Currently Mesos agents do not verify that the messages they receive are coming from the leading master and haven't been tampered with. In untrusted environments this can be a source of security issues.
There are a couple of ways to fix this:
1) Implement master authentication at the transport or application level for each agent<->master connection (this might not be sufficient to distinguish a master from the leading master).
2) Implement master authentication at the transport level (so that the connection is encrypted) upon agent registration, and pass a secret to the master for all subsequent, possibly separate and unencrypted, connections (the secret can be leaked on an unencrypted connection).
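
The following sketch is an added example, not Mesos code and not part of the original issue. It shows one variant of option 2 that avoids the leak noted there: the secret agreed at registration is used as an HMAC key and never sent on later connections, and re-registration on a leader change rotates it. The names `Agent`, `sign` and `demo`, the JSON framing and the sequence counter are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, seq: int, body: str) -> str:
    # MAC over sequence number and body, keyed with the registration secret.
    return hmac.new(key, f"{seq}:{body}".encode(), hashlib.sha256).hexdigest()


def sign(key: bytes, seq: int, body: str) -> bytes:
    """Master side (hypothetical framing): the key itself is never transmitted."""
    return json.dumps({"seq": seq, "body": body, "tag": _tag(key, seq, body)}).encode()


class Agent:
    def register(self) -> bytes:
        # Assumption: the returned key reaches the leading master only over
        # the authenticated, encrypted registration connection.
        self._key, self._last_seq = secrets.token_bytes(32), 0
        return self._key

    def accept(self, wire: bytes) -> bool:
        try:
            frame = json.loads(wire)
            seq, body, tag = frame["seq"], frame["body"], frame["tag"]
            if not hmac.compare_digest(_tag(self._key, seq, body), tag):
                return False  # wrong key, or modified in transit
        except (ValueError, KeyError, TypeError):
            return False  # malformed frame
        if not isinstance(seq, int) or seq <= self._last_seq:
            return False  # replay of an earlier genuine message
        self._last_seq = seq
        return True


def demo() -> dict:
    agent = Agent()
    old_key = agent.register()
    wire = sign(old_key, 1, "launch task-1")  # constructed sample message
    out = {"key_on_wire": old_key.hex().encode() in wire,
           "genuine": agent.accept(wire), "replayed": agent.accept(wire),
           "tampered": agent.accept(wire.replace(b"task-1", b"task-9"))}
    new_key = agent.register()  # leader change: re-registration rotates the key
    out["old_master"] = agent.accept(sign(old_key, 2, "kill task-1"))
    out["new_leader"] = agent.accept(sign(new_key, 1, "kill task-1"))
    return out
```

The tag gives authenticity and integrity only; message bodies on the unencrypted connections remain readable to anyone on the path.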