diff --git a/dwds/CHANGELOG.md b/dwds/CHANGELOG.md
index 4ca56d1fc..6117d6563 100644
--- a/dwds/CHANGELOG.md
+++ b/dwds/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## 27.1.2-wip
+- Remove the `badCertificateCallback` override in `ProxyServerAssetReader` that
+  unconditionally accepted any TLS certificate when `isHttps: true` was set.
+  Callers that need to trust a private CA should configure a `SecurityContext`
+  on the `HttpClient` themselves. (CWE-295)
+
 ## 27.1.1
 - Fix deserialization errors appearing in the chrome console.
diff --git a/dwds/lib/src/readers/proxy_server_asset_reader.dart b/dwds/lib/src/readers/proxy_server_asset_reader.dart
index 4225ba9bd..4b248a583 100644
--- a/dwds/lib/src/readers/proxy_server_asset_reader.dart
+++ b/dwds/lib/src/readers/proxy_server_asset_reader.dart
@@ -32,9 +32,7 @@ class ProxyServerAssetReader implements AssetReader {
 ..maxConnectionsPerHost = 200
 ..idleTimeout = const Duration(seconds: 30)
 ..connectionTimeout = const Duration(seconds: 30);
-final client = isHttps
-? IOClient(inner..badCertificateCallback = (cert, host, port) => true)
-: IOClient(inner);
+final client = IOClient(inner);
 var url = '$scheme$host:$assetServerPort/';
 if (root.isNotEmpty) url += '$root/';
 final handler = proxyHandler(url, client: client);
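Review bot: The new `final client = IOClient(inner);` gives callers no way to follow the changelog's advice, because `inner` is configured inside this block (its construction sits above the hunk, where the cascade on `..maxConnectionsPerHost` begins) and is never exposed; if `inner` really is built from a bare `HttpClient()` there, an optional `SecurityContext? securityContext` constructor parameter forwarded as `HttpClient(context: securityContext)` would let a private CA be trusted without reintroducing a blanket callback. The new line also deserves a why-comment so the override is not restored later, e.g. `// Default certificate verification is intentional (CWE-295); trust a private CA via SecurityContext, never via badCertificateCallback.`. With the ternary gone, `isHttps` is no longer read in this hunk; confirm it still drives `scheme` elsewhere in the constructor or the analyzer will report an unused parameter. The enclosing constructor body starts before the hunk and continues past it.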