That's still not OK. Think about this: you are encrypting your traffic to prevent some third party from seeing/modifying it. But without authentication, you don't know who you're communicating with. So it could be that you're talking with the very third party that you were trying to protect from in the first place.