diff --git a/public/install.sh b/public/install.sh
index d37521b940..c8323bc20a 100755
--- a/public/install.sh
+++ b/public/install.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env sh
 . install/000_header.sh
 . install/010_manifest.sh
+. install/020_flags.sh
 . install/100_log.sh
 . install/110_assert.sh
+. install/200_downloader.sh
 . install/300_license.sh
 . install/999_footer.sh
diff --git a/public/install/020_flags.sh b/public/install/020_flags.sh
new file mode 100644
index 0000000000..39fdd72246
--- /dev/null
+++ b/public/install/020_flags.sh
@@ -0,0 +1,56 @@
+## 020_flags.sh
+
+# A newline separated list of boolean flags. See the read_flags function to see how it's parsed.
+DFX_BOOL_FLAGS=""
+
+# Make a BOOLEAN flag and its description.
+#
+# Arguments:
+#   $1 - The long name of the boolean. This will be used on the command line. The name of the
+#        environment variable will be `flag_NAME` where NAME is this argument, capitalized.
+#        The value of this argument is empty string if not specified, and "1" if it is.
+#   $2 - A description of the flag. This is not currently used but will be when we have enough
+#        flags to implement help.
+define_flag_BOOL() {
+    local VARNAME="flag_$(echo $1 | tr /a-z/ /A-Z)"
+    eval $VARNAME="\${$VARNAME:-}"
+    DFX_BOOL_FLAGS="${DFX_BOOL_FLAGS}--${1} $VARNAME $2"
+}
+
+# Get the flag name of a line in the flag description.
+get_flag_name() {
+    echo $1
+}
+
+# Get the variable name of a line in the flag description.
+get_var_name() {
+    echo $2
+}
+
+# Read all the command line flags and set the flag_XXXX environment variables.
+#
+# Arguments:
+#   $* - Flags to parse.
+# Side Effects:
+#   Environment variables are set according to flags defined and flags.
+read_flags() {
+    # Set values from command line.
+    while [[ "$@" ]]; do
+        local ARG=$1
+        shift
+
+        OLD_IFS="$IFS"
+        IFS=$'\n'
+        for line in ${DFX_BOOL_FLAGS}; do
+            [ "$line" ] || break
+
+            IFS="$OLD_IFS"
+            FLAG=$(get_flag_name $line)
+            VARNAME=$(get_var_name $line)
+
+            if [ "$ARG" == "$FLAG" ]; then
+                eval $VARNAME="1"
+            fi
+        done
+    done
+}
diff --git a/public/install/100_log.sh b/public/install/100_log.sh
index 721c2e7308..01398638fa 100644
--- a/public/install/100_log.sh
+++ b/public/install/100_log.sh
@@ -12,6 +12,14 @@ say() {
     printf 'dfinity-sdk: %s\n' "$1"
 }
 
+warn() {
+    if $_ansi_escapes_are_valid; then
+        printf "\33[1mwarn:\33[0m %s\n" "$1" 1>&2
+    else
+        printf '%s\n' "$1" 1>&2
+    fi
+}
+
 err() {
     say "$1" >&2
     exit 1
diff --git a/public/install/200_downloader.sh b/public/install/200_downloader.sh
new file mode 100644
index 0000000000..87af79d604
--- /dev/null
+++ b/public/install/200_downloader.sh
@@ -0,0 +1,69 @@
+## 200_downloader.sh
+
+define_flag_BOOL "insecure" "Allows downloading from insecure URLs, either using HTTP or TLS 1.2 or less."
+
+check_help_for() {
+    local _cmd
+    local _arg
+    local _ok
+    _cmd="$1"
+    _ok="y"
+    shift
+
+    # If we're running on OS-X, older than 10.13, then we always
+    # fail to find these options to force fallback
+    if check_cmd sw_vers; then
+        if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
+            # Older than 10.13
+            echo "Warning: Detected OS X platform older than 10.13"
+            _ok="n"
+        fi
+    fi
+
+    for _arg in "$@"; do
+        if ! "$_cmd" --help | grep -q -- "$_arg"; then
+            _ok="n"
+        fi
+    done
+
+    test "$_ok" = "y"
+}
+
+# This wraps curl or wget. Try curl first, if not installed, use wget instead.
+# Arguments:
+#   $1 - URL to download.
+#   $2 - Path to output the download. Use - to output to stdout.
+downloader() {
+    local _dld
+    if check_cmd curl; then
+        _dld=curl
+    elif check_cmd wget; then
+        _dld=wget
+    else
+        _dld='curl or wget' # to be used in error message of need_cmd
+    fi
+
+    if [ "$1" = --check ]; then
+        need_cmd "$_dld"
+    elif [ "$_dld" = curl ]; then
+        if check_help_for curl --proto --tlsv1.3; then
+            curl --proto '=https' --tls-max=1.3 --silent --show-error --fail --location "$1" --output "$2"
+        elif ! [ "$_flag_INSECURE" ]; then
+            warn "Not forcing TLS v1.3, this is potentially less secure"
+            curl --silent --show-error --fail --location "$1" --output "$2"
+        else
+            err "TLS 1.3 is not supported on this platform. To force using it, use the --insecure flag."
+        fi
+    elif [ "$_dld" = wget ]; then
+        if check_help_for wget --https-only --secure-protocol; then
+            wget --https-only --secure-protocol=TLSv1_3 "$1" -O "$2"
+        elif ! [ "$_flag_INSECURE" ]; then
+            warn "Not forcing TLS v1.3, this is potentially less secure"
+            wget "$1" -O "$2"
+        else
+            err "TLS 1.3 is not supported on this platform. To force using it, use the --insecure flag."
+        fi
+    else
+        err "Unknown downloader" # should not reach here
+    fi
+}
diff --git a/public/install/999_footer.sh b/public/install/999_footer.sh
index d46e147feb..2ff532b85d 100644
--- a/public/install/999_footer.sh
+++ b/public/install/999_footer.sh
@@ -80,6 +80,10 @@ main() {
             esac
         fi
     fi
+
+    # Read flags.
+    read_flags "$@"
+
     log "Executing DFINITY SDK install script, commit: $SCRIPT_COMMIT_DESC"
 
     downloader --check
@@ -188,42 +192,6 @@ get_architecture() {
     RETVAL="$_arch"
 }
 
-# This wraps curl or wget. Try curl first, if not installed,
-# use wget instead.
-# Arguments:
-#   $1 - URL to download.
-#   $2 - Path to output the download. Use - to output to stdout.
-downloader() {
-    local _dld
-    if check_cmd curl; then
-        _dld=curl
-    elif check_cmd wget; then
-        _dld=wget
-    else
-        _dld='curl or wget' # to be used in error message of need_cmd
-    fi
-
-    if [ "$1" = --check ]; then
-        need_cmd "$_dld"
-    elif [ "$_dld" = curl ]; then
-        if ! check_help_for curl --proto --tlsv1.2; then
-            echo "Warning: Not forcing TLS v1.2, this is potentially less secure"
-            curl --silent --show-error --fail --location "$1" --output "$2"
-        else
-            curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2"
-        fi
-    elif [ "$_dld" = wget ]; then
-        if ! check_help_for wget --https-only --secure-protocol; then
-            echo "Warning: Not forcing TLS v1.2, this is potentially less secure"
-            wget "$1" -O "$2"
-        else
-            wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2"
-        fi
-    else
-        err "Unknown downloader" # should not reach here
-    fi
-}
-
 install_uninstall_script() {
     set +u
     local uninstall_file_path
@@ -272,31 +240,4 @@ EOF
     ensure chmod u+x "${uninstall_file_path}"
 }
 
-check_help_for() {
-    local _cmd
-    local _arg
-    local _ok
-    _cmd="$1"
-    _ok="y"
-    shift
-
-    # If we're running on OS-X, older than 10.13, then we always
-    # fail to find these options to force fallback
-    if check_cmd sw_vers; then
-        if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
-            # Older than 10.13
-            echo "Warning: Detected OS X platform older than 10.13"
-            _ok="n"
-        fi
-    fi
-
-    for _arg in "$@"; do
-        if ! "$_cmd" --help | grep -q -- "$_arg"; then
-            _ok="n"
-        fi
-    done
-
-    test "$_ok" = "y"
-}
-
 main "$@" || exit $?