diff --git a/lib/config/config.go b/lib/config/config.go
index 62f2b278b..550a485f3 100644
--- a/lib/config/config.go
+++ b/lib/config/config.go
@@ -53,14 +53,14 @@ var (
 // DefaultDiscoveryServersV4 should be substituted when the configuration
 // contains default-v4.
 DefaultDiscoveryServersV4 = []string{
- "https://discovery.syncthing.net/v2/?noannounce&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW",
- "https://discovery-v4.syncthing.net/v2/?nolookup&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW",
+ "https://discovery-lookup.syncthing.net/v2/?noannounce",
+ "https://discovery-announce-v4.syncthing.net/v2/?nolookup",
 }
 // DefaultDiscoveryServersV6 should be substituted when the configuration
 // contains default-v6.
 DefaultDiscoveryServersV6 = []string{
- "https://discovery.syncthing.net/v2/?noannounce&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW",
- "https://discovery-v6.syncthing.net/v2/?nolookup&id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW",
+ "https://discovery-lookup.syncthing.net/v2/?noannounce",
+ "https://discovery-announce-v6.syncthing.net/v2/?nolookup",
 }
 // DefaultDiscoveryServers should be substituted when the configuration
 // contains default.
diff --git a/lib/upgrade/upgrade_supported.go b/lib/upgrade/upgrade_supported.go
index 1c8d7b648..db2c17e6a 100644
--- a/lib/upgrade/upgrade_supported.go
+++ b/lib/upgrade/upgrade_supported.go
@@ -14,7 +14,6 @@ import (
 "archive/zip"
 "bytes"
 "compress/gzip"
- "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
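Review bot: The new default URLs in `DefaultDiscoveryServersV4` and `DefaultDiscoveryServersV6` (lib/config/config.go) drop the `id=` parameter, and the doc comments do not record how the discovery server is authenticated afterwards. If `id=` was what pinned the server to a specific device ID, which is how it reads but is not visible in this hunk, these endpoints now depend on ordinary CA validation and on the new hostnames presenting publicly trusted certificates. Once that is confirmed against the discovery client, I would add a line to each doc comment, for example `// The URLs carry no id= pin; the server certificate is checked against the system CA roots.` The enclosing `var (` block starts and ends outside the hunk.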
@@ -61,26 +60,18 @@ const (
 maxMetadataSize = 10 << 20 // 10 MiB
 )
 
-// This is an HTTP/HTTPS client that does *not* perform certificate
-// validation. We do this because some systems where Syncthing runs have
-// issues with old or missing CA roots. It doesn't actually matter that we
-// load the upgrade insecurely as we verify an ECDSA signature of the actual
-// binary contents before accepting the upgrade.
-var insecureHTTP = &http.Client{
+var upgradeClient = &http.Client{
 Timeout: readTimeout,
 Transport: &http.Transport{
 DialContext: dialer.DialContext,
 Proxy: http.ProxyFromEnvironment,
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
 },
 }
 
 var osVersion string
 
 func init() {
- _ = http2.ConfigureTransport(insecureHTTP.Transport.(*http.Transport))
+ _ = http2.ConfigureTransport(upgradeClient.Transport.(*http.Transport))
 osVersion, _ = host.KernelVersion()
 osVersion = strings.TrimSpace(osVersion)
 }
@@ -95,7 +86,7 @@ func insecureGet(url, version string) (*http.Response, error) {
 if osVersion != "" {
 req.Header.Set("Syncthing-Os-Version", osVersion)
 }
- return insecureHTTP.Do(req)
+ return upgradeClient.Do(req)
 }
 
 // FetchLatestReleases returns the latest releases. The "current" parameter
@@ -233,7 +224,7 @@ func readRelease(archiveName, dir, url string) (string, error) {
 }
 
 req.Header.Add("Accept", "application/octet-stream")
- resp, err := insecureHTTP.Do(req)
+ resp, err := upgradeClient.Do(req)
 if err != nil {
 return "", err
 }
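Review bot: `upgradeClient` in the `@@ -61,26 +60,18 @@` hunk is declared without a comment, and the deleted comment was the only statement of the trust model for upgrade downloads. That removed text says some hosts have old or missing CA roots; with `InsecureSkipVerify` gone, requests made through `insecureGet` and `readRelease` on such hosts will now fail at the TLS handshake, and the hunk adds no distinct error or guidance for that case. Suggested comment: `// upgradeClient validates server certificates against the system roots; the signature check on the downloaded binary remains the integrity control.` Separately, `init` still discards the error from `http2.ConfigureTransport` with `_ =`, which deserves a short justifying comment.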
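Review bot: `insecureGet` in the `@@ -95,7 +86,7 @@` hunk keeps its name although it now sends the request through the verifying `upgradeClient`, so the name states the opposite of what the code does. Someone auditing TLS handling will either report it as a finding or assume an unverified path is still intended and preserve it in later changes. Rename it together with its callers, e.g. `func upgradeGet(url, version string) (*http.Response, error) {`, or at minimum add `// insecureGet performs a certificate-verified GET; the name is historical.` The function body starts outside the hunk.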