By default, the connections between the chef-client and the chef-server are not secured. This is a short post on how to encrypt and verify your connections.
As of chef-11 (unlike chef-10), SSL is enabled by default. However, the certificates are not verified, which is to be expected, since Opscode cannot create trusted certificates for your domain. This essentially means that the connection is not secure at all.
Unless you only use chef in a trusted network, you should invest some time in securing your clients' connections.