocalhost()) {
+ LOG.warn("Denying attempt to connect to hub instance via unencrypted HTTP.");
+ deny(); // never trust http hosts except for local testing
 } else if (env.hubTrustOnFirstUse() && containsAllowedHosts(settings.trustedHosts)) {
 trust(); // trust hosts previously allowlisted by the user
 } else if (env.hubTrustOnFirstUse()) {
@@ -125,6 +128,18 @@ public class CheckHostTrustController implements FxController {
 return canonicalHubHost.endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN) && canonicalAuthHost.endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN);
 }
+ private boolean isHttpHost() {
+ var canonicalHubHost = hubConfig.getApiBaseUrl().getScheme();
+ var canonicalAuthHost = URI.create(hubConfig.authEndpoint).getScheme();
+ return "http".equalsIgnoreCase(canonicalHubHost) || "http".equalsIgnoreCase(canonicalAuthHost);
+ }
+
+ private boolean isLocalhost() {
+ var canonicalHubHost = hubConfig.getApiBaseUrl().getHost();
+ var canonicalAuthHost = URI.create(hubConfig.authEndpoint).getHost();
+ return "localhost".equalsIgnoreCase(canonicalHubHost) || "localhost".equalsIgnoreCase(canonicalAuthHost);
+ }
+
 @VisibleForTesting
 boolean containsAllowedHosts(Set allowedHubHosts) {
 var canonicalHubHost = getAuthority(hubConfig.getApiBaseUrl());
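Review bot: The `isHttpHost() && !isLocalhost()` denial is placed after the `*.cryptomator.cloud` branch and the `containsAllowedHosts(env.hubAllowedHosts())` branch, so a config that matches either is trusted before its scheme is examined. Whether those two matches can succeed for an `http://` URL depends on code outside this hunk, but the comment `// never trust http hosts except for local testing` promises more than the ordering guarantees. Either move the new branch to the top of the chain, or document the exception at the allowlist branch, e.g. `// allowlisted hosts are trusted regardless of scheme`. The if/else chain starts and ends outside the hunk.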
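Review bot: `isHttpHost()` and `isLocalhost()` each join the hub and auth endpoints with `||`, so `isHttpHost() && !isLocalhost()` does not deny a config where one endpoint is on `localhost` and the other is plain HTTP on a different host; that config falls through to the trust-on-first-use branches. The localhost exemption should be decided per endpoint, with the condition in the first hunk becoming `usesRemoteHttp(hubConfig.getApiBaseUrl()) || usesRemoteHttp(URI.create(hubConfig.authEndpoint))` (assuming `getApiBaseUrl()` returns a `java.net.URI`, as its use here suggests). In `isHttpHost()` the locals `canonicalHubHost` and `canonicalAuthHost` hold schemes, not hosts, which the helper below also avoids.

```java
/** Returns true if the endpoint uses plain HTTP and its own host is not localhost. */
private static boolean usesRemoteHttp(URI endpoint) {
	var plainHttp = "http".equalsIgnoreCase(endpoint.getScheme());
	var local = "localhost".equalsIgnoreCase(endpoint.getHost());
	return plainHttp && !local;
}
```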