
Expand documentation for --insecure-registries

Signed-off-by: Michael Crosby <michael@docker.com>
Michael Crosby, 11 years ago
Commit
48f7384d63
1 file changed, 11 additions, 1 deletion

+ 11 - 1
docs/sources/reference/commandline/cli.md

@@ -71,7 +71,7 @@ expect an integer, and they can only be specified once.
       -H, --host=[]                              The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
       -H, --host=[]                              The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
       --icc=true                                 Enable inter-container communication
       --icc=true                                 Enable inter-container communication
       --insecure-registry=[]                     Make these registries use http
       --insecure-registry=[]                     Make these registries use http
-      --ip=0.0.0.0                             Default IP address to use when binding container ports
+      --ip=0.0.0.0                               Default IP address to use when binding container ports
       --ip-forward=true                          Enable net.ipv4.ip_forward
       --ip-forward=true                          Enable net.ipv4.ip_forward
       --ip-masq=true                             Enable IP masquerading for bridge's IP range
       --ip-masq=true                             Enable IP masquerading for bridge's IP range
       --iptables=true                            Enable Docker's addition of iptables rules
       --iptables=true                            Enable Docker's addition of iptables rules
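Review bot: The unchanged `--insecure-registry=[]` entry just above the realigned `--ip` line is spelled in the singular, while the commit subject and the paragraph added later in this patch call the flag `--insecure-registries`. This option table is what readers copy from, so confirm which spelling the daemon accepts and make the two places agree. While touching this block, the description "Make these registries use http" could also state that only the listed registries are contacted without TLS, which is the security-relevant part.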
@@ -196,6 +196,16 @@ can be disabled with --ip-masq=false.
 
 
 
 
 
 
+By default docker will assume all registries are securied via TLS.  Prior versions
+of docker used an auto fallback if a registry did not support TLS.  This introduces
+the opportunity for MITM attacks so in Docker 1.2 the user must specify `--insecure-registries` 
+when starting the Docker daemon to state which registries are not using TLS and to communicate
+with these registries via plain text.  If you are running a local registry over plain text
+on `127.0.0.1:5000` you will be required to specify `--insecure-registries 127.0.0.1:500` 
+when starting the docker daemon to be able to push and pull images to that registry.
+No automatic fallback will happen after Docker 1.2 to detect if a registry is using
+HTTP or HTTPS.
+
 Docker supports softlinks for the Docker data directory
 Docker supports softlinks for the Docker data directory
 (`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this:
 (`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this:
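Review bot: The example in the added paragraph tells the reader to pass `--insecure-registries 127.0.0.1:500` for a registry stated to be on `127.0.0.1:5000`, so the port is truncated and a copied command would not match the registry; it should read `127.0.0.1:5000`. In the same paragraph "securied" should be "secured", the two added lines ending in `--insecure-registries` and `127.0.0.1:500` carry trailing whitespace, and the flag spelling differs from the `--insecure-registry=[]` entry in the option list earlier in the file. The text also says "in Docker 1.2" in one sentence and "after Docker 1.2" in the last one, which leaves it unclear whether 1.2 itself still falls back to plain text; one consistent wording such as "as of Docker 1.2" would remove the ambiguity.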